
Charming Kitten Uses BASICSTAR Against Middle East Policy Experts

The Iran-origin hacking group Charming Kitten has been linked to a series of attacks against Middle East policy experts. The attacks used a fake webinar portal to trick victims into deploying new malware, including BASICSTAR and KORKULOADER. This is not the first time the group has added a new malware family to its arsenal; it previously introduced the BellaCiao and Sponsor backdoors.

What happened?

  • As part of the attacks, the attackers posed as policy experts of the Rasanah International Institute for Iranian Studies to build trust with their targets.
  • The phishing emails invited the recipients to join a fake webinar by clicking on a link. Clicking the link downloaded BASICSTAR onto the recipient's system.
  • In some cases, WhatsApp and Signal phone numbers under the control of attackers were also offered as alternative methods for contact.

Interestingly, Charming Kitten tailored its attacks to serve different backdoors depending on the operating system of the targeted machines. While Windows users were targeted with the POWERLESS backdoor, Apple macOS users were infected with NokNok malware via a malware-laced VPN application.

Capabilities of BASICSTAR

  • BASICSTAR is capable of gathering basic system information, remotely executing commands relayed from a C2 server, and downloading and displaying a decoy PDF file.
  • The latest version is written in Visual Basic Script and includes a module that gathers an extensive set of information, such as installed antivirus and software products, and details about the machine's BIOS, hardware, and manufacturer.
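The behaviours listed above (a VBScript payload, host reconnaissance, command execution on behalf of a C2 server, and a decoy PDF) are the kind a defender can look for in process-creation telemetry without knowing any sample-specific indicator. The following script is an added example, not code from the original article or from Volexity, and not a detection for BASICSTAR specifically: it scores Windows script-host processes (wscript.exe / cscript.exe) by generic signals, such as a script launched from a user-writable path, reconnaissance child processes, and a document viewer opening a PDF from a temp directory. The log format, field names, process names and thresholds are assumptions, and the log lines are constructed.

```python
"""Heuristic triage of process-creation events for script-host tradecraft.

Added example. The line format ("<ts> host=.. pid=.. ppid=.. image=.. cmd=.."),
the field names and the scoring thresholds are assumptions for illustration,
not a product schema or a published rule. All log lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: one fake infection chain on WS01 and one
# benign IT inventory script on WS02 (used to show the rule does not fire on it).
SAMPLE_LOG = """\
2024-02-01T09:00:01Z host=WS01 pid=4100 ppid=3300 image=C:\\Windows\\explorer.exe cmd="explorer.exe"
2024-02-01T09:00:05Z host=WS01 pid=4120 ppid=4100 image=C:\\Windows\\System32\\wscript.exe cmd="wscript.exe C:\\Users\\a\\Downloads\\webinar_invite.vbs"
2024-02-01T09:00:06Z host=WS01 pid=4131 ppid=4120 image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c systeminfo"
2024-02-01T09:00:07Z host=WS01 pid=4132 ppid=4120 image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic bios get serialnumber,manufacturer"
2024-02-01T09:00:09Z host=WS01 pid=4140 ppid=4120 image=C:\\Program Files\\Reader\\AcroRd32.exe cmd="AcroRd32.exe C:\\Users\\a\\AppData\\Local\\Temp\\agenda.pdf"
2024-02-01T09:05:00Z host=WS02 pid=5100 ppid=5000 image=C:\\Windows\\System32\\wscript.exe cmd="wscript.exe C:\\ProgramData\\IT\\inventory.vbs"
2024-02-01T09:05:01Z host=WS02 pid=5101 ppid=5100 image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c systeminfo"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
    r'image=(?P<image>.+?) cmd="(?P<cmd>.*)"$'
)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed user-writable locations a phishing download would land in.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData)\\|\\Temp\\", re.IGNORECASE)
# Assumed host-reconnaissance commands (system, BIOS/hardware, process, network info).
RECON_CMDS = re.compile(r"\b(systeminfo|wmic|tasklist|reg query|ipconfig)\b", re.IGNORECASE)
# Assumed document viewers that a decoy PDF would be opened with.
DOC_VIEWERS = {"acrord32.exe", "msedge.exe", "chrome.exe"}


def parse_events(text):
    """Parse constructed log lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["pid"] = int(ev["pid"])
        ev["ppid"] = int(ev["ppid"])
        ev["basename"] = ev["image"].rsplit("\\", 1)[-1].lower()
        events.append(ev)
    return events


def score_script_hosts(events, threshold=3):
    """Score each script-host process by its launch path and child processes.

    Returns a list of findings (host, pid, score, reasons) at or above threshold.
    """
    children = defaultdict(list)
    for ev in events:
        children[(ev["host"], ev["ppid"])].append(ev)

    findings = []
    for ev in events:
        if ev["basename"] not in SCRIPT_HOSTS:
            continue
        score, reasons = 0, []
        if USER_WRITABLE.search(ev["cmd"]):
            score += 1
            reasons.append("script launched from user-writable path")
        for child in children[(ev["host"], ev["pid"])]:
            if RECON_CMDS.search(child["cmd"]):
                score += 1
                reasons.append("recon child: " + child["cmd"])
            elif child["basename"] in DOC_VIEWERS and child["cmd"].lower().endswith(".pdf"):
                score += 1
                reasons.append("possible decoy document: " + child["cmd"])
        if score >= threshold:
            findings.append({"host": ev["host"], "pid": ev["pid"],
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in score_script_hosts(parse_events(SAMPLE_LOG)):
        print(f"{f['host']} pid={f['pid']} score={f['score']}")
        for r in f["reasons"]:
            print("  -", r)
```

On the constructed sample, only the WS01 chain is reported (score 4: Downloads path, systeminfo, wmic, and a PDF opened from Temp); the WS02 inventory script runs from ProgramData with a single recon child and stays below the threshold. The point of the scoring is that no single signal is suspicious on its own, so the rule keys on the combination the article describes rather than on any one process name.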

Conclusion

For those targeted by Charming Kitten, it is crucial to understand the group’s evolving tactics and techniques. Related indicators and YARA rules for detecting and investigating these attacks can be downloaded from the Volexity GitHub page.
Publisher: Cyware