Busting Charming Kitten Secrets - Common TTPs and Recent Changes

What has been revealed?

• The six subgroups are identified as PHOSPHORUS (being the largest), APT42 (aka Yellow Garuda), NemesisKitten, Tortoiseshell (aka TA453), APT35, TA455 (aka Yellow DEV13), and ImperialKitten.
• All these subgroups have similar targeting preferences, which include academics, diplomates, human rights workers, policymakers, and researchers having domain expertise in the Middle East.
• For a change, some recent campaigns have targeted travel agencies, medical researchers, a realtor, and aerospace engineers, among others.

Common attack methods

• The Charming Kitten cluster registers fake email accounts that thematically match their targets. The cluster also prefers to include web beacons in its email campaigns. 
• To initiate the attack, the group prefers having a genuine conversation with the target; a tactic used in over 60 campaigns. 
• The group mostly uses credential-harvesting links that aim at obtaining access to the inbox and its contents.
• For some attacks, the subgroups waited for several weeks of genuine conversations before delivering the malicious links, while some delivered them immediately in the first email.

New tactics adopted

• In several cases, instead of using its typical pattern of actor-controlled accounts, the TA453 was observed using genuine (compromised) accounts to send emails. 
• It was further observed using URL shorteners bnt2[.]live and nco2[.]live, which are operated and controlled by the group itself.
• The cluster was observed using GhostEcho (CharmPower), a PowerShell backdoor, to target several diplomatic missions across Tehran.
• Furthermore, TA453 leveraged the persona Samantha Wolf while spreading social engineering lures, including car accidents and other complaints to the U.S. and European politicians and government agencies, a Middle Eastern energy company, and a U.S.-based academic.

Ending notes