Charming Kittens: Phishing Emails From Iran

Uploaded on 2020-02-20 in INTELLIGENCE-Hot Spots-Iran, FREE TO VIEW, TECHNOLOGY--Hackers

Phishing attacks are the most common form of infiltration apparently used by Iranian state-backed hackers to gain access into accounts. The latest campaign of phishing attacks has been named as “The Return of the Charming Kitten”.  
 
In this campaign, hackers have targeted individuals who are involved in economic and military sanctions against the Islamic Republic of Iran as well as politicians, civil and human rights activists and journalists around the world by attempting to take and use their email accounts. 
 
Researchers at Certfa Lab provide a review of the latest wave of organised phishing attacks by Iranian state-backed hackers which succeeded by compromising 2-factor authentication. The newly detailed phishing attack, Certfa Lab says, is related to targeting/hacking the US Presidential campaign, government officials and media targets.  The attackers are using different methods to carry out their attacks. These methods can be put into two categories:
  • Phishing attacks through unknown email or social media and messaging accounts
  • Phishing attacks through email or social media and messaging accounts of public figures, which have been hacked by the attackers
Also known as APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus, the adversary has been active since at least 2011, targeting journalists and activists in the Middle East, as well as organizations in the United States, and entities in the UK, Israel, Iraq, and Saudi Arabia.
 
Charming Kitten’s new activity indicates that the hacking group continues to target private and government institutions, think tanks, academics and organisations.  
 
In this campaign, the threat actors created a fake account impersonating a New York Times journalist to send fake interview invitations to victims and trick them into accessing phishing websites. The phishing emails contained shortened URLs in the footnotes for various social media links and newspaper websites, which allow hackers to guide victims to legitimate sites while gathering basic information on their devices including their P address, operating system, and browser. 
 
Next, the attackers send a link to a file containing interview questions, which is hosted on Google Sites, to avoid raising suspicion and evade the spam detections. From the Google Site page, the victim is then taken to a phishing page at two-step-checkup.site, where they are asked for login credentials, including two factor authentication (2FA) codes. In these attacks, the threat actor also used pdfReader.exe, an unsophisticated backdoor that achieves persistence through modified Windows Firewall and Registry settings.
 
Designed to gather victim device data, the malware shows a close relation between its developer and the campaign’s operators. 
 
Analysis of the phishing websites used in these attacks reveal the use of servers previously associated with other Charming Kitten phishing attacks. The method of managing and sending HTTP requests is further evidence that Charming Kitten is behind the operation. These phishing attacks by the Charming Kitten are similar to previous attacks by the group and Certfa believes that they work on the development of a series of malware for their future phishing attack campaign.
 
Iran denies operating or supporting any hacking operation and a spokesman for the Iran's mission to the United Nations, said that firms claiming otherwise "are merely participants in the disinformation campaign against Iran."
 
Swiss Info:       CERTFA.com      IT Security News:         Security Week
 
You Might Also Read: 
 
Iranian Hackers Attack The US, Not Very Badly:
 
Iran's Cyberwar Response To Its General's Killing
 
 
« The Cloud Is Beginning To Attract Criminal Extortion
Trends In Cyber Security Technology »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Leonardo

Leonardo

Leonardo (formerly Finmeccanica) is a global high-tech company in Aerospace, Defence, Security & Information Systems including Cybersecurity & ICT solutions.

Lastline

Lastline

Lastline is the leader in advanced malware protection.

Palo Alto Networks

Palo Alto Networks

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate.

Cloud53

Cloud53

Cloud53 specialise in improving operational IT through strategic use of Cloud technologies and services.

Professional Information Security Association (PISA)

Professional Information Security Association (PISA)

PISA is an independent and not-for-profit organization for information security professionals, with the primary objective of promoting information security awareness and best practice.

Cybersecurity Professionals

Cybersecurity Professionals

Search vacancies from top cyber security jobs worldwide on CyberSecurity Professionals. View IT security jobs or upload your CV to be seen by recruiters from industry leading firms.

Zamna

Zamna

Zamna (formerly VChain Technology) is an award-winning software company building GDPR compliant identity platforms for the aviation industry.

Venrock

Venrock

Venrock helps entrepreneurs build some of the world's most disruptive, successful companies. We invest in technology: Security, Cloud Services, Big Data, Healthcare IT, AdTech.

Privacera

Privacera

Privacera enables consistent data governance, security, and compliance across all your data services - on-premises and in the cloud - so you can maximize the value of your data.

Vietnamese Security Network (VSEC)

Vietnamese Security Network (VSEC)

Vietnamese Security Network (VSEC) is an information security company providing website vulnerability scanning and monitoring services.

Cyolo

Cyolo

Cyolo’s Secure Access Service Edge (SASE) platform securely connects onsite and remote users to authorized assets, in the organizational network, cloud or IoT environments and even offline networks.

Constella Intelligence

Constella Intelligence

Constella Intelligence provides digital risk protection services to quickly and efficiently disrupt cyber attacks and data breaches before they occur.

Trianz

Trianz

Trianz Cybersecurity Services are Powered by One of the World’s Largest Databases on Digital Transformation. We Understand Evolving Risks, Technologies and Best Practices.

FusionAuth

FusionAuth

FusionAuth is the customer authentication and authorization platform that makes developers' lives awesome.

Complete Cyber

Complete Cyber

Complete Cyber provide professional cybersecurity services and products to help secure your infrastructure, systems and data.

Bureau

Bureau

Bureau is a no-code, identity decisioning platform that offers businesses the complete range of risk, compliance and ongoing fraud monitoring solutions innovated with AI.