Iran-linked APT group Charming Kitten targets journalists, political and human rights activists

Iran-linked APT group Charming Kitten has been targeting journalists, political and human rights activists in a new campaign.

Researchers from Certfa Lab reports have spotted a new cyber espionage campaign carried out by Iran-linked APT group Charming Kitten that has been targeting journalists, political and human rights activists.

Iran-linked Charming Kitten group, (aka APT35, Phosphorus, Newscaster, and Ajax Security Team) made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011 targeting journalists and activists in the Middle East, as well as organizations in the United States, and entities in the U.K., Israel, Iraq, and Saudi Arabia.

The campaign uncovered by Certfa Lab is related to previously observed targeted attacks against a U.S. candidate, government officials, and expatriate Iranians.

“Certfa Lab has identified a new series of phishing attacks from the Charming Kitten¹, the Iranian hacking group who has a close relationship with Iran’s state and Intelligence services. According to our investigation, these new attacks have targeted journalists, political and human rights activists.” reads the post published by Certfa Lab. “These phishing attacks are in line with the previous activities of the group that companies like ClearSky² and Microsoft³ have reported in detail in September and October 2019.”

The Iranian hackers are still focusing to target private and government institutions, think tanks and academic institutions, organizations with ties to the Baha’i community, and many others in European countries, the United States, United Kingdom, and Saudi Arabia.

The attackers created a fake account impersonating New York Times journalist Farnaz Fassihi (former Wall Street Journal (WSJ) journalist) to send fake interview proposals or invitations to a webinar to the target individuals and trick them into accessing phishing websites. 

The spear-phishing messages use links in the footnotes, including social media links, WSJ and Dow Jones websites, that are all in the short URL format. When the victims click on them, they are redirected to legitimate addresses while getting basic information about the victim’s device (i.e. IP address, Operating System, and browser) that could be used to prepare the attack against the victim’s devices.

Then, the attackers send a link to a page containing interview questions that is hosted on Google Sites, a common trick to evade detection.

Once the victims clicked the download button on the Google Site page, they will be redirected to another fake page in two-step-checkup[.]site domain where login credential details of his/her email such as the password and two factor authentication (2FA) code are requested.

Attackers employed a backdoor named “pdfreader.exe,” it was first uploaded to VirusTotal by an anonymous user on 3 October 2019. The malware gathers victim device data and achieves persistence through modified Windows Firewall and Registry settings. Experts pointed out that the malware is linked to operators behind past Charming Kitten campaigns. 

“The similarities between the method of managing and sending HTTP requests in “two-step-checkup[.]site” server with the latest techniques used by this group is further evidence of Charming Kitten’s connection to these attacks.” continues the report.”In this technique, if sent requests to the host server of the phishing kit are denied, the user is directed to a legitimate website like Google, Yahoo!, or Outlook by “301 Moved Permanently” and “Found redirect 302” responses. As a result, this method makes it harder for different pages and sections of phishing websites to be exposed to the public.”

The recently discovered phishing attacks by the Charming Kitten are in line with previous activities conducted by the group. Certfa speculates that the APT group is working on the development of a series of malware for their future phishing attack campaign.

“The Charming Kitten used Google Sites for their phishing attack, and Certfa believes that they work on the development of a series of malware for their future phishing attack campaign.” concludes the report.

Pierluigi Paganini

(SecurityAffairs – Charming Kitten, APT)

Share On