Charming Kittens: Phishing Emails From Iran

Phishing attacks are the most common form of infiltration apparently used by Iranian state-backed hackers to gain access into accounts. The latest campaign of phishing attacks has been named as “The Return of the Charming Kitten”.  
 
In this campaign, hackers have targeted individuals who are involved in economic and military sanctions against the Islamic Republic of Iran as well as politicians, civil and human rights activists and journalists around the world by attempting to take and use their email accounts. 
 
Researchers at Certfa Lab provide a review of the latest wave of organised phishing attacks by Iranian state-backed hackers which succeeded by compromising 2-factor authentication. The newly detailed phishing attack, Certfa Lab says, is related to targeting/hacking the US Presidential campaign, government officials and media targets.  The attackers are using different methods to carry out their attacks. These methods can be put into two categories:
  • Phishing attacks through unknown email or social media and messaging accounts
  • Phishing attacks through email or social media and messaging accounts of public figures, which have been hacked by the attackers
Also known as APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus, the adversary has been active since at least 2011, targeting journalists and activists in the Middle East, as well as organizations in the United States, and entities in the UK, Israel, Iraq, and Saudi Arabia.
 
Charming Kitten’s new activity indicates that the hacking group continues to target private and government institutions, think tanks, academics and organisations.  
 
In this campaign, the threat actors created a fake account impersonating a New York Times journalist to send fake interview invitations to victims and trick them into accessing phishing websites. The phishing emails contained shortened URLs in the footnotes for various social media links and newspaper websites, which allow hackers to guide victims to legitimate sites while gathering basic information on their devices including their P address, operating system, and browser. 
 
Next, the attackers send a link to a file containing interview questions, which is hosted on Google Sites, to avoid raising suspicion and evade the spam detections. From the Google Site page, the victim is then taken to a phishing page at two-step-checkup.site, where they are asked for login credentials, including two factor authentication (2FA) codes. In these attacks, the threat actor also used pdfReader.exe, an unsophisticated backdoor that achieves persistence through modified Windows Firewall and Registry settings.
 
Designed to gather victim device data, the malware shows a close relation between its developer and the campaign’s operators. 
 
Analysis of the phishing websites used in these attacks reveal the use of servers previously associated with other Charming Kitten phishing attacks. The method of managing and sending HTTP requests is further evidence that Charming Kitten is behind the operation. These phishing attacks by the Charming Kitten are similar to previous attacks by the group and Certfa believes that they work on the development of a series of malware for their future phishing attack campaign.
 
Iran denies operating or supporting any hacking operation and a spokesman for the Iran's mission to the United Nations, said that firms claiming otherwise "are merely participants in the disinformation campaign against Iran."
 
Swiss Info:       CERTFA.com      IT Security News:         Security Week
 
You Might Also Read: 
 
Iranian Hackers Attack The US, Not Very Badly:
 
Iran's Cyberwar Response To Its General's Killing
 
 
« The Cloud Is Beginning To Attract Criminal Extortion
Trends In Cyber Security Technology »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Information Security Group (ISG) - Royal Holloway

Information Security Group (ISG) - Royal Holloway

The Information Security Group, Royal Holloway, University of London, is an Academic Centres of Excellence in Cyber Security Research.

RCMP Cybercrime Strategy

RCMP Cybercrime Strategy

The RCMP Cybercrime Strategy sets out in an Operational Framework and Action Plan to combat cybercrime.

Zentera Systems

Zentera Systems

Zentera's CoIP (Cloud over IP) solution offers enterprise-grade networking and security for the emerging cloud ecosystem.

National Authority Against Electronic Attacks (NAAEA) - Greece

National Authority Against Electronic Attacks (NAAEA) - Greece

The National Authority Against Electronic Attacks (NAAEA) is the national computer emergency response team of Greece.

GuardSquare

GuardSquare

GuardSquare is the global reference in mobile application protection. We develop premium software for the protection of mobile applications against reverse engineering and hacking.

Cybersecurity Collaborative

Cybersecurity Collaborative

CyberSecurity Collaborative is a forum for CISOs to share information that will collectively make us stronger, and better equipped to protect our enterprises from those seeking to damage them.

Bavarian IT Security Cluster

Bavarian IT Security Cluster

The Bavarian IT Security Cluster works to build regional IT security competencies and increase the competitiveness and market opportunities of its member companies.

Capula

Capula

Capula is a leading system integration specialist for control, automation and operational IT systems across all applications and industry sectors.

RvA

RvA

RvA is the national accreditation body for the Netherlands. The directory of members provides details of organisations offering certification services for ISO 27001.

GreenWorld Technologies

GreenWorld Technologies

GreenWorld has a proven track record in industry leading IT asset management, secure data destruction and remarketing.

Netsecurity AS

Netsecurity AS

Netsecurity is a Norwegian owned company focused and specialised within IT security and cybersecurity-as-a service.

British Blockchain Association (BBA)

British Blockchain Association (BBA)

British Blockchain Association (BBA) is a not-for-profit organisation that promotes evidence-based adoption of Blockchain and Distributed Ledger Technologies (DLT) across the public and private sector

Global Health Care Anti-Fraud Network (GHCAN)

Global Health Care Anti-Fraud Network (GHCAN)

The mission of GHCAN is to promote partnerships and communications between international organizations in order to reduce and eliminate health care fraud around the world.

Stronghold Cyber Security

Stronghold Cyber Security

Stronghold Cyber Security is a consulting company that specializes in NIST 800, the Cybersecurity Framework and the Cybersecurity Maturity Model Certification.

GeoEdge

GeoEdge

GeoEdge is the premier provider of ad security and quality solutions for the online and mobile advertising ecosystem.

Hadrian

Hadrian

Hadrian is modernizing offensive security practices with automation, making them faster and more scalable. Equipped with the hacker’s perspective, companies can now know what their critical risks are.