Ten Years Top: Charming Kitten's Tale of Cybercrime
Research and Analysis • Jun 16, 2023
We use cookies to improve your experience. Do you accept?
Research and Analysis • Jun 16, 2023
Origin: 2014
Aliases: Newscaster, Parastoo, iKittens, Group 83, NewsBeef, G0058, APT35, PHOSPHORUS, Yellow Garuda, TA453, UNC788, ITG18
Key Target Sectors: Government, Defense, Technology, Military, and Diplomacy
Attack Vectors: Spearphishing, Luring, Social Engineering
Attack Region: North America, Eastern Europe, and the Middle East
Malware Used: BellaCiao, GhostEcho, Hyperscraper, PowerLess, LittleLooter, StoneDrill, MacDownloader
Vulnerabilities Exploited: CVE-2021-44228, Log4Shell (CVE-2021-45046), CVE-2022-47966, CVE-2022-47986, PaperCut bug
Tools Used: BitLocker, DiskCryptor, Fast Reverse Proxy (FRP)
Charming Kitten (aka APT35) is an Iran-based APT group engaged in both credential theft and cyberespionage operations. This group has alleged ties to Islamic Revolutionary Guard Corps (IRGC) that undertakes persistent espionage operations to surveil Iranians and foreign citizens who have strategic value aligned with their geopolitical motives. Operational since 2014, the threat group mostly targets individuals, academics, journalists, activists, think tankers, military and government, institutes, and organizations in the U.S., Europe, and the Middle East.
In 2019, when APT35’s attacks were rampant and it was named behind multiple attacks aimed at several academic institutions in the U.S., France, and the Middle East region, Microsoft took over its infrastructure including 99 domains the attackers used in their malicious campaigns. However, it did not completely break them.
In 2022 alone, researchers claimed to have documented more than 60 campaigns carried out on behalf of the group. Proofpoint, in a report, pointed at six subgroups of Charming Kitten identified and characterized by their infrastructure, victims targeted, and techniques. These were PHOSPHORUS (being the largest), APT42 (aka Yellow Garuda), NemesisKitten, Tortoiseshell (aka TA453), APT35, TA455 (aka Yellow DEV13), and ImperialKitten.
Charming Kitten is infamous for its phishing techniques. It primarily uses spear-phishing emails with different lures in its espionage operations. The group mainly either uses well-known people’s compromised online accounts or impersonates them, or creates fictitious personalities. Additionally, their social engineering tactics are generally sophisticated enough to build trust with potential targets at an early stage. At times, the group has indulged in lengthy conversations with targeted users that can last for several weeks. Once a target gets convinced, the group fools them into clicking on malicious links that lead to a phishing website, such as a fake Google login page. As soon as credentials are entered, the details are captured by the attackers, providing access to the compromised accounts.
Besides, a subgroup of Charming Kitten was discovered exploiting trending vulnerabilities, such as Log4Shell, PaperCut issue, and others. More recently, in May 2023, Iranian threat groups Mint Sandstorm (aka PHOSPHORUS) and Mango Sandstorm were found targeting the CVE-2023-27350 bug in PaperCut MF/NG print management servers.
Meanwhile, a report by Microsoft revealed that Mint Sandstorm weaponized N-day flaws in enterprise apps by leveraging publicly shared POCs. It abused several vulnerabilities, including CVE-2022-47986 (IBM Aspera Faspex), CVE-2022-47966 (Zoho ManageEngine), CVE-2021-44228, and CVE-2021-45046 (Log4Shell) to target the U.S. critical infrastructure from 2021 to mid-2022.
From 2011 till May 2014, Charming Kitten used a dozen of fake personas on social networking sites and ran a wide-spanning cyberespionage operation. It was able to connect to and victimize more than 2,000 individuals across the U.S., the U.K., Saudi Arabia, and Iraq.
In December 2017, a member linked with Charming Kitten was accused of hacking HBO’s digital content. It claimed that if money was not paid, scripts of television episodes of Game of Thrones would be leaked.
In August 2018, an influence campaign targeted the U.S., the U.K., Latin America, and the Middle East. The APT35 group used a network of fake news sites and social media sites to promote anti-Saudi, anti-Israeli, and Pro-Palestine narratives.
In October 2019, the Charming Kitten employed new spear-phishing methods in a campaign targeting a U.S. presidential candidate, government officials, media persons, and prominent expatriate Iranians. Out of 241 targeted accounts, at least four were compromised.
In June 2020, the major U.S. presidential campaigns were targeted by these state-backed hackers. Charming Kitten attempted to target the personnel related to Joe Biden’s election campaign.
In March 2021, the threat group launched a credential phishing campaign, dubbed BadBlood, that was aimed at senior medical professionals specialized in genetic, neurotic, and oncology research in the U.S. and Israel.
In January 2022, the APT35 group leveraged Log4Shell (CVE-2021-44228) vulnerability to drop a PowerShell backdoor identified as GhostEcho (aka CharmPower).
In mid-2022, the threat group deployed Multi-Persona impersonation social engineering tactics to lure the targeted victims. For instance, to target an individual specialized in Middle Eastern affairs, attackers created the fake persona of Aaron Stein, the director of research at the Foreign Policy Research Institute (FPRI), and Richard Wike, director of global attitudes research at Pew Research Center.
In December 2022, the TA453 threat group was observed using a combination of malware, confrontational lures, and compromised accounts to reach a wider set of targets, including politicians, government officials, and researchers.
In April 2023, the Charming Kitten was observed using new malware, called BellaCiao, to target users located in the U.S., Turkey, India, Europe, and the Middle East. For initial intrusion, the group exploited known vulnerabilities in internet-exposed applications, including Exchange Server and Zoho ManageEngine.
Cybercriminals working with Charming Kitten have been employing a range of tools as part of their cyber operations, showcasing their adaptability and utilization of both custom-developed and publicly available resources. These encompassed new backdoors, malware loaders, browser information stealers, keyloggers, and more. Let’s have a look at some key tools used by the group affiliates:
BellaCiao (founded April 2023): It is a personalized dropper capable of delivering other malware payloads onto a victim machine, based on commands received from an actor-controlled server.
GhostEcho aka CharmPower (2021): This is a PowerShell backdoor used to deliver additional spyware to the targeted systems. It can execute additional modules and communicate with a C2 server of an attacker.
Hyperscraper (late 2021): It is a data extraction tool used for stealing emails (such as Gmail, Yahoo, and Outlook). The extraction tool is written in DotNET language and is used to target Windows machines.
PowerLess (February 2022): This is a PowerShell backdoor that supports downloading of additional payloads. These additional payloads include a keylogger and an info stealer used for the different tasks or actions.
LittleLooter (August 2021): It is a custom Android backdoor that comes with information-stealing capabilities, along with abilities to turn on/off Bluetooth, Wifi, and mobile data. It garnered attention due to its unique way of communicating with the C2 via HTTP POST request/response.
StoneDrill (2016): This is a wiper malware similar to the Shamoon2 malware and reuses code from the malware samples from the NewsBeef espionage campaign. It includes wiping modules and several advanced evasion techniques.
MacDownloader (February 2017): The malware steals credentials and other data from Mac computers. It can sniff the credentials from the macOS's built-in password manager called Keychain.
BitLocker: It is a data protection feature for the encryption of disks on systems running Windows. The threat group used setup[.]bat commands to enable BitLocker encryption that leaves hosts useless.
DiskCryptor: It is an open encryption solution that comes with the ability to encrypt all disk partitions, even the system partition. The new releases of DiskCryptor are considered a replacement for BitLocker.
Fast Reverse Proxy (FRP): It’s a tool that allows a user to expose a local server located behind a NAT or firewall to the Internet. With the FRP module, Charming Kitten intercepts the HTTP request and modifies the HTTP header values (e.g. the Host header) and HTTP body (as needed) with a script.
Charming Kitten has several connections and overlaps with various threat groups tracked with different names such as Mint Sandstorm, Cobalt Illusion, TA453, APT42, DEV-0270, ITG18, and Phosphorous.
In 2013, a former U.S. Air Force technical sergeant and a strong suspect Monica E. Witt defected to Iran to avoid criminal charges. Charming Kitten targeted Iran-focused academics, journalists, and human rights activists following Witt's defection, as reported by ClearSky in 2017.
In 2017, a hacker going by the alias Behzad Mesri (aka Sokoote Vahshat) claimed to hack HBO and steal 1.5 TB of data. Later, Vahshat was indicted for the hack.
In February 2019, a federal grand jury in the U.S. indicted Monica Witt on charges of espionage. In the same indictment, four Iranian nationals (Behzad Mesri, Mojtaba Masoumpour, Mohamad Paryar, and Hossein Parvar) were charged with different charges, for running a campaign in 2014 and 2015 that were aimed to compromise the data of former co-workers of Witt.
The Charming Kitten is a sophisticated APT group, and to combat such cyberattacks from its associates, organizations must have an in-depth, robust security strategy in place. This includes taking proactive measures such as educating all employees regarding phishing emails, making sure all security patches are installed, and limiting privileged access to only genuine users.
Conduct proactive threat-hunting exercises using a reliable threat intelligence platform to search for any signs of Charming Kitten activity within your network. The intel platform can be leveraged to take immediate action, such as updating security configurations or mitigating defensive gaps before they are exploited in the wild.
With that said, embracing such a collaborative approach not only facilitates swift information sharing around emerging threats but also enables organizations to implement proactive defense measures - all while reducing the overall response time.
Charming Kitten is continuously adding new tools to its arsenal and coming up with new tactics and techniques. The group’s activity largely reflects on organizations with geopolitical rivalry with the Iranian regime. Further, the group is increasing its interest in cyberespionage against targeted individuals. Therefore, it is very important for at-risk individuals to stay aware of such risks and act with caution when receiving unsolicited communication via email or social media. For staying safe, organizations are suggested to ingest the indicators of compromise (IOCs) provided by different security firms.
**BellaCiao **
**MD5 **
4812449f7fad62162ba8c4179d5d45d7
3fbea74b92f41809f46145f480782ef9
c450477ed9c347c4c3d7474e1f069f14
c6f394847eb3dc2587dc0c0130249337
7df50cb7d4620621c2246535dd3ef10c
e7149c402a37719168fb739c62f25585
284cdf5d2b29369f0b35f3ceb363a3d1
2daa29f965f661405e13b2a10d859b87
f56a6da833289f821dd63f902a360c31
Domain
mail-updateservice[.]info
msn-center[.].uk
msn-service[.]co
twittsupport[.]com
mailupdate[.]info
maill-support[.]com
IP address
88[.]80[.]148[.]162
PowerLess
Domain
subinfralab[.]info
deersharpfork[.]info
blackturtle.hopto[.]org
SHA256
3e1ed006e120a1afaa49f93b4156a992f8d799b1888ca6202c1098862323c308 29318f46476dc0cfd7b928a2861fea1b761496eb5d6a26040e481c3bd655051a 13bab4e32cd6365dba40424d20525cb84b4c6d71d3c5088fe94a6cfe07573e8e 6e842691116c188b823b7692181a428e9255af3516857b9f2eebdeca4638e96e bc8f075c1b3fa54f1d9f4ac622258f3e8a484714521d89aa170246ce04701441 706510916cfc7624ec5d9f9598c95570d48fa8601eecbbae307e0af7618d1460
e5ba06943abb666f69f757fcd591dd1cceb66cad698fb894d9bc8911282198c4 97a615e69c38db9dffda6be7c11dd27547ce4036a4998a1469fa81b548c6f0b0 e5016dfeae584de20a90f1bef073c862028f410d5b0ae4c074a696b8f8528037 5704bc31061c7ca675bb9d56b9b56a175bf949accf6542999b3a7305af485906 4fcde8ec5983cf1465ff7dbcd7d90fcd47d666b0b8352db1dcd311084ed1b3e8 7cc9d887d47f99ca37d2fee6171067df70b4417e96fdb661b9fef697124444cc bdb2a12f2f84c3742240b8b9e1d6638a73c6b8752aff476051fe33a0bb408010 5d216f5625caf92d224200647147d27bb79e1cff6c8a9fbcac63f321f6bbf02b 62d0b8b5d4281ce107c43d36f222680b0cc85844b8973b645095ccdfb128454d
1672a14a3e54a127493a2b8257599c5582204846a78521b139b074155003cba4 0f4d309f0145324a6867108bb04a8d5d292e7939223d6d63f44e21a1ce45ce4e
737cb075ba0b5ed6d8901dcd798eecff0bc8585091bc232c54f92df7f9e9e817 cd813d56cf9f2201a2fa69e77fb9acaaa37e64183c708de64cb5cb7c3035a184 c0de9b90a0ac591147d62864264bf00b6ec17c55f7095fdf58923085fe502400 59a4b11b9fb93e3de7c27c25258cec43de38f86f37d88615687ab8402e4ae51e
Hyperscraper
C2s
136[.]243[.]108[.]14
173[.]209[.]51[.]54
HYPERSCRAPE binaries
03d0e7ad4c12273a42e4c95d854408b98b0cf5ecf5f8c5ce05b24729b6f4e369
35a485972282b7e0e8e3a7a9cbf86ad93856378fd96cc8e230be5099c4b89208
5afc59cd2b39f988733eba427c8cf6e48bd2e9dc3d48a4db550655efe0dca798
6dc0600de00ba6574488472d5c48aa2a7b23a74ff1378d8aee6a93ea0ee7364f
767bd025c8e7d36f64dbd636ce0f29e873d1e3ca415d5ad49053a68918fe89f4
977f0053690684eb509da27d5eec2a560311c084a4a133191ef387e110e8b85f
ac8e59e8abeacf0885b451833726be3e8e2d9c88d21f27b16ebe00f00c1409e6
cd2ba296828660ecd07a36e8931b851dda0802069ed926b3161745aae9aa6daa
Microsoft Live DLL
1a831a79a932edd0398f46336712eff90ebb5164a189ef38c4dacc64ba84fe23
Cobalt Mirage
Domain names
newdesk[.]top
onedriver-srv[.]ml
symantecserver[.]co
microsoft-updateserver[.]cf
msupdate[.]us
service-management[.]tk
aptmirror[.]eu
winstore[.]us
my-logford[.]ml
update[.]us
tcp443[.]org
Email addresses
amirbitminer[@]gmail[.]com
thund3rz[@]protonmail[.]com
IP addresses
107[.]173[.]231[.]114
198[.]12[.]65[.]175
Filename
wininet[.]xml
wininet[.]bat
dllhost[.]exe
pxy[.]rar
pxy[.]zip
SynchronizeTimeZone[.]xml
audio[.]exe
nvContainerRecovery[.]bat
start[.]vbs
wmiexec[.]exe
MD5 hash
5f098b55f94f5a448ca28904a57c0e58
0f8b592126cc2be0e9967d21c40806bc
c8bd04b93ac9b95b712a84f119b31959
b90f05b5e705e0b0cb47f51b985f84db
c64f3293658ed3b3ba1f54c17fe37d18
8493325c9ff1a073d85b768703d594b4
b22b4531dce8a9cb16ecb9e4c17daea3
SHA1 hash
27102b416ef5df186bd8b35190c2a4cc4e2fbf37
3da45558d8098eb41ed7db5115af5a2c61c543af
1bf98c565cbfc4a500fab1d44b0f7c357d87abf6
5bd0690247dc1e446916800af169270f100d089b
5100230b454c33c05d1aef4235898543595ba378
39831dcae48c34dc61741b640f5bbdada97cf66e
7f310ac9423852b7a0af0c898c3404b3b47cbf53
SHA256 hash
668ec78916bab79e707dc99fdecfa10f3c87ee36d4dee6e3502d1f5663a428a0
724d54971c0bba8ff32aeb6044d3b3fd571b13a4c19cada015ea4bcab30cae26
24a73efb6dcc798f1b8a08ccf3fa2263ff61587210fdec1f2b7641f05550fe3b
28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa
e6f4ce982908108759536f5aff21fa6686b8ea8153fdd4cdd087cceff5f1748a
927289ddccbb1de98fe3f8af627296d0d7e9833c8f59e5e423fe283b6792da89
9dce6086c61c23420ac497f306debf32731decc5527231002dbb69523fad3369