If you have received an email from “Samantha Wolf” - you have become a target of a not-so-charming cyberespionage campaign by Charming Kitten, also known as TA453, APT42, and Phosphorus. Proofpoint discovered that the threat actor has widened its target to include government officials, politicians, medical researchers, and critical infrastructure.

Diving into details

Since 2020, Charming Kitten has been conducting campaigns that are different from its usual techniques and victimology, including malware, compromised credentials, and confrontational lures. 
  • Proofpoint tracked six subgroups of APT42 differentiated mainly by infrastructure, victimology, and techniques. The researchers observed at least 60 campaigns this year, which relied on benign conversations to initiate contact with targets.
  • While some of the subgroups wait for weeks before sending the malicious links, some deliver the links immediately. 

A look into the techniques 

The lures by attackers primarily include car accidents and general complaint themes to European and U.S. government entities and politicians, a U.S.-based academic, and a Middle Eastern energy firm.
  • A Charming Kitten subgroup leveraged compromised credentials to target people instead of using actor-controlled accounts. 
  • However, the group operated actor-controlled URL shorteners, which redirected to the usual APT42 credential harvesting pages. 
  • Throughout the fall of 2021, the threat actors delivered the PowerShell backdoor GhostEcho to a multitude of diplomatic missions across Tehran.
  • Also known as CharmPower, the malware is the first-stage loader for further cyberespionage activities.
  • In the confrontational social engineering lures category, Charming Kitten has been using the persona 'Samantha Wolf' to get the target to respond by playing on their sense of uncertainty and fear. 

Latest TA453 campaigns

  • Just a few days back, Human Rights Watch and Amnesty International’s Security Lab published a report stating that Charming Kitten has been targeting Middle East-based politicians, journalists, researchers, academics, diplomats, and human rights activists. The threat actor delivered the phishing link via WhatsApp, which led to fake login pages mimicking Yahoo, Facebook, and Google login pages. 
  • In another September campaign, APT42 came up with a new phishing tactic dubbed Multi-Persona Impersonation (MPI). The technique used the ‘psychological principle of social proof’ to add a layer of authenticity to lure targets easier.

The bottom line

Charming Kitten is another APT involved in cyberespionage campaigns, which is constantly upgrading its tools, techniques, and procedures. Just as the attack surface is expanding, the gang is expanding and changing its priorities too. Proofpoint surmises that these campaigns will continue into the future, leading to more hostile and kinetic operations.
Cyware Publisher