Feed: charming kitten - X-Industry - Red Sky Alliance (2024-03-29T05:16:02Z)
Feed URL: https://redskyalliance.org/xindustry/feed/tag/charming+kitten

Item: Iranian Hackers Masquerade as Journalists
URL: https://redskyalliance.org/xindustry/iranian-hackers-masquerade-as-journalists
Published: 2024-01-23T17:05:00.000Z (updated 2024-01-23T17:05:00.000Z)
Author: Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>High-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the UK, and the US have been targeted by an Iranian cyber espionage group called Mint Sandstorm since November 2023. The threat actor "used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files," the Microsoft Threat Intelligence team reported in a recent analysis, describing it as a "technically and operationally mature subgroup of Mint Sandstorm."</p>
<p>The attacks, in select cases, involve the use of a previously undocumented backdoor named MediaPl, indicating ongoing endeavors by Iranian threat actors to refine their post-intrusion tradecraft. Mint Sandstorm, also known as APT35, Charming Kitten, TA453, and Yellow Garuda, is known for its adept social engineering campaigns, even resorting to legitimate but compromised accounts to send bespoke phishing emails to prospective targets. It's assessed to be affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC).<a href="#_ftn1">[1]</a></p>
<p>See: <a href="https://redskyalliance.org/xindustry/charming-kitten-s-new-malware">https://redskyalliance.org/xindustry/charming-kitten-s-new-malware</a></p>
<p>The sub-cluster, per the researchers, engages in resource-intensive social engineering to single out journalists, researchers, professors, and other individuals with insights on security and policy issues of interest to Tehran. The latest intrusion set is characterized by the use of lures pertaining to the Israel-Hamas war: the actor sends innocuous emails under the guise of journalists and other high-profile individuals to build rapport and establish a level of trust before attempting to deliver malware. Microsoft investigators said the campaign is likely an effort by the nation-state threat actor to collect perspectives on events related to the war.</p>
<p>Sending the email messages from breached accounts belonging to the very people being impersonated is a tactic not previously seen from Mint Sandstorm, as is its use of the curl command to connect to the command-and-control (C2) infrastructure. Should the targets engage with the threat actor, they are sent a follow-up email containing a malicious link that points to a RAR archive file, which, when opened, leads to the retrieval of Visual Basic scripts from the C2 server to persist within the targets' environments.</p>
<p>The attack chains further pave the way for custom implants like MischiefTut or MediaPl, the former of which was first disclosed by Microsoft in October 2023. Implemented in PowerShell, MischiefTut is a basic backdoor that can run reconnaissance commands, write outputs to a text file, and download additional tools on a compromised system. The first recorded use of the malware dates back to late 2022. MediaPl poses as Windows Media Player and is designed to transmit encrypted communications to its C2 server and launch command(s) it has received from the server. "Mint Sandstorm continues to improve and modify the tooling used in targets' environments, activity that might help the group persist in a compromised environment and better evade detection," per the Microsoft spokesman. "The ability to obtain and maintain remote access to a target's system can enable Mint Sandstorm to conduct a range of activities that can adversely impact the confidentiality of a system."</p>
<p>The disclosure comes as Dutch newspaper De Volkskrant revealed earlier this month that Erik van Sabben, a Dutch engineer recruited by Israel and US intelligence services, may have used a water pump to deploy an early variant of the now-infamous Stuxnet malware in an Iranian nuclear facility sometime in 2007.</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></p>
<p>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2024/01/iranian-hackers-masquerades-as.html">https://thehackernews.com/2024/01/iranian-hackers-masquerades-as.html</a></p></div>

Item: TA453, Charming Kitten, APT42, Mint Sandstorm, Yellow Garuda
URL: https://redskyalliance.org/xindustry/noknok-charming-kitten
Published: 2023-07-12T16:12:30.000Z (updated 2023-07-12T16:12:30.000Z)
Author: CyberDog (https://redskyalliance.org/members/CyberDog189)
<div><p>In mid-May 2023, TA453, also known publicly as Charming Kitten, APT42, Mint Sandstorm, and Yellow Garuda, sent a benign conversation lure masquerading as a senior fellow with the Royal United Services Institute (RUSI) to the public media contact for a nuclear security expert at a US-based think tank focused on foreign affairs. The email solicited feedback on a project called “Iran in the Global Security Context” and requested permission to send a draft for review. The initial email also mentioned participation from other well-known nuclear security experts TA453 has previously masqueraded as, in addition to offering an honorarium. TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho. When given the opportunity, TA453 ported its malware and attempted to launch an Apple-flavored (macOS) infection chain that Proofpoint calls NokNok. TA453 also employed multi-persona impersonation in its unending espionage quest.<a href="#_ftn1">[1]</a> </p>
<p>Link to full Proofpoint report: IR-23-189-001_TA453.pdf</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.proofpoint.com/us/blog/threat-insight/welcome-new-york-exploring-ta453s-foray-lnks-and-mac-malware">https://www.proofpoint.com/us/blog/threat-insight/welcome-new-york-exploring-ta453s-foray-lnks-and-mac-malware</a></p></div>

Item: Charming Kitten's New Malware
URL: https://redskyalliance.org/xindustry/charming-kitten-s-new-malware
Published: 2023-05-01T16:00:00.000Z (updated 2023-05-01T16:00:00.000Z)
Author: Jim McKee (https://redskyalliance.org/members/JimMcKee)
<div><p>The nasty Iranian nation-state APT group known as Charming Kitten is actively targeting multiple victims in the US, Europe, the Middle East, and India with a new malware named BellaCiao, adding to its ever-expanding list of custom tools. Discovered by Bitdefender Labs, BellaCiao is a "personalized dropper" that is capable of delivering other malware payloads onto a victim machine based on commands received from an actor-controlled server. The attackers appear to customize their attacks for each victim, including the malware binary, which contains hardcoded information such as company names, custom subdomains, and IP addresses. Debugging information and file paths left inside the executable from compilation suggest the attackers are organizing their victims into folders by country code, such as IL (Israel), TR (Turkey), AT (Austria), IN (India), or IT (Italy).<a href="#_ftn1">[1]</a></p>
<p>Charming Kitten, also known as APT35, Cobalt Illusion, Educated Manticore, ITG18, Mint Sandstorm (née Phosphorus), TA453, and Yellow Garuda, is an Iranian state-sponsored APT group associated with the Islamic Revolutionary Guard Corps (IRGC). Over the years, the group has utilized various means to deploy backdoors in systems belonging to various industry verticals.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/charming-kitten-is-a-bad-kitty">https://redskyalliance.org/xindustry/charming-kitten-is-a-bad-kitty</a></p>
<p>See: <a href="https://redskyalliance.org/xindustry/charming-kitten-does-not-make-a-good-pet">https://redskyalliance.org/xindustry/charming-kitten-does-not-make-a-good-pet</a></p>
<p>The development comes as Microsoft attributed to the threat actor retaliatory attacks aimed at critical infrastructure entities in the US between late 2021 and mid-2022 using malware such as CharmPower, Drokbk, and Soldier. Recently, Check Point disclosed Mint Sandstorm's use of an updated version of the PowerLess implant to strike organizations in Israel using Iraq-themed phishing lures. Custom-developed, or 'tailored', malware is generally harder to detect because it is specifically crafted to evade detection and contains unique code.</p>
<p>The exact method used to achieve initial intrusion is currently undetermined. However, it's suspected to entail the exploitation of known vulnerabilities in internet-exposed applications like Microsoft Exchange Server or Zoho ManageEngine.</p>
<p>A successful breach is followed by the threat actor attempting to disable Microsoft Defender using a PowerShell command and establishing persistence on the host via a service instance.</p>
<p>Bitdefender said it also observed Charming Kitten downloading two Internet Information Services (IIS) modules capable of processing incoming instructions and exfiltrating credentials.</p>
<p>BellaCiao, for its part, is notable for performing a DNS request every 24 hours to resolve a subdomain to an IP address that's subsequently parsed to extract the commands to be executed on the compromised system. The resolved IP address resembles the victim's real public IP address but carries slight modifications that allow BellaCiao to receive further instructions.</p>
<p>It communicates "with an attacker-controlled DNS server that sends malicious hard-coded instructions via a resolved IP address that mimics the target's real IP address. Additional malware is dropped via hard-coded instructions rather than traditional download." Depending on the resolved IP address, the attack chain leads to the deployment of a web shell that supports the ability to upload and download arbitrary files and run commands.</p>
<p>Also identified is a second variant of BellaCiao that replaces the web shell with Plink, a command-line connection utility for PuTTY, used here to establish a reverse proxy connection to a remote server and implement similar backdoor features.</p>
<p>The campaign, which has targeted many industries and company sizes, is assessed to be an outcome of opportunistic attacks, where BellaCiao is customized and deployed against carefully selected victims of interest following indiscriminate exploitation of vulnerable systems. This type of attack is particularly effective against systems that are not well-maintained, run outdated software or lack security patches, or use weak passwords, and, in many cases, against smaller companies that do not have detection and response capabilities. With the increasing popularity of vulnerability exploits and automated attacks, even small companies can become a target for state-affiliated threat actors. The best protection against modern attacks involves implementing a defense-in-depth architecture.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a><br /> Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a><br /> LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2023/04/charming-kittens-new-bellaciao-malware.html">https://thehackernews.com/2023/04/charming-kittens-new-bellaciao-malware.html</a></p></div>

Item: Charming Kitten, Does Not Make a Good Pet
URL: https://redskyalliance.org/xindustry/charming-kitten-does-not-make-a-good-pet
Published: 2020-03-01T21:07:04.000Z (updated 2020-03-01T21:07:04.000Z)
Author: Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>Phishing attacks are the most common method of attacking any organization. These types of attacks have been observed in all industries and government entities. The latest infiltration campaign used by Iranian state-sponsored hackers has been named “The Return of the Charming Kitten.” In this particular effort, hackers have targeted individuals in organizations that have been involved in economic and military sanctions against the Islamic Republic of Iran. These targets include politicians, civil and human rights activists, and journalists globally; the aim is to take over their email accounts and use them for disinformation campaigns.<a href="#_ftn1">[1]</a> </p>
<p>These attacks have also targeted US Presidential campaigns, which may cause more damage as the November 2020 Election Day nears. This group has added new spear-phishing techniques in an apparent ramp-up in operations.</p>
<p>These state-backed hackers are using several ways to initiate their attacks. These methods can be categorized into three tactics:</p>
<ul>
<li>The first is to launch phishing attacks through unknown email or social media messaging accounts.</li>
<li>The second is to launch attacks through email or social media messaging accounts of public figures, which have already been hacked by the attackers.</li>
<li>A third tactic sends an SMS message to a victim that uses a Sender ID of “Live Recover” and contains an alert about a third party who has attempted to compromise the victim’s email account. The message asks the victim to verify the account through an attached malicious link.</li>
</ul>
<p>These adversaries have been active since 2011 and are known to cyber security analysts by the names APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus.</p>
<p>The hackers have used various ruses in this campaign. A notable example is that they created a fake email account impersonating a New York Times journalist to send fake interview invitations to victims and trick them into accessing phishing websites.<a href="#_ftn2">[2]</a> The phishing emails included URLs in the text for selected social media and newspaper websites. This allowed the hackers to guide victims to these websites while collecting information on their devices, such as IP address, operating system, and browser. The attackers then sent a link to a file containing the interview questions, hosted on Google Sites to avoid raising suspicion and evade payload detection. From the Google page, the victim was taken to a phishing page at a two-step check-in site, where the victim was asked for login credentials, including two-factor authentication codes. In these attacks, the threat actors also used pdfReader.exe, an unsophisticated backdoor that works through modified Windows Firewall and Registry settings.</p>
<p>An analysis of the phishing websites used in these state-sponsored attacks reveals the use of servers that had been used in previous Charming Kitten phishing attacks. The method of managing and sending HTTP requests is additional proof that Charming Kitten is behind these operations. As usual, a spokesperson for Iran’s mission to the United Nations has denied operating or supporting any hacking operations, stating that any firm claiming otherwise “are merely participants in the disinformation campaign against Iran.”</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats for 8 years, has investigated APT35, and can provide extensive historical and current documentation. Please feel free to contact our analysis team for research assistance and Cyber Threat Analysis Center (CTAC) support for your organization.</p>
<p>Red Sky Alliance’s RedXray services can provide any organization with a daily cyber threat notification report covering nine (9) cyber threat categories, so threats can be mitigated before they become expensive problems. RedXray monitors our intelligence feeds daily to identify threats against your networks, supply chain, or target companies/agencies and provides you with an emailed report. How easy is it to order? It can be ordered online in less than 3 minutes, and all billing is made monthly by credit card, by visiting <a href="https://wapacklabs.com/redxray">https://wapacklabs.com/redxray</a>.</p>
<p>Red Sky Alliance/Wapack Labs Corporation can help your firm protect against these threats and is now offering Cyber Insurance coverage through Cysurance to help protect your organization and help with recovery expenses. Please feel free to contact us at sales@wapacklabs.com.</p>
<p>Red Sky Alliance is in New Boston, NH USA and is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 888-RED-XRAY or (888)-733-9729, or email <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p><em>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a><br /> LinkedIn: <a href="https://www.linkedin.com/company/wapacklabs/">https://www.linkedin.com/company/wapacklabs/</a><br /> Twitter: <a href="https://twitter.com/wapacklabs?lang=en">https://twitter.com/wapacklabs?lang=en</a></em></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://threatpost.com/charming-kitten-uses-fake-interview-requests-to-target-public-figures/152628/">https://threatpost.com/charming-kitten-uses-fake-interview-requests-to-target-public-figures/152628/</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.bleepingcomputer.com/news/security/charming-kitten-hackers-impersonate-journalist-in-phishing-attacks/">https://www.bleepingcomputer.com/news/security/charming-kitten-hackers-impersonate-journalist-in-phishing-attacks/</a></p></div>