Iran-Linked ‘Charming Kitten’ Touts New Spearphishing Tactics

charming kitten iran phishing apt

A campaign first observed last year has ramped up its attack methods and appears to be linked to activity targeting President Trump’s 2020 re-election campaign.

An Iran-linked advanced persistent threat (APT) group tied to attacks on President Trump’s 2020 re-election campaign has added new spearphishing techniques to its arsenal in an apparent ramp-up in operations.

Charming Kitten—which goes by a number of names, including APT35, Ajax Security Team, NewsBeef, Newscaster and Phosphorus—has escalated its volume of phishing attempts as well as added four new impersonation vectors to its campaign, according to a new report by ClearSky Cyber Security.

Security researchers an earlier phase of this Charming Kitten campaign in October 2018, with attacks tailored to elude two-factor authentication to compromise email accounts and start monitoring communications.

Now ClearSky said there are a number of factors that point to the APT’s new methods being a part of the same attacks Microsoft recently observed against e-mail accounts that were later linked to President Trump’s 2020 campaign.

“We evaluate in a medium-high level of confidence, that Microsoft’s discovery and our findings in our previous and existing reports is a congruent operation,” according to the report.

Researchers cited three observations that link the APT group’s actvitites separately observed by both Microsoft and ClearSky. In both cases, the victims were people of interest to Iran in the fields of academic research, human rights and opposition to the Islamic Republic’s regime.

The escalation of attacks also occurred in the same time frame—July to August 2019—that Microsoft identified attacks on email accounts. Specifically, Microsoft researchers reported that a group they called Phosphorus made more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers, and then trying to attack 241 of those accounts.

Additionally, both instances the companies observed separately showed similar attack vectors, according to ClearSky. Those vectors include password-recovery impersonation of the secondary email belonging to the victims; spearphishing emails targeting Microsoft, Google and Yahoo services; and a spearphishing attack via SMS messages.

That last vector indicates that Charming Kitten is gathering phone numbers of the relevant victims to use them in attacks, something Microsoft also noted in its observations.

In addition to these similiarities, ClearSky observed four new aspects to the Charming Kitten campaign that show attackers using more sophisticated impersonation tactics to trick users into disclosing information the bad actors can later use to their advantage.

The first is an impersonation vector a potential victim will receive with an email with a link to Google Sites from an acquaintance, tempting them to download a malicious file so attackers can collect Google credentials, researchers said.

The second new tactic sends an SMS message to a victim that uses a Sender ID of “Live Recover” and contains an alert about a stranger who has attempted to compromise the victim’s email. The message asks for victim verification through an attached malicious link, researchers said.

The third new attack vector shows the attackers trying to present “a sham show” about a North Korean attacker who has attempted to compromise the victim’s Yahoo mail, asking the victim to tap a malicious button to secure his or her account, researchers said.

The fourth new method observed by researchers escalates impersonation efforts in a way the APT group hadn’t used before, they said. In this vector, attackers impersonate security teams of social networks such as Instagram, Facebook and Twitter in attempts to get key authentication factors from the victims, according to ClearSky.

What are the top cybersecurity issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.

Suggested articles