Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Phishing

Iranian Hackers Target Journalists in New Phishing Campaign

The Iran-linked threat group know as “Charming Kitten” has been targeting journalists, political and human rights activists in a new campaign aimed at stealing email account credentials, Certfa Lab reports.

The Iran-linked threat group know as “Charming Kitten” has been targeting journalists, political and human rights activists in a new campaign aimed at stealing email account credentials, Certfa Lab reports.

Also known as APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus, the adversary has been active since at least 2011, targeting journalists and activists in the Middle East, as well as organizations in the United States, and entities in the U.K., Israel, Iraq, and Saudi Arabia.

The newly detailed phishing attack, Certfa Lab says, is related to previously observed activity targeting a U.S. presidential candidate, government officials, media targets, and prominent expatriate Iranians, where the hackers employed an updated spear phishing technique.  

Charming Kitten’s new activity indicates that the hacking group continues to target private and government institutions, think tanks, academics, organizations with ties to the Baha’i community, and others from Europe, the United States, and Saudi Arabia, Certfa Lab noted in a blog post.

As part of the campaign, the threat actor created a fake account impersonating New York Times journalist Farnaz Fassihi (former Wall Street Journal (WSJ) journalist), to send fake interview invitations to victims and trick them into accessing phishing websites. 

The phishing emails contained shortened URLs in the footnotes (social media links, WSJ and Dow Jones websites), which allow hackers to guide victims to legitimate sites while gathering basic information on their devices (IP address, operating system, and browser). 

Next, the attackers send a link to a file containing interview questions, which is hosted on Google Sites, to avoid raising suspicion and evade the spam detections. From the Google Site page, the victim is then taken to a phishing page at two-step-checkup[.]site, where they are asked for login credentials, including two factor authentication (2FA) codes. 

In these attacks, the threat actor also used pdfReader.exe, an unsophisticated backdoor that achieves persistence through modified Windows Firewall and Registry settings. Designed to gather victim device data, the malware shows a close relation between its developer and the campaign’s operators. 

Advertisement. Scroll to continue reading.

Analysis of the phishing websites used in these attacks reveal the use of servers previously associated with other Charming Kitten phishing attacks. The method of managing and sending HTTP requests is further evidence that Charming Kitten is behind the operation. 

“This new series of phishing attacks by the Charming Kitten are in line with previous activities seen from their group. For example, we identified similar settings for the servers used in this attack with their previous campaigns. The Charming Kitten used Google Sites for their phishing attack, and Certfa believes that they work on the development of a series of malware for their future phishing attack campaign,” the security company added.

The attacks appear to have started on November 1, 2019, Certfa Lab founder Amin Sabeti told SecurityWeek via email. The campaign has been active ever since and attacks are ongoing, with new infrastructure and different identities or scenarios observed, he said.

Sabeti also confirmed that at least five individuals were targeted in these phishing attempts, but added that there might be more than 20 intended victims.

Sabeti says that, while there have been no exact geographical patterns for the targets, they are spread all around the world. Certfa Lab has been tracking other attacks as well and is determined to share additional details on the campaign pending the completion of their investigation.

Related: Iranian Hackers Update Spear-Phishing Techniques in Recent Campaign

Related: Iran-Linked Malware Shared by USCYBERCOM First Seen in December 2016

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Phishing

The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Fraud & Identity Theft

Famed hacker Kevin Mitnick has died after a battle with pancreatic cancer.  At the time of his death, he was Chief Hacking Officer at...

Cybercrime

Enterprise users have been warned that cybercriminals may be trying to phish their credentials by luring them with fake emails that appear to be...

Phishing

The Single Most Important Part of Dealing with a Phishing Attack is Preparing for the Attack Before it Actually Happens.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Cybercrime

A threat actor tracked as ‘Scattered Spider’ is targeting telecommunications and business process outsourcing (BPO) companies in an effort to gain access to mobile...

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...