Charming Kittens: Phishing Emails From Iran
Phishing attacks are the most common form of infiltration apparently used by Iranian state-backed hackers to gain access into accounts. The latest campaign of phishing attacks has been named as “The Return of the Charming Kitten”.
In this campaign, hackers have targeted individuals who are involved in economic and military sanctions against the Islamic Republic of Iran as well as politicians, civil and human rights activists and journalists around the world by attempting to take and use their email accounts.
Researchers at Certfa Lab provide a review of the latest wave of organised phishing attacks by Iranian state-backed hackers which succeeded by compromising 2-factor authentication. The newly detailed phishing attack, Certfa Lab says, is related to targeting/hacking the US Presidential campaign, government officials and media targets. The attackers are using different methods to carry out their attacks. These methods can be put into two categories:
- Phishing attacks through unknown email or social media and messaging accounts
- Phishing attacks through email or social media and messaging accounts of public figures, which have been hacked by the attackers
Also known as APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus, the adversary has been active since at least 2011, targeting journalists and activists in the Middle East, as well as organizations in the United States, and entities in the UK, Israel, Iraq, and Saudi Arabia.
Charming Kitten’s new activity indicates that the hacking group continues to target private and government institutions, think tanks, academics and organisations.
In this campaign, the threat actors created a fake account impersonating a New York Times journalist to send fake interview invitations to victims and trick them into accessing phishing websites. The phishing emails contained shortened URLs in the footnotes for various social media links and newspaper websites, which allow hackers to guide victims to legitimate sites while gathering basic information on their devices including their P address, operating system, and browser.
Next, the attackers send a link to a file containing interview questions, which is hosted on Google Sites, to avoid raising suspicion and evade the spam detections. From the Google Site page, the victim is then taken to a phishing page at two-step-checkup.site, where they are asked for login credentials, including two factor authentication (2FA) codes. In these attacks, the threat actor also used pdfReader.exe, an unsophisticated backdoor that achieves persistence through modified Windows Firewall and Registry settings.
Designed to gather victim device data, the malware shows a close relation between its developer and the campaign’s operators.
Analysis of the phishing websites used in these attacks reveal the use of servers previously associated with other Charming Kitten phishing attacks. The method of managing and sending HTTP requests is further evidence that Charming Kitten is behind the operation. These phishing attacks by the Charming Kitten are similar to previous attacks by the group and Certfa believes that they work on the development of a series of malware for their future phishing attack campaign.
Iran denies operating or supporting any hacking operation and a spokesman for the Iran's mission to the United Nations, said that firms claiming otherwise "are merely participants in the disinformation campaign against Iran."
You Might Also Read: