Phishing attacks are the most common method of attacking any organization. These types of attacks have been observed in all industries and government entities. The latest infiltration campaign used by Iranian state-sponsored hackers has been named “The Return of the Charming Kitten.” In this particular effort, the hackers have targeted individuals in organizations that have been involved in economic and military sanctions against the Islamic Republic of Iran. The targets include politicians, civil and human rights activists and journalists worldwide; the goal is to take over their email accounts and use them in disinformation campaigns.
These attacks have also targeted US Presidential campaigns, and the damage they cause is likely to grow as the November 2020 Election Day nears. The group has added new spear-phishing techniques in an apparent ramp-up of operations.
These state-backed hackers use several ways to initiate their attacks. The methods fall into three tactics:
- The first is to launch phishing attacks through unknown email or social media messaging accounts.
- The second is to launch attacks through email or social media messaging accounts of public figures, which have already been hacked by the attackers.
- A third tactic sends an SMS message to the victim using the Sender ID “Live Recover,” containing an alert that a third party has attempted to compromise the victim’s email account. The message asks the victim to verify the account through an attached malicious link.
These adversaries have been active since 2011 and are known to cyber security analysts by the names APT35, Ajax Security Team, NewsBeef, Newscaster and Phosphorus.
The hackers have used various ruses in this campaign. In one notable example, the threat actors created a fake email account impersonating a New York Times journalist and sent fake interview invitations to victims to trick them into visiting phishing websites. The phishing emails included URLs for selected social media and newspaper websites in the text. This allowed the hackers to guide victims to those websites while collecting information on their devices, such as IP address, operating system and browser. The attackers then sent a link to a file containing the interview questions, hosted on Google Sites to avoid raising suspicion and to evade payload detection. From the Google page, the victim is taken to a phishing page styled as a two-step sign-in site, where the victim is asked for login credentials, including two-factor authentication codes. In these attacks the threat actors have also used pdfReader.exe, an unsophisticated backdoor that relies on modified Windows Firewall and Registry settings.
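The lure chain above (a “Live Recover” SMS, a journalist impersonation from a non-newsroom domain, and an interview file hosted on Google Sites) can be turned into simple mail- and SMS-gateway triage rules. The following is an added example, not code from the original post or from Red Sky Alliance; the sample messages are constructed, and the list of trusted newsroom domains is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not real captures) in the shape the lures take.
SAMPLE_MESSAGES = [
    {"channel": "sms", "sender": "Live Recover",
     "body": "Someone tried to access your account. Verify here: http://recover-check.test/verify"},
    {"channel": "email", "sender": "Jane Doe NYT <jane.doe@mail-news.test>",
     "body": "The interview questions are at https://sites.google.com/view/interview-questions-2020"},
    {"channel": "email", "sender": "IT Desk <it@corp.example>",
     "body": "Reminder: patch window tonight at 22:00."},
]

# Assumed set of domains a claimed New York Times journalist should send from.
TRUSTED_NEWS_DOMAINS = {"nytimes.com"}
URL_RE = re.compile(r"https?://[^\s<>\"]+")
NYT_CLAIM_RE = re.compile(r"\b(nyt|new york times)\b", re.I)


def extract_urls(text):
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(text)


def score_message(msg):
    """Return the list of lure indicators this message matches (empty if none)."""
    reasons = []
    urls = extract_urls(msg["body"])
    # Tactic 3: SMS from the 'Live Recover' sender ID carrying a link.
    if msg["channel"] == "sms" and msg["sender"].strip().lower() == "live recover" and urls:
        reasons.append("sms_sender_id_live_recover_with_link")
    if msg["channel"] == "email":
        # Split 'Display Name <addr>' and compare the claimed outlet to the sending domain.
        m = re.match(r"(.*)<([^>]+)>", msg["sender"])
        display, addr = (m.group(1), m.group(2)) if m else ("", msg["sender"])
        domain = addr.rsplit("@", 1)[-1].strip().lower()
        if NYT_CLAIM_RE.search(display) and domain not in TRUSTED_NEWS_DOMAINS:
            reasons.append("journalist_display_name_domain_mismatch")
    # Interview file 'hosted on Google sites' to evade payload detection.
    for url in urls:
        if urlparse(url).netloc.lower() == "sites.google.com":
            reasons.append("google_sites_hosted_link")
    return reasons


def triage(messages):
    """Map message index -> matched indicators, keeping only messages that matched."""
    scored = {i: score_message(m) for i, m in enumerate(messages)}
    return {i: r for i, r in scored.items() if r}
```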
An analysis of the phishing websites used in these state-sponsored attacks reveals servers that had been used in previous Charming Kitten phishing attacks. The method of managing and sending HTTP requests is additional evidence that Charming Kitten is behind these operations. As usual, a spokesperson for Iran’s mission to the United Nations has denied that Iran operates or supports any hacking operations, stating that any firm claiming otherwise “are merely participants in the disinformation campaign against Iran.”
Red Sky Alliance has been analyzing and documenting cyber threats for 8 years, has investigated APT35, and can provide extensive historical and current documentation. Please feel free to contact our analysis team for research assistance and Cyber Threat Analysis Center (CTAC) support for your organization.
Red Sky Alliance’s RedXray service can provide any organization with a daily cyber threat notification report covering nine (9) cyber threat categories, so threats can be mitigated before they become expensive problems. RedXray monitors our intelligence feeds daily to identify threats against your networks, supply chain or target companies/agencies and provides you with an emailed report. How easy is it to order? It can be ordered online in less than 3 minutes, with all billing made monthly by credit card, by visiting https://wapacklabs.com/redxray.
Red Sky Alliance/Wapack Labs Corporation can help your firm protect against these threats and is now offering Cyber Insurance coverage through Cysurance to help protect your organization and help with recovery expenses. Please feel free to contact us at firstname.lastname@example.org.
Red Sky Alliance is located in New Boston, NH, USA and is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 888-RED-XRAY or (888)-733-9729, or email email@example.com.