Iran-Backed Charming Kitten Stages Fake Webinar Platform to Ensnare Targets – Dark Reading
Conflicts in the Middle East, Ukraine, and other areas of simmering geopolitical tensions have made policy experts the latest target of cyber operations conducted by state-sponsored groups.
An Iran-linked group known as Charming Kitten, CharmingCypress, and APT42 recently targeted Middle East policy experts in the region as well as in the US and Europe, using a phony webinar platform to compromise its targeted victims, incident response services firm Volexity stated in an advisory published this month.
Charming Kitten is well known for its extensive social engineering tactics, including low-and-slow social engineering attacks against think tanks and journalists to gather political intelligence, the firm stated.
The group often dupes its targets into installing Trojan-rigged VPN applications to gain access to the fake webinar platform and other sites, resulting in the installation of malware. Overall, the group has embraced the long confidence game, says Steven Adair, co-founder and president of Volexity.
"I don't know if that is necessarily sophisticated and advanced, but it is a lot of effort," he says. "It's more advanced and more sophisticated than your average attack by a significant margin. It's a level of effort and dedication ... that is definitely different and uncommon ... to go to that much effort for such a specific set of attacks."
Policy experts are frequently targeted by nation-state groups. The Russia-linked ColdRiver group, for example, has targeted nongovernmental organizations, military officers, and other experts, using social engineering to gain the confidence of the victim and then following up with a malicious link or malware. In Jordan, targeted exploitation, reportedly by government agencies, used the Pegasus spyware program developed by the NSO Group against journalists, digital-rights lawyers, and other policy experts.
Other companies have also described Charming Kitten/CharmingCypress' tactics. In a January advisory, Microsoft warned that the group, which it calls Mint Sandstorm, had targeted journalists, researchers, professors, and other experts covering security and policy topics of interest to the Iranian government.
"Operators associated with this subgroup of Mint Sandstorm are patient and highly skilled social engineers whose tradecraft lacks many of the hallmarks that allow users to quickly identify phishing emails," Microsoft stated. "In some instances of this campaign, this subgroup also used legitimate but compromised accounts to send phishing lures."
The group has been active since at least 2013, has strong links to the Islamic Revolutionary Guard Corps (IRGC), and has not been directly involved in the cyber-operational aspect of the conflict between Israel and Hamas, according to cybersecurity firm CrowdStrike.
"Unlike in the Russia-Ukraine war, where known cyber operations have directly contributed to the conflict, those involved in the Israel-Hamas conflict have not directly contributed to Hamas military operations against Israel," the company stated in its "2024 Global Threat Report" released on Feb. 21.
These attacks usually start with spear-phishing and end with a combination of malware delivered to the target's system, according to an advisory from Volexity, which calls the group CharmingCypress. In September and October 2023, CharmingCypress used a number of typo-squatted domains, with addresses similar to legitimate ones, to pose as officials from the International Institute of Iranian Studies (IIIS) and invite policy experts to a webinar. The initial email demonstrated the low-and-slow approach of CharmingCypress, eschewing any malicious link or attachment and inviting the targeted professional to reach out through other channels of communication, such as WhatsApp and Signal.
Using in-depth spearphishing, CharmingCypress aims to convince policy experts to install malware. Source: Volexity
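The typo-squatted sender domains described above are the one technical signal in the initial lure that a mail gateway or a recipient can check mechanically, because the first email carries no link or attachment. The following is an added example, not code from the Dark Reading article or from Volexity: it flags sender domains that are look-alikes of domains an organisation trusts, using edit distance after folding commonly confused characters, plus a check for a trusted name reused under a longer domain. The trusted-domain list and the sample sender addresses are constructed for the example and are not the domains the campaign used.

```python
# Added example (not from the Dark Reading article or Volexity's advisory):
# flag inbound sender domains that imitate domains an organisation trusts.
# TRUSTED_DOMAINS and SAMPLE_SENDERS are constructed placeholders.

from typing import List, Optional, Tuple

# Constructed allow-list; a real deployment loads the organisation's own list.
TRUSTED_DOMAINS = ["example-institute.org", "policy-forum.example"]

# Character swaps that make a look-alike hard to spot by eye.
# Folding both sides with the same table lets "exarnple" compare equal to "example".
CONFUSABLES = {"0": "o", "1": "l", "l": "i", "rn": "m", "vv": "w"}

# Constructed sample sender addresses, as a gateway rule would see them.
SAMPLE_SENDERS = [
    "events@example-institute.org",          # genuine
    "webinar@exarnple-institute.org",        # rn -> m swap
    "contact@example-institute-events.org",  # trusted name with an extra word
    "colleague@unrelated.example",           # unrelated, should not be flagged
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) via a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Lower-case and fold confusable glyphs (applied identically to both sides)."""
    d = domain.lower()
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def sender_domain(address: str) -> str:
    """Domain part of an RFC 5322-style address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def lookalike_of(address: str, max_distance: int = 2) -> Optional[str]:
    """Return the trusted domain this sender imitates, or None.

    An exact match with a trusted domain is accepted. A sender is flagged when,
    after confusable folding, it is within max_distance edits of a trusted
    domain, or when the trusted domain's first label is embedded in a longer
    first label (e.g. 'institute-events' style padding)."""
    dom = sender_domain(address)
    if dom in TRUSTED_DOMAINS:
        return None
    folded = normalise(dom)
    folded_label = folded.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        t = normalise(trusted)
        if levenshtein(folded, t) <= max_distance:
            return trusted
        if t.split(".")[0] in folded_label and folded != t:
            return trusted
    return None


def triage(addresses: List[str]) -> List[Tuple[str, str]]:
    """Return (address, imitated trusted domain) for every flagged sender."""
    hits = []
    for addr in addresses:
        imitated = lookalike_of(addr)
        if imitated is not None:
            hits.append((addr, imitated))
    return hits


if __name__ == "__main__":
    for addr, imitated in triage(SAMPLE_SENDERS):
        print(f"LOOK-ALIKE: {addr} resembles trusted domain {imitated}")
```

The folding table and distance threshold are deliberately small so the rule stays explainable; in practice it belongs alongside, not instead of, DMARC alignment checks and a first-contact warning banner, since a registered look-alike domain can pass SPF and DKIM for itself.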
The attacks target Middle East policy experts worldwide, with Volexity encountering a majority of attacks against European and US professionals, Adair says.
"They are quite aggressive," he says. "They'll even set up entire email chains or a phishing scenario where they're looking for comment and there's other people maybe three, four, or five people on that email thread with the exception of the target they're definitely trying to build rapport."
The long con eventually delivers a payload. Volexity identified five different malware families associated with the threat. The PowerLess backdoor is installed by the Windows version of the malware-laden virtual private network (VPN) application, which uses PowerShell to allow files to be transferred and executed, as well as targeting specific data on the system, logging keystrokes, and capturing screenshots. A macOS version of the malware is dubbed NokNok, while a separate malware chain using a RAR archive and LNK exploit leads to a backdoor named Basicstar.
The group's approach to social engineering definitely embodies the "persistence" piece of the advanced persistent threat (APT). Volexity sees a "constant barrage" of attacks, so policy experts have to become even more suspicious of cold contacts, Adair says.
Doing so will be difficult, as many policy experts are academics in constant contact with students or members of the public and are not used to being strict with their contacts, he says. Yet they should definitely think before opening documents or entering credentials into a site reached through an unknown link.
"At the end of the day, they have to get the person to click something or open something, which if I want you to review a paper or something like that, means ... being very wary of links and files," Adair says. "If I have to enter my credentials at any point in time, or authorize something that should be a major red flag. Similarly, if I'm being asked to download something, that should be a pretty big red flag."
In addition, policy experts need to understand that CharmingCypress will continue to target them even if its attempts fail, Volexity stated.
"This threat actor is highly committed to conducting surveillance on their targets in order to determine how best to manipulate them and deploy malware," the company stated in its advisory. "Additionally, few other threat actors have consistently churned out as many campaigns as CharmingCypress, dedicating human operators to support their ongoing efforts."