Charming Kitten, also referred to as Phosphorous and UNC788, is an Iran-based threat actor group that has been active since 2012. It is one of the most active and persistent threat actors and primarily relies on impersonating log-in pages of legitimate webmail services to collect credentials from its targets. Despite being consistent for over a decade, the group also has a history of operational security (OpSec) errors that disclosed its tactics, techniques, and procedures (TTPs), including the malware the group uses to expand its toolset.
What’s the new discovery?
Errors in OpSec enabled researchers to discover multiple new tools that were used by Charming Kitten in late 2021. One of these tools is used to grab data from targeted Telegram accounts.
Researchers also found that the threat actors had used tactics of a now-defunct cybercriminal group—Iran’s Islamic Revolutionary Guard Corps (IRGC)—to conduct a surveillance operation in 2021.
Besides these, the group has also been found using macro-enabled Word document template files to spread malware since March 2022, a new TTP not previously associated with Charming Kitten.
About the Telegram grabber tool
Researchers claim that the capabilities of the new Telegram grabber tool overlap with those of PINEFLOWER, an Android malware used by Charming Kitten.
It has been used against some domestic targets in 2021 to obtain specific access to Telegram messages and contacts.
It is written in C++ and uses the open-source Telegram Database Library (TDLib). The tool has been designed to exfiltrate information such as messages, associated media, and contact data from victims’ Telegram accounts.
The tool has options to view the password hint and send an access code via the victim’s recovery email address. This enables the attackers to gain unauthorized access to a Telegram account and proceed further.
The exfiltrated data is stored within a SQLite database and in JSON format.
Macro-enabled Word document templates
Between January and March, the attackers were observed using macro-enabled Word document template files to drop malicious payloads.
This was the first time that the attackers were found using remote template injection as part of their attack sequence.
The document lures covered a variety of themes in nuclear energy and weapons related to Turkey, U.S. shipping ports, and Iran’s relationship with the Taliban.
Many of these lures used material sourced from legitimate news and media sites.
Once these malicious macros were enabled, they caused the download of the PowerShell backdoor named CharmPower.
Charming Kitten continues to add new tools to its arsenal. With the discovery of new tactics, researchers highlight that the attackers have made efforts to stage various parts of the infection chain remotely.
For more detailed information on attackers’ techniques and mitigation measures, organizations can refer to the MITRE ATT&CK framework.