Charming Kittens APT Group Targets Security Researchers From the US and the Middle East

• The primary targets include researchers from the US, Middle East, and France.
• The impersonation methods used in this new campaign include four different techniques such as spear-phishing emails with a link to Google Sites, Smishing, Login attempt alert message, and Social networking impersonation.

What is the issue?

Researchers from ClearSky have found that the Iran-linked cyber-espionage group ‘Charming Kittens’ which previously targeted the U.S. presidential campaign, is also targeting security analysts who have exposed the group’s operations.

Who are the targets?

Charming Kittens, also known as APT35, Ajax, and Phosphorus is targeting individuals of interest to Iran in the fields of academic research, human rights, and journalists. The primary targets include researchers from the US, Middle East, and France.

Modus Operandi

Researchers noted that the group has employed three different spear-phishing methods in this new campaign. The three methods include:

• Social media impersonation
• Spear-phishing using social engineering
• Sear-phishing via SMS messages.

The impersonation method includes four different techniques such as spear-phishing emails with a link to Google Sites, Smishing, Login attempt alert message, and Social networking impersonation.

Emails with a link to Google Sites

The first impersonation technique used in this campaign includes a message with a link pretending to arrive from Google Drive or from a fellow researcher. Once the recipients click on the link to download a file located at the Google Sites, the victim's Google credentials are harvested.

Smishing

The second impersonation technique is Smishing, where an SMS message is sent to the target which uses a Sender ID of 'Live Recover'. The message contains an alert about a compromise attempt and requests the target to verify it through an attached link. Upon clicking on the link, the victims are redirected to an address shortening service where their credentials are harvested.

Login attempt alert message

The third technique employs a fake unauthorized login attempt alert message which claims that a person from North Korea has attempted to compromise the victim’s Yahoo email account. The message then urges the victim to secure his/her account.

Social networking impersonation

The final technique includes social networking impersonation. In this method, the group has created additional phishing sites pretending to be Instagram, Facebook, and Twitter accounts.

Researchers noted that one of the sites of the infrastructure included an open directory at port 80 which contained files relevant for the deployment of different phishing sites.

“As a part of our monitoring of suspicious activity, we have discovered this week that the group has built additional phishing sites, pretending to be not only Instagram but also Facebook and Twitter. In one of the sites of the infrastructure, discovered by us, w3-schools[.]org, we have found an open directory at port 80 which contains files relevant for the deployment of different phishing sites,” researchers said.