Iranian APT Group Revived Phishing Activities Over Holidays
The group started the new round of attacks at a time when most companies, offices, organizations, etc. were either closed or half-closed during Christmas holidays and, as a result, their technical support and IT departments were not able to immediately review, identify, and neutralize these cyber incidents," the Certfa Lab report notes. "Charming Kitten has taken full advantage of this timing to execute its new campaign to maximum effect."
Charming Kitten, also known as APT35, Phosphorous and Ajax, is one of Iran's top state-sponsored hacking groups. It has been targeting a range of victims and carrying out various cyberespionage campaigns since at least 2013
SMS and Email Messages
The most recent Charming Kitten campaign used SMS messages and phishing emails to deliver malicious links to its targets, according to the report.
In the SMS campaign, the hacking group sent the victims a "Google Account Recovery" message with a malicious phishing link requesting that the targeted victims click the URL to confirm their identity.
"The most important point in this method is the structure of the link in the SMS that seems legitimate: 'hxxps://www.google[.]com/url?q=script.google.com/xxxx,'" the report notes. "At first glance, these links generally cause less suspicion for the targets. After opening the links and several redirections, the victims are led to final phishing domains such as 'mobile[.]recover-session-service[.]site' etc."
"The use of SMS phishing is no surprise and highlights the breadth of social engineering tactics used by threat actors," Dr. Jamie Collier, intelligence analyst at Mandiant Threat Intelligence Security, says. "For many years, Iranian groups have also employed fake social media personas to collect information on individuals and distribute malicious links. It is therefore imperative for security teams to implement security policies and user education programs that account for a wide range of social engineering tactics."
In the case of the email campaign, the researchers note the threat actors used multiple messages and subject lines as lures. For instance, in one case, the attackers sent messages related to New Year's greetings with a malicious URL. When the victims failed to click the link, the attackers sent different emails on topics related to Iranian and Israeli politics.
When the victims clicked these malicious links, they were directed to a fake domain with a login page that attempted to steal the targets' Microsoft Outlook, Gmail or Yahoo credentials, the report notes.
Other Attacks
In August 2020, security researchers at ClearSky Cyber Security found the Charming Kitten group was using LinkedIn and WhatsApp messages to contact potential victims to build trust and persuade them to visit a phishing page
In July 2020, Charming Kitten accidentally exposed videos related to the group's hacking and training activities. These videos detailed the group's spear-phishing campaigns against U.S. Navy and State Department personnel
Cablelinenetwork
Follow more hacking news on our website: www.glennstechworld.com/
Sponsored by: GET NORDVPN: go.nordvpn.net/aff_c?offer_id=288&aff_id=41380&url… USE COUPON CODE:
cablelinenetwork USE THE CODE SO YOU CAN GET 70% off 3-year plan + 1 month free
Iranian APT Group Revived Phishing Activities Over Holidays
The group started the new round of attacks at a time when most companies, offices, organizations, etc. were either closed or half-closed during Christmas holidays and, as a result, their technical support and IT departments were not able to immediately review, identify, and neutralize these cyber incidents," the Certfa Lab report notes. "Charming Kitten has taken full advantage of this timing to execute its new campaign to maximum effect."
Charming Kitten, also known as APT35, Phosphorous and Ajax, is one of Iran's top state-sponsored hacking groups. It has been targeting a range of victims and carrying out various cyberespionage campaigns since at least 2013
SMS and Email Messages
The most recent Charming Kitten campaign used SMS messages and phishing emails to deliver malicious links to its targets, according to the report.
In the SMS campaign, the hacking group sent the victims a "Google Account Recovery" message with a malicious phishing link requesting that the targeted victims click the URL to confirm their identity.
"The most important point in this method is the structure of the link in the SMS that seems legitimate: 'hxxps://www.google[.]com/url?q=script.google.com/xxxx,'" the report notes. "At first glance, these links generally cause less suspicion for the targets. After opening the links and several redirections, the victims are led to final phishing domains such as 'mobile[.]recover-session-service[.]site' etc."
"The use of SMS phishing is no surprise and highlights the breadth of social engineering tactics used by threat actors," Dr. Jamie Collier, intelligence analyst at Mandiant Threat Intelligence Security, says. "For many years, Iranian groups have also employed fake social media personas to collect information on individuals and distribute malicious links. It is therefore imperative for security teams to implement security policies and user education programs that account for a wide range of social engineering tactics."
In the case of the email campaign, the researchers note the threat actors used multiple messages and subject lines as lures. For instance, in one case, the attackers sent messages related to New Year's greetings with a malicious URL. When the victims failed to click the link, the attackers sent different emails on topics related to Iranian and Israeli politics.
When the victims clicked these malicious links, they were directed to a fake domain with a login page that attempted to steal the targets' Microsoft Outlook, Gmail or Yahoo credentials, the report notes.
Other Attacks
In August 2020, security researchers at ClearSky Cyber Security found the Charming Kitten group was using LinkedIn and WhatsApp messages to contact potential victims to build trust and persuade them to visit a phishing page
In July 2020, Charming Kitten accidentally exposed videos related to the group's hacking and training activities. These videos detailed the group's spear-phishing campaigns against U.S. Navy and State Department personnel
4 years ago | [YT] | 4