Charming Kittens: Phishing Emails From Iran

Uploaded on 2020-02-20 in INTELLIGENCE-Hot Spots-Iran, FREE TO VIEW, TECHNOLOGY--Hackers

Phishing attacks are the most common form of infiltration apparently used by Iranian state-backed hackers to gain access into accounts. The latest campaign of phishing attacks has been named as “The Return of the Charming Kitten”.  
 
In this campaign, hackers have targeted individuals who are involved in economic and military sanctions against the Islamic Republic of Iran as well as politicians, civil and human rights activists and journalists around the world by attempting to take and use their email accounts. 
 
Researchers at Certfa Lab provide a review of the latest wave of organised phishing attacks by Iranian state-backed hackers which succeeded by compromising 2-factor authentication. The newly detailed phishing attack, Certfa Lab says, is related to targeting/hacking the US Presidential campaign, government officials and media targets.  The attackers are using different methods to carry out their attacks. These methods can be put into two categories:
  • Phishing attacks through unknown email or social media and messaging accounts
  • Phishing attacks through email or social media and messaging accounts of public figures, which have been hacked by the attackers
Also known as APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus, the adversary has been active since at least 2011, targeting journalists and activists in the Middle East, as well as organizations in the United States, and entities in the UK, Israel, Iraq, and Saudi Arabia.
 
Charming Kitten’s new activity indicates that the hacking group continues to target private and government institutions, think tanks, academics and organisations.  
 
In this campaign, the threat actors created a fake account impersonating a New York Times journalist to send fake interview invitations to victims and trick them into accessing phishing websites. The phishing emails contained shortened URLs in the footnotes for various social media links and newspaper websites, which allow hackers to guide victims to legitimate sites while gathering basic information on their devices including their P address, operating system, and browser. 
 
Next, the attackers send a link to a file containing interview questions, which is hosted on Google Sites, to avoid raising suspicion and evade the spam detections. From the Google Site page, the victim is then taken to a phishing page at two-step-checkup.site, where they are asked for login credentials, including two factor authentication (2FA) codes. In these attacks, the threat actor also used pdfReader.exe, an unsophisticated backdoor that achieves persistence through modified Windows Firewall and Registry settings.
 
Designed to gather victim device data, the malware shows a close relation between its developer and the campaign’s operators. 
 
Analysis of the phishing websites used in these attacks reveal the use of servers previously associated with other Charming Kitten phishing attacks. The method of managing and sending HTTP requests is further evidence that Charming Kitten is behind the operation. These phishing attacks by the Charming Kitten are similar to previous attacks by the group and Certfa believes that they work on the development of a series of malware for their future phishing attack campaign.
 
Iran denies operating or supporting any hacking operation and a spokesman for the Iran's mission to the United Nations, said that firms claiming otherwise "are merely participants in the disinformation campaign against Iran."
 
Swiss Info:       CERTFA.com      IT Security News:         Security Week
 
You Might Also Read: 
 
Iranian Hackers Attack The US, Not Very Badly:
 
Iran's Cyberwar Response To Its General's Killing
 
 
« The Cloud Is Beginning To Attract Criminal Extortion
Trends In Cyber Security Technology »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CERT.GOV.AZ

CERT.GOV.AZ

Azerbaijan Government Computer Incident Response Team

CyberOne

CyberOne

CyberOne (formerly Comtact) offer a full stack cybersecurity service to ensure our customers understand the cyber maturity of their organisation.

Red Canary

Red Canary

Red Canary continuously monitors and analyzes your endpoints, users, and network activity in search of threatening behaviors, patterns, and signatures.

US Cyber Range

US Cyber Range

US Cyber Range is a scalable, cloud-hosted infrastructure providing students with virtual environments for realistic, hands-on cybersecurity labs and exercises.

Softcat

Softcat

Softcat offer a broad portfolio of IT services and solutions covering Hybrid Infrastructure, Cyber Security, Digital Workspace and IT Intelligence.

CyberUK

CyberUK

CYBERUK is the UK government’s flagship cyber security event and the authoritative event for the UK’s cyber security community.

CWSI

CWSI

CWSI provide a full suite of enterprise mobility, security and productivity solutions to many of Ireland and the UK’s most respected organisations across a wide range of industry and public sectors.

A&O IT Group

A&O IT Group

A&O IT Group provide IT support and services including IT Managed Services, IT Project Services, IT Engineer Services and Cyber Security.

SnapAttack

SnapAttack

SnapAttack is a collaborative platform that empowers your security team to stay ahead of threats, create robust behavioral analytics for your existing tools, and prove your program's effectiveness.

Telstra

Telstra

Telstra is one of the world's leading telecommunications and technology companies, offering a wider range of services from networks and cloud solutions to mobility and enterprise collaboration tools.

c0c0n

c0c0n

c0c0n is the longest running conferences in the area of Information Security and Hacking, in India.

Smarsh

Smarsh

Smarsh products are designed for user-friendly, efficient compliance. From archiving, supervision, and discovery to cybersecurity – Smarsh has you covered.

WBM Technologies

WBM Technologies

WBM Technologies is a Western Canadian leader in the provision of outcomes-driven information technology solutions.

ThreatCaptain

ThreatCaptain

ThreatCaptain is a Cybersecurity Leadership Development Company driven to enhance and illuminate cybersecurity risk through strategic alignment and informed business decision-making.

Waterleaf International

Waterleaf International

Waterleaf provide advanced network and cybersecurity solutions - informed by data sciences. Transforming Connectivity, Security and Information for Municipalities, Government & Enterprise.

Valmet

Valmet

Valmet is a leading global developer and supplier of process technologies, automation and services for the pulp, paper and energy industries.