Ten Years Top: Charming Kitten's Tale of Cybercrime

Overview

Tactics, Techniques, and Procedures (TTPs)

Victimology

• From 2011 till May 2014, Charming Kitten used a dozen of fake personas on social networking sites and ran a wide-spanning cyberespionage operation. It was able to connect to and victimize more than 2,000 individuals across the U.S., the U.K., Saudi Arabia, and Iraq.
• In December 2017, a member linked with Charming Kitten was accused of hacking HBO’s digital content. It claimed that if money was not paid, scripts of television episodes of Game of Thrones would be leaked.
• In August 2018, an influence campaign targeted the U.S., the U.K., Latin America, and the Middle East. The APT35 group used a network of fake news sites and social media sites to promote anti-Saudi, anti-Israeli, and Pro-Palestine narratives.
• In October 2019, the Charming Kitten employed new spear-phishing methods in a campaign targeting a U.S. presidential candidate, government officials, media persons, and prominent expatriate Iranians. Out of 241 targeted accounts, at least four were compromised.
• In June 2020, the major U.S. presidential campaigns were targeted by these state-backed hackers. Charming Kitten attempted to target the personnel related to Joe Biden’s election campaign.
• In March 2021, the threat group launched a credential phishing campaign, dubbed BadBlood, that was aimed at senior medical professionals specialized in genetic, neurotic, and oncology research in the U.S. and Israel.
• In January 2022, the APT35 group leveraged Log4Shell (CVE-2021-44228) vulnerability to drop a PowerShell backdoor identified as GhostEcho (aka CharmPower).
• In mid-2022, the threat group deployed Multi-Persona impersonation social engineering tactics to lure the targeted victims. For instance, to target an individual specialized in Middle Eastern affairs, attackers created the fake persona of Aaron Stein, the director of research at the Foreign Policy Research Institute (FPRI), and Richard Wike, director of global attitudes research at Pew Research Center.
• In December 2022, the TA453 threat group was observed using a combination of malware, confrontational lures, and compromised accounts to reach a wider set of targets, including politicians, government officials, and researchers.
• In April 2023, the Charming Kitten was observed using new malware, called BellaCiao, to target users located in the U.S., Turkey, India, Europe, and the Middle East. For initial intrusion, the group exploited known vulnerabilities in internet-exposed applications, including Exchange Server and Zoho ManageEngine.

Malware and tools

• BellaCiao (founded April 2023): It is a personalized dropper capable of delivering other malware payloads onto a victim machine, based on commands received from an actor-controlled server. 
• GhostEcho aka CharmPower (2021): This is a PowerShell backdoor used to deliver additional spyware to the targeted systems. It can execute additional modules and communicate with a C2 server of an attacker.
• Hyperscraper (late 2021): It is a data extraction tool used for stealing emails (such as Gmail, Yahoo, and Outlook). The extraction tool is written in DotNET language and is used to target Windows machines.
• PowerLess (February 2022): This is a PowerShell backdoor that supports downloading of additional payloads. These additional payloads include a keylogger and an info stealer used for the different tasks or actions.
• LittleLooter (August 2021): It is a custom Android backdoor that comes with information-stealing capabilities, along with abilities to turn on/off Bluetooth, Wifi, and mobile data. It garnered attention due to its unique way of communicating with the C2 via HTTP POST request/response. 
• StoneDrill (2016): This is a wiper malware similar to the Shamoon2 malware and reuses code from the malware samples from the NewsBeef espionage campaign. It includes wiping modules and several advanced evasion techniques.
• MacDownloader (February 2017): The malware steals credentials and other data from Mac computers. It can sniff the credentials from the macOS's built-in password manager called Keychain.

Abuse of Genuine tools:

• BitLocker: It is a data protection feature for the encryption of disks on systems running Windows. The threat group used setup[.]bat commands to enable BitLocker encryption that leaves hosts useless.
• DiskCryptor: It is an open encryption solution that comes with the ability to encrypt all disk partitions, even the system partition. The new releases of DiskCryptor are considered a replacement for BitLocker.
• Fast Reverse Proxy (FRP): It’s a tool that allows a user to expose a local server located behind a NAT or firewall to the Internet. With the FRP module, Charming Kitten intercepts the HTTP request and modifies the HTTP header values (e.g. the Host header) and HTTP body (as needed) with a script. 

Attribution and suspects

• In 2013, a former U.S. Air Force technical sergeant and a strong suspect Monica E. Witt defected to Iran to avoid criminal charges. Charming Kitten targeted Iran-focused academics, journalists, and human rights activists following Witt's defection, as reported by ClearSky in 2017.
• In 2017, a hacker going by the alias Behzad Mesri (aka Sokoote Vahshat) claimed to hack HBO and steal 1.5 TB of data. Later, Vahshat was indicted for the hack. 
• In February 2019, a federal grand jury in the U.S. indicted Monica Witt on charges of espionage. In the same indictment, four Iranian nationals (Behzad Mesri, Mojtaba Masoumpour, Mohamad Paryar, and Hossein Parvar) were charged with different charges, for running a campaign in 2014 and 2015 that were aimed to compromise the data of former co-workers of Witt.

Prevention

Conclusion

Indicators of Compromise