Iranian Hackers Target Journalists in New Phishing Campaign

The Iran-linked threat group know as “Charming Kitten” has been targeting journalists, political and human rights activists in a new campaign aimed at stealing email account credentials, Certfa Lab reports.

Also known as APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus, the adversary has been active since at least 2011, targeting journalists and activists in the Middle East, as well as organizations in the United States, and entities in the U.K., Israel, Iraq, and Saudi Arabia.

The newly detailed phishing attack, Certfa Lab says, is related to previously observed activity targeting a U.S. presidential candidate, government officials, media targets, and prominent expatriate Iranians, where the hackers employed an updated spear phishing technique.  

Charming Kitten’s new activity indicates that the hacking group continues to target private and government institutions, think tanks, academics, organizations with ties to the Baha’i community, and others from Europe, the United States, and Saudi Arabia, Certfa Lab noted in a blog post.

As part of the campaign, the threat actor created a fake account impersonating New York Times journalist Farnaz Fassihi (former Wall Street Journal (WSJ) journalist), to send fake interview invitations to victims and trick them into accessing phishing websites. 

The phishing emails contained shortened URLs in the footnotes (social media links, WSJ and Dow Jones websites), which allow hackers to guide victims to legitimate sites while gathering basic information on their devices (IP address, operating system, and browser). 

Next, the attackers send a link to a file containing interview questions, which is hosted on Google Sites, to avoid raising suspicion and evade the spam detections. From the Google Site page, the victim is then taken to a phishing page at two-step-checkup[.]site, where they are asked for login credentials, including two factor authentication (2FA) codes. 

In these attacks, the threat actor also used pdfReader.exe, an unsophisticated backdoor that achieves persistence through modified Windows Firewall and Registry settings. Designed to gather victim device data, the malware shows a close relation between its developer and the campaign’s operators. 

Analysis of the phishing websites used in these attacks reveal the use of servers previously associated with other Charming Kitten phishing attacks. The method of managing and sending HTTP requests is further evidence that Charming Kitten is behind the operation. 

“This new series of phishing attacks by the Charming Kitten are in line with previous activities seen from their group. For example, we identified similar settings for the servers used in this attack with their previous campaigns. The Charming Kitten used Google Sites for their phishing attack, and Certfa believes that they work on the development of a series of malware for their future phishing attack campaign,” the security company added.

The attacks appear to have started on November 1, 2019, Certfa Lab founder Amin Sabeti told SecurityWeek via email. The campaign has been active ever since and attacks are ongoing, with new infrastructure and different identities or scenarios observed, he said.

Sabeti also confirmed that at least five individuals were targeted in these phishing attempts, but added that there might be more than 20 intended victims.

Sabeti says that, while there have been no exact geographical patterns for the targets, they are spread all around the world. Certfa Lab has been tracking other attacks as well and is determined to share additional details on the campaign pending the completion of their investigation.

Related: Iranian Hackers Update Spear-Phishing Techniques in Recent Campaign

Related: Iran-Linked Malware Shared by USCYBERCOM First Seen in December 2016