Charming Kitten is a Bad Kitty

Security researchers have linked a late 2020 phishing campaign aimed at stealing credentials from 25 senior professionals at medical research organizations in the United States and Israel to an advanced persistent threat group with links to Iran called Charming Kitten.

See this article

The campaign, named BadBlood because of its medical focus and the history of tensions between Iran and Israel, aimed to steal the credentials of professionals specializing in genetic, neurology and oncology research. This type of targeting represents a departure for Charming Kitten (also known as Phosphorus, Ajax or TA453), which, because of its believed alignment with Iran’s Islamic Revolutionary Guard Corps (IRGC), has in the past primarily put dissidents, academics, diplomats and journalists in its crosshairs, researchers said in the report.

“While this campaign may represent a shift in TA453 targeting overall, it is also possible it may be the result of a specific short-term intelligence collection requirement,” the team wrote in a report. “BadBlood is aligned with an escalating trend of medical research being increasingly targeted by threat actors.”

The medical professionals targeted in the latest campaign “appear to be extremely senior personnel” at their respective organizations, researchers noted. Though the cyber threat firm Proofpoint has not conclusively determined Charming Kitten’s motives for the attacks, it does seem to be a one-off attempt to gather intelligence that could potentially be used in further phishing campaigns.

Charming Kitten, believed to be an Iranian state-sponsored APT, has been operating since 2014 and has built a “vast espionage apparatus” comprising at least 85 IP addresses, 240 malicious domains, hundreds of hosts and multiple fake entities. Spearphishing and custom malware are among the array of tactics the group uses against victims. Charming Kitten’s last known attack was uncovered in October 2020, when it targeted world leaders attending the Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia, compromising attendees of the two conferences in an effort to steal their email credentials.

The group was also seen in July 2020 targeting Israeli scholars and U.S. government employees in another credential-stealing effort, and it also attacked the re-election effort of former President Donald Trump in various ways.

The latest campaign shows the group using at least some of its usual tricks, with the typical goal of stealing credentials, Proofpoint has found. Researchers discovered the nefarious activity in December, when a threat actor-controlled Gmail account, zajfman.daniel[@]gmail.com, masqueraded as a prominent Israeli physicist and sent e-mails with the subject “Nuclear weapons at a glance: Israel” to its targets.

The messages included social-engineering lures relating to Israeli nuclear capabilities, as well as a link to a domain controlled by Charming Kitten, 1drv[.]casa. If someone clicks on the URL, it leads to a landing site spoofing Microsoft’s OneDrive service along with an image of a PDF document logo titled “CBP-9075.pdf,” which is actually a malicious file. If someone then tries to view or open the PDF, it delivers a forged Microsoft login page that attempts to harvest user credentials, researchers wrote.

“Attempting to use any other hyperlink in the webpage results in the same redirect to the same forged Microsoft login page, except for the ‘Create one!’ link,” they wrote in the post. “This tab leads to the legitimate Microsoft Outlook ‘Sign Up’ page at hxxps[://]signup.live[.]com.”

If a potential victim gets this far, enters his or her email and clicks “Next,” the page then asks for a password. Once credentials are entered, the user is then redirected to Microsoft’s OneDrive, which hosts the benign “Nuclear weapons at a glance: Israel” document, researchers stated.
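As an added defender’s example (not code from the original post or from Proofpoint’s report), the script below refangs the indicators quoted above and scans constructed proxy log lines both for the reported domain and for hosts that mimic OneDrive’s 1drv.ms short-link domain without belonging to Microsoft. The allow-list of legitimate Microsoft suffixes and the “user url” log format are assumptions made for this example.

```python
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse

# Indicators as defanged in the report above; refanged before matching.
DEFANGED_IOCS = ["1drv[.]casa", "zajfman.daniel[@]gmail.com"]
# Suffixes that legitimately serve OneDrive links or Microsoft sign-in (assumed allow-list).
LEGIT_SUFFIXES = ("1drv.ms", "live.com", "microsoft.com", "microsoftonline.com")

def refang(ioc: str) -> str:
    """Reverse the defanging conventions ([.] [://] [@] hxxp) used in threat reports."""
    out = ioc.replace("[.]", ".").replace("[://]", "://").replace("[@]", "@")
    return re.sub(r"^hxxp", "http", out)

def host_of(url: str) -> str:
    """Lower-cased host of a URL; a bare domain without a scheme is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def classify_url(url: str, known_bad: Set[str]) -> Optional[str]:
    """Return an alert reason for a URL, or None if nothing is suspicious."""
    host = host_of(url)
    if host in known_bad:
        return f"known BadBlood domain {host}"
    legit = any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)
    if not legit and ("1drv" in host or "onedrive" in host):
        return f"OneDrive lookalike host {host}"
    return None

def scan_proxy_log(lines: List[str], iocs=DEFANGED_IOCS) -> List[Tuple[str, str]]:
    """Scan 'user url' proxy lines; return one (user, reason) pair per alert."""
    known_bad = {host_of(refang(i)) for i in iocs if "@" not in i}  # domain IOCs only
    hits = []
    for line in lines:
        user, _, url = line.strip().partition(" ")
        reason = classify_url(url, known_bad)
        if reason:
            hits.append((user, reason))
    return hits

# Constructed sample log: alice followed the lure, carol hit a lookalike, bob and dave used real OneDrive.
SAMPLE_LOG = [
    "alice https://1drv.casa/CBP-9075.pdf",
    "bob https://1drv.ms/u/s!example",
    "carol https://onedrive-share.example.net/login",
    "dave https://onedrive.live.com/?id=1",
]

ALERTS = scan_proxy_log(SAMPLE_LOG)  # [('alice', ...), ('carol', ...)]
```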

In addition to the tactics used in the campaign, researchers said there is other evidence that Charming Kitten is behind the attacks. The Proofpoint team identified domains other than the one used directly in the attack that they can attribute to the group “with high confidence based on network infrastructure components, campaign timing, and similarity in lure documents,” researchers wrote in the report.

The lure documents delivered at the end of the attack chain also share similar national-security themes that are indicative of attacks by the group, they added. “While researchers were not able to directly correlate all of these domains with phishing campaigns, we judge this activity to be consistent with the BadBlood campaign,” the Proofpoint team wrote.

Red Sky Alliance has been analyzing and documenting cyber threats and groups for over 9 years and maintains a resource library of malware and cyber actor reports, available at https://redskyalliance.org at no charge. Many past tactics are reused in current malicious campaigns.


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com


Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516


TR-21-108-001Charming_Kitten.pdf 

https://threatpost.com/charming-kitten-pounces-on-researchers/165129/
