The Iran-linked hacking group known as Charming Kitten recently switched to WhatsApp and LinkedIn to conduct phishing attacks, Clearsky security researchers reveal.
Active since at least 2011, the adversary is also tracked as Ajax Security Team, APT35, ITG18, NewsBeef, Newscaster, and Phosphorus, and was previously observed targeting a U.S. presidential candidate, media organizations, government officials, and prominent expatriate Iranians, using an updated spear phishing technique.
In July, only a couple of months after Google revealed that the Iranian hackers targeted the WHO, the threat actor accidentally leaked 40Gb of data. In early 2020, the hackers were observed posing as journalists in a phishing campaign that targeted at least five individuals around the world.
Now, security firm Clearsky reveals that the adversary continues phishing attacks in which they impersonate journalists, this time from ‘DeutscheWelle’ and the ‘Jewish Journal’, and it employed both email and WhatsApp to approach the target and trick them into clicking on a malicious link. Fake LinkedIn profiles were used to gain victims’ trust.
The most recent campaign targeted Israeli scholars (via their institutional email account), and US government employees. The hackers used a personalized URL, tailored to the victim’s email address, to trick them into accessing the malicious link, and also attempted to send a malicious ZIP file to the victim.
“Clearsky alerted ‘Deutsche Welle’ about the impersonation and the watering hole in their website. A ‘Deutsche Welle’ representative confirmed that the reporter which Charming Kitten impersonated, did not send any emails to the victim nor any other academic researcher in Israel in the past few weeks,” the security firm says.
As part of the campaign, the attackers used a well-developed LinkedIn account in support of their email spear-phishing attacks, and showed willingness to speak to the victim on the phone, over WhatsApp, using a legitimate German phone number.
The hackers approached Israeli researchers from Haifa and Tel Aviv Universities, to ask them to participate in a webinar about Iran and other subjects, nominating the victim as the main speaker in the webinar. The attackers sent multiple, repeated messages, until the victim responded.
The Charming Kitten attackers messaged the victim repeatedly for ten days, claiming they were interested in engaging in a direct phone call, and attempted to lure the victim into “activating their account” on the site “Akademie DW” (their phishing page).
“If the victim is not willing to share their personal phone number, the attacker will send him a message from the fake LinkedIn account. This message will contain a promise that the webinar is secured by Google, as they sent to the victim on the tenth day,” Clearsky says.
In another attack, the hackers created a fake LinkedIn account for ‘Helen Cooper’, a senior researcher at Hudson Institute and sent email messages that contained either a malicious link or a malicious attachment. Sending malicious files via email is uncommon for this threat actor.