The Iran-based hacking group Charming Kitten has resurfaced with a new campaign that uses fake interview requests to lure public figures into phishing attacks and steal their email-account credentials.
In a report released Wednesday as a blog post, security researchers at Certfa Lab said they discovered the Iranian APT group targeting public figures such as political and human-rights activists with new attacks aimed at stealing their email credentials and gathering information about their contacts and networks.
Certfa, which has been tracking the group since 2018, also observed Charming Kitten in the process of developing malware for Windows machines, though it is not yet known whom it will target or how broad its scope will be, researchers wrote.
“Our research indicates the Charming Kitten is still trying to target private and government institutions, think tanks and academic institutions, organizations with ties to the Baha’i community, and many others in European countries, the United States, United Kingdom, Saudi Arabia, to extract information from them,” they wrote in the report.
The Iranian group, which goes by a number of names including APT35, Ajax Security Team, NewsBeef, Newscaster and Phosphorus, is known for politically motivated, socially engineered attacks and often uses phishing as its attack vector.
Security researchers from Microsoft and ClearSky most recently reported, respectively, that the group was trying to break into email accounts tied to the Trump 2020 re-election campaign and that it was ramping up these efforts with new spearphishing tactics.
The latest campaign has several stages, the first of which shows Charming Kitten posing as a former Wall Street Journal journalist and emailing a victim to ask for an interview in an effort to gain trust.
This type of campaign is typical of the APT group, researchers wrote: it often tries to trick targets by tying its phishing emails to current or political events, or to groups that will interest the victim.
“In one of the cases, the hackers forged the New York Times journalist Farnaz Fassihi’s identity as a Wall Street Journal reporter, where she used to work, to send interview request emails to victims and guide them to their phishing websites,” researchers wrote in the report.
These initial emails include links that appear legitimate—such as those to social media, WSJ or Dow Jones websites—in a shortened-URL format. In reality, when the victim clicks on them, the hackers collect basic information about the victim’s device such as its IP address, operating system and browser, researchers wrote. “This is a common method of gathering information by hackers in order to prepare for the main attacks based on the victims’ devices,” they said.
Once trust is established, hackers send their victim an exclusive link as a file that contains the interview questions. In the case Certfa observed, the link was hosted on Google Sites in “a relatively new tactic” that hackers have begun using in the past year so targets trust the destination domain, as well as to “evade spam detections,” according to researchers.
Once a victim clicks the download button on the malicious Google Sites page, the campaign directs the target to another fake page on a two-step-checkup[.]site domain. In this step, phishing kits such as Modlishka request the victim’s email login details, including the password and the two-factor authentication code, researchers said.
Beyond the choice of target and the style of the campaign, this use of phishing kits and the “two-step-checkup[.]site” method of managing and sending HTTP requests are also hallmarks of a Charming Kitten-style attack, according to Certfa, which has observed the Iranian group using these tactics in previous activity.
The latter technique in particular is designed so the hackers can avoid detection, researchers wrote.
“In this technique, if sent requests to the host server of the phishing kit are denied, the user is directed to a legitimate website like Google, Yahoo!, or Outlook by ‘301 Moved Permanently’ and ‘Found redirect 302’ responses,” researchers wrote in their report. “As a result, this method makes it harder for different pages and sections of phishing websites to be exposed to the public.”
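The lure chain described above (short link, then Google Sites page, then the kit’s domain) and the deny-and-redirect behaviour quoted from the report both leave traces in web-proxy logs. The following is an added example, not code from the Certfa report: the log format, the shortener and webmail host lists, and every address except the two-step-checkup.site domain named in the report are constructed.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample web-proxy log (client, method, URL, status, Location or "-"). The
# two-step-checkup.site domain is the one named in the Certfa report; all else is made up.
SAMPLE_LOG = """\
10.0.0.5 GET https://bit.ly/x7q2 302 https://sites.google.com/view/interview-questions
10.0.0.5 GET https://sites.google.com/view/interview-questions 200 -
10.0.0.5 GET https://two-step-checkup.site/download 200 -
10.0.0.9 GET https://two-step-checkup.site/login 301 https://accounts.google.com/
10.0.0.7 GET https://unknown-host.example/go 302 https://login.yahoo.com/
10.0.0.8 GET https://bit.ly/benign 302 https://accounts.google.com/
"""
WEBMAIL_LOGINS = {"accounts.google.com", "login.yahoo.com", "login.live.com", "outlook.live.com"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}        # assumed list of common URL shorteners
KNOWN_REDIRECTORS = SHORTENERS | {"www.google.com"}    # assumed: hosts that may legitimately 3xx to webmail

def host(url):
    return (urlparse(url).hostname or "").lower()

def parse_log(text):
    rows = (line.split() for line in text.splitlines())
    return [{"client": c, "url": u, "status": int(s), "location": None if loc == "-" else loc}
            for c, _method, u, s, loc in rows]

def cloaking_redirects(entries):
    """Heuristic 1: a non-allowlisted host answering 301/302 with a Location on a webmail login."""
    return [e["url"] for e in entries
            if e["status"] in (301, 302) and e["location"]
            and host(e["location"]) in WEBMAIL_LOGINS
            and host(e["url"]) not in KNOWN_REDIRECTORS]

def lure_chains(entries):
    """Heuristic 2: per client, shortener -> Google Sites page -> a host not seen before."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[e["client"]].append(host(e["url"]))
    hits = []
    for client, hosts in by_client.items():
        stage, seen = 0, set()
        for h in hosts:
            if stage == 0 and h in SHORTENERS:
                stage = 1
            elif stage == 1 and h == "sites.google.com":
                stage = 2
            elif stage == 2 and h not in seen:
                hits.append((client, h))
                stage = 0
            seen.add(h)
    return hits
```

Both heuristics are starting points for triage rather than blocking rules: the first is blind to a kit that redirects to a non-webmail site, and the second depends on the shortener list being current.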