Iranian Hackers Target Journalists in New Phishing Campaign
The Iran-linked threat group know as “Charming Kitten” has been targeting journalists, political and human rights activists in a new campaign aimed at stealing email account credentials, Certfa Lab reports.
Also known as APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus, the adversary has been active since at least 2011, targeting journalists and activists in the Middle East, as well as organizations in the United States, and entities in the U.K., Israel, Iraq, and Saudi Arabia.
The newly detailed phishing attack, Certfa Lab says, is related to previously observed activity targeting a U.S. presidential candidate, government officials, media targets, and prominent expatriate Iranians, where the hackers employed an updated spear phishing technique.
Charming Kitten’s new activity indicates that the hacking group continues to target private and government institutions, think tanks, academics, organizations with ties to the Baha’i community, and others from Europe, the United States, and Saudi Arabia, Certfa Lab noted in a blog post.
As part of the campaign, the threat actor created a fake account impersonating New York Times journalist Farnaz Fassihi (former Wall Street Journal (WSJ) journalist), to send fake interview invitations to victims and trick them into accessing phishing websites.
The phishing emails contained shortened URLs in the footnotes (social media links, WSJ and Dow Jones websites), which allow hackers to guide victims to legitimate sites while gathering basic information on their devices (IP address, operating system, and browser).
Next, the attackers send a link to a file containing interview questions, which is hosted on Google Sites, to avoid raising suspicion and evade the spam detections. From the Google Site page, the victim is then taken to a phishing page at two-step-checkup[.]site, where they are asked for login credentials, including two factor authentication (2FA) codes.
In these attacks, the threat actor also used pdfReader.exe, an unsophisticated backdoor that achieves persistence through modified Windows Firewall and Registry settings. Designed to gather victim device data, the malware shows a close relation between its developer and the campaign’s operators.
Analysis of the phishing websites used in these attacks reveal the use of servers previously associated with other Charming Kitten phishing attacks. The method of managing and sending HTTP requests is further evidence that Charming Kitten is behind the operation.
“This new series of phishing attacks by the Charming Kitten are in line with previous activities seen from their group. For example, we identified similar settings for the servers used in this attack with their previous campaigns. The Charming Kitten used Google Sites for their phishing attack, and Certfa believes that they work on the development of a series of malware for their future phishing attack campaign,” Certfa Lab concludes.
SecurityWeek has contacted Certfa Labs for additional details on the campaign but had heard back by the time of publishing.