Charming Kittens: Phishing Emails From Iran

Uploaded on 2020-02-20 in INTELLIGENCE-Hot Spots-Iran, FREE TO VIEW, TECHNOLOGY--Hackers

Phishing attacks are the most common form of infiltration apparently used by Iranian state-backed hackers to gain access into accounts. The latest campaign of phishing attacks has been named as “The Return of the Charming Kitten”.  
 
In this campaign, hackers have targeted individuals who are involved in economic and military sanctions against the Islamic Republic of Iran as well as politicians, civil and human rights activists and journalists around the world by attempting to take and use their email accounts. 
 
Researchers at Certfa Lab provide a review of the latest wave of organised phishing attacks by Iranian state-backed hackers which succeeded by compromising 2-factor authentication. The newly detailed phishing attack, Certfa Lab says, is related to targeting/hacking the US Presidential campaign, government officials and media targets.  The attackers are using different methods to carry out their attacks. These methods can be put into two categories:
  • Phishing attacks through unknown email or social media and messaging accounts
  • Phishing attacks through email or social media and messaging accounts of public figures, which have been hacked by the attackers
Also known as APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus, the adversary has been active since at least 2011, targeting journalists and activists in the Middle East, as well as organizations in the United States, and entities in the UK, Israel, Iraq, and Saudi Arabia.
 
Charming Kitten’s new activity indicates that the hacking group continues to target private and government institutions, think tanks, academics and organisations.  
 
In this campaign, the threat actors created a fake account impersonating a New York Times journalist to send fake interview invitations to victims and trick them into accessing phishing websites. The phishing emails contained shortened URLs in the footnotes for various social media links and newspaper websites, which allow hackers to guide victims to legitimate sites while gathering basic information on their devices including their P address, operating system, and browser. 
 
Next, the attackers send a link to a file containing interview questions, which is hosted on Google Sites, to avoid raising suspicion and evade the spam detections. From the Google Site page, the victim is then taken to a phishing page at two-step-checkup.site, where they are asked for login credentials, including two factor authentication (2FA) codes. In these attacks, the threat actor also used pdfReader.exe, an unsophisticated backdoor that achieves persistence through modified Windows Firewall and Registry settings.
 
Designed to gather victim device data, the malware shows a close relation between its developer and the campaign’s operators. 
 
Analysis of the phishing websites used in these attacks reveal the use of servers previously associated with other Charming Kitten phishing attacks. The method of managing and sending HTTP requests is further evidence that Charming Kitten is behind the operation. These phishing attacks by the Charming Kitten are similar to previous attacks by the group and Certfa believes that they work on the development of a series of malware for their future phishing attack campaign.
 
Iran denies operating or supporting any hacking operation and a spokesman for the Iran's mission to the United Nations, said that firms claiming otherwise "are merely participants in the disinformation campaign against Iran."
 
Swiss Info:       CERTFA.com      IT Security News:         Security Week
 
You Might Also Read: 
 
Iranian Hackers Attack The US, Not Very Badly:
 
Iran's Cyberwar Response To Its General's Killing
 
 
« The Cloud Is Beginning To Attract Criminal Extortion
Trends In Cyber Security Technology »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Panda Security

Panda Security

Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions.

European Council on Foreign Relations (ECFR)

European Council on Foreign Relations (ECFR)

ECFR is a pan-European think-tank conducting research and promote informed debate on European foreign policy. Cyber security is becoming an intrinsic element of foreign policy debate.

Digittrade

Digittrade

Digittrade develop and produce external encrypted hard disks and secure communications apps.

LightEdge Solutions

LightEdge Solutions

LightEdge’s highly-trained compliance and security experts take the guesswork out of keeping your business protected.

Lirex

Lirex

Lirex offer consulting and outsourcing services, complete design, construction and maintenance of ICT solutions and systems including cybersecurity.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CYRail

CYRail

CYRail project will analyse threats targeting Railway infrastructures and develop innovative attack detection and alerting techniques.

Zerodium

Zerodium

Zerodium is the leading exploit acquisition platform for premium zero-days and advanced cybersecurity research.

Conduent

Conduent

Conduent delivers mission-critical technology services and solutions on behalf of businesses and governments. Solution areas include digital risk and compliance.

ScienceSoft

ScienceSoft

ScienceSoft is a provider of software development and IT consulting services including Information Security.

TransUnion

TransUnion

TransUnion is a global information and insights company that makes it possible for businesses and consumers to transact with confidence.

Venticento

Venticento

Venticento is an IT company specialized in consulting and network support and assistance for companies that need to make their business processes more effective.

Proaxiom

Proaxiom

Proaxiom are focused on erasing cyber driven panic paralysis for Small and Medium Enterprises through brilliant cyber technologies which drive productivity and support growth.

Kolide

Kolide

Kolide ensures that if a device isn't secure, it can't access your apps.

SentryMark

SentryMark

Stay a Step Ahead of Emerging Threats. Deviate from the traditional siloed defenses and get the proactive and responsive cybersecurity solutions and services you deserve with SentryMark today.

Aikido Security

Aikido Security

Aikido is the no-nonsense security platform for developers. Secure your code, cloud, and runtime in one central system. Find and fix vulnerabilities automatically.