Iranian Cyberspy Group Launching Ransomware Attacks Against US

Over the past several months, Iran-linked cyberespionage group Charming Kitten has been engaging in financially-motivated activities, the Secureworks Counter Threat Unit (CTU) reports.

Also referred to as APT35, Magic Hound, NewsBeef, Newscaster, Phosphorus, and TA453, the advanced persistent threat (APT) actor is known for the targeting of activists, government organizations, journalists, and various other entities.

In November 2021, a joint advisory from government agencies in the US, UK, and Australia warned of Iranian state-sponsored attacks targeting critical infrastructure and other organizations through the exploitation of Fortinet FortiOS vulnerabilities and a Microsoft Exchange ProxyShell bug.

In a report in December 2021, Microsoft noted that Charming Kitten was showing high interest in acquiring exploits targeting the Log4j vulnerability, to modify and use them in new attacks. In January 2022, the APT was observed using a new PowerShell backdoor.

Secureworks, which tracks the cyberespionage group as Cobalt Mirage, reported today that the group appears to have turned to financially-motivated attacks, including the deployment of ransomware.

The researchers note that, in January 2022, the threat actor leveraged previously obtained access to infiltrate the network of a philanthropic organization in the US, where they deployed a web shell that was later used to drop additional files.

Named Dllhost.exe, one of these files is a Go binary that appears to be in part based on the Fast Reverse Proxy (FRP) code available on GitHub. When executed on a compromised Exchange server, dllhost.exe collects system information and sets up a communication tunnel with the command and control (C&C) server.

Next, the attackers conducted a Local Security Authority Server Service (LSASS) dump to hunt for user credentials. Three days later, they used Remote Desktop Protocol (RDP) to log onto the Exchange server, likely a hands-on-keyboard operation.

After enumerating the environment, the threat actor moved laterally and then “encrypted three user workstations with BitLocker, rendering them inaccessible to the compromised organization’s staff,” Secureworks says.

The attackers then sent a ransom note to a local printer, instructing the victim to make contact over email or Telegram to receive information on decryption and recovery.

“This approach suggests a small operation that relies on manual processes to map victims to the encryption keys used to lock their data. As of this publication, CTU researchers are not aware of a Cobalt Mirage leak site. The victimology of the Cobalt Mirage attacks suggests that these threat actors are focused on financial gain.” Secureworks says.

In March 2022, the same threat actor was observed compromising the network of a local US government, but no ransomware was deployed. Instead, the group focused on harvesting data and exfiltrating it using free online services.

“After the March 2022 intrusion was detected and disrupted, no additional malicious activity was observed. CTU researchers have not directly observed ransomware attacks linked to [the activity], but there is evidence that those threat actors may be experimenting with ransomware,” Secureworks notes.

The security researchers assess that, while the group has managed to compromise a large number of targets worldwide, “their ability to capitalize on that access for financial gain or intelligence collection appears limited.” However, the use of publicly available tools for ransomware operations shows that the group remains an ongoing threat, Secureworks concludes.

Related: US, UK Warn of Iranian Cyberattacks on Government, Commercial Networks

Related: Newly Detected “StrifeWater” RAT Linked to Iranian APT

Related: Iran-Linked Hackers Expand Arsenal With New Android Backdoor