Security researchers have linked a late-2020 phishing campaign aimed at stealing credentials from 25 senior professionals at medical research organizations in the United States and Israel to an advanced persistent threat group with links to Iran called Charming Kitten.
The campaign, dubbed BadBlood because of its medical focus and the history of tensions between Iran and Israel, aimed to steal the credentials of professionals specializing in genetics, neurology and oncology research, according to new research posted online Wednesday by Proofpoint’s Joshua Miller and the Proofpoint Research Team.
This type of targeting represents a departure for Charming Kitten (also known as Phosphorus, Ajax or TA453), which, because of its believed alignment with Iran’s Islamic Revolutionary Guard Corps (IRGC), has in the past primarily put dissidents, academics, diplomats and journalists in its crosshairs, researchers said in the report.
“While this campaign may represent a shift in TA453 targeting overall, it is also possible it may be the result of a specific short-term intelligence collection requirement,” Miller and the team wrote in a report. “BadBlood is aligned with an escalating trend of medical research being increasingly targeted by threat actors.”
Indeed, the medical professionals targeted in the latest campaign “appear to be extremely senior personnel” at their respective organizations, researchers noted. Though Proofpoint hasn’t conclusively determined Charming Kitten’s motives for the attacks, it does seem to be a one-off attempt to gather intelligence that potentially can be used in further phishing campaigns, they said.
History of Bad Behavior
Charming Kitten, believed to be an Iranian state-sponsored APT, has been operating since around 2014 and has built a “vast espionage apparatus” made up of at least 85 IP addresses, 240 malicious domains, hundreds of hosts and multiple fake entities. Spearphishing and custom malware are among the array of tactics the group uses against victims.
Charming Kitten’s last known attack was uncovered in October when it targeted world leaders attending the Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia, compromising attendees of two conferences in an effort to steal their email credentials.
The group was also seen last July targeting Israeli scholars and U.S. government employees in another credential-stealing effort, and also attacked the re-election effort of former President Donald Trump in various ways.
The latest campaign shows the group using at least some of its usual tricks, with the typical goal of stealing credentials, Proofpoint has found. Researchers discovered the activity in December, when a threat actor-controlled Gmail account, zajfman.daniel[@]gmail.com, masqueraded as a prominent Israeli physicist and sent e-mails with the subject “Nuclear weapons at a glance: Israel” to its targets.
The messages included social-engineering lures relating to Israeli nuclear capabilities, as well as a link to a domain controlled by Charming Kitten, 1drv[.]casa, researchers said.
If a target clicks on the URL, it leads to a landing page spoofing Microsoft’s OneDrive service, showing a PDF document logo titled “CBP-9075.pdf,” which is actually a malicious file. If the target then tries to view or open the PDF, the site delivers a forged Microsoft login page that attempts to harvest the user’s credentials, researchers wrote.
“Attempting to use any other hyperlink in the webpage results in the same redirect to the same forged Microsoft login page, except for the ‘Create one!’ link,” they wrote in the post. “This tab leads to the legitimate Microsoft Outlook ‘Sign Up’ page at hxxps[://]signup.live[.]com.”
If a potential victim gets this far, enters his or her email and clicks “Next,” the page then asks for a password. Once credentials are entered, the user is then redirected to Microsoft’s OneDrive, which hosts the benign “Nuclear weapons at a glance: Israel” document, researchers said.
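The chain described above leaves three concrete indicators in mail logs: the sender address, the lure subject and the 1drv[.]casa host that imitates Microsoft’s legitimate 1drv.ms short-link service. The following Python triage routine is an added example, not code from Proofpoint’s report: it refangs the indicators as the article prints them, runs them over constructed sample messages, and also flags hosts that reuse a Microsoft or OneDrive label outside a small allow-list of legitimate hosts (the allow-list and the lookalike heuristic are this example’s own assumptions, not something the report specifies).

```python
"""Triage e-mail records against the BadBlood indicators quoted in the article."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators exactly as the report prints them (defanged).
DEFANGED_SENDER = "zajfman.daniel[@]gmail.com"
DEFANGED_DOMAIN = "1drv[.]casa"
LURE_SUBJECT = "Nuclear weapons at a glance: Israel"

# Assumption for the lookalike check: hosts Microsoft really uses for the
# services the spoofed page imitates. Extend to your tenant's own hosts.
LEGIT_HOSTS = {
    "1drv.ms",
    "onedrive.live.com",
    "login.live.com",
    "signup.live.com",
    "login.microsoftonline.com",
}
# Labels a credential-harvesting page borrows to look like Microsoft.
BRAND_LABELS = {"1drv", "onedrive", "microsoft", "live", "office365"}


def refang(indicator: str) -> str:
    """Turn the report's defanged notation back into a matchable string."""
    return (
        indicator.replace("[.]", ".")
        .replace("[@]", "@")
        .replace("[://]", "://")
        .replace("hxxp", "http")
    )


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; scheme-less inputs are tolerated."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_brand_lookalike(host: str) -> bool:
    """True for a host that reuses a Microsoft/OneDrive label but is not a known legitimate host."""
    if host in LEGIT_HOSTS or host.endswith((".microsoft.com", ".live.com")):
        return False
    return any(label in BRAND_LABELS for label in host.split("."))


@dataclass
class Email:
    sender: str
    subject: str
    urls: list


def triage(msg: Email) -> list:
    """Return the reasons a message should be escalated; an empty list means nothing matched."""
    reasons = []
    if msg.sender.strip().lower() == refang(DEFANGED_SENDER):
        reasons.append("sender matches BadBlood indicator")
    if msg.subject.strip() == LURE_SUBJECT:
        reasons.append("subject matches BadBlood lure")
    ioc_host = refang(DEFANGED_DOMAIN)
    for url in msg.urls:
        host = host_of(url)
        if host == ioc_host or host.endswith("." + ioc_host):
            reasons.append(f"URL host {host} matches BadBlood indicator")
        elif is_brand_lookalike(host):
            reasons.append(f"URL host {host} is a Microsoft/OneDrive lookalike")
    return reasons


# Constructed sample records (not taken from the report): one message that
# matches the campaign as described, one benign OneDrive share.
SAMPLE_MESSAGES = [
    Email(
        "zajfman.daniel@gmail.com",
        "Nuclear weapons at a glance: Israel",
        ["https://1drv.casa/share/CBP-9075.pdf"],
    ),
    Email(
        "colleague@example.org",
        "Lab meeting notes",
        ["https://onedrive.live.com/redir?resid=EXAMPLE"],
    ),
]

if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        print(message.sender, "->", triage(message) or ["clean"])
```

Matching the refanged sender and subject exactly catches only this campaign; the lookalike check is what carries over to the next one, which is why it sits beside the indicator match rather than replacing it.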
Other Links to Charming Kitten
In addition to the tactics used in the campaign, researchers said there is other evidence that Charming Kitten is behind the attacks.
The Proofpoint team identified domains other than the one used directly in the attack that they attribute to the group “with high confidence based on network infrastructure components, campaign timing, and similarity in lure documents,” researchers wrote in the report.
The lure documents delivered at the end of the attack chain also share similar national-security themes that are characteristic of the group’s attacks, they added.
“While researchers were not able to directly correlate all of these domains with phishing campaigns, we judge this activity to be consistent with the BadBlood campaign,” Miller and the Proofpoint team wrote.