Iran-linked Charming Kitten APT contacts targets via WhatsApp, LinkedIn

August 28, 2020  By Pierluigi Paganini


The Iran-linked Charming Kitten APT group leveraged on WhatsApp and LinkedIn to carry out phishing attacks, researchers warn.

Clearsky security researchers revealed that Iran-linked Charming Kitten APT group is using WhatsApp and LinkedIn to conduct spear-phishing attacks.

Iran-linked Charming Kitten group, (aka APT35PhosphorusNewscaster, and Ajax Security Team) made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011 targeting journalists and activists in the Middle East, as well as organizations in the United States, and entities in the U.K., Israel, Iraq, and Saudi Arabia.

Now, security researchers from Clearsky reported details about a new phishing campaign in which the threat actors impersonate journalists from ‘DeutscheWelle’ and the ‘Jewish Journal.’ The state-sponsored hackers are employing both email and WhatsApp to trick victims into clicking on a malicious link.

Experts also observed the attackers using fake LinkedIn profiles to establish a first contact with the victims.

In the past few months, the Charming Kitten cyberespionage group has expanded its target’s list, adding the Baha’i community2 , high-ranking American civil servants and officials (including ambassadors and former employees of the US State Department), and COVID-19 related organizations (such as Gilead3 and WHO4 ). In a recent attack, the hackers targeted Israeli scholars and US government employees.

The hackers used a personalized link for each victim and also attempted to send them a ZIP file.

Below the timeline of the attackers that involved fake profiles from “Deutsche Welle” and “Jewish Journal” in the past three years:

“Clearsky alerted “Deutsche Welle” about the impersonation and the watering hole in their website. A “Deutsche Welle” representative confirmed that the reporter which Charming Kitten impersonated, did not send any emails to the victim nor any other academic researcher in Israel in the past few weeks.” reads the analysis published by the experts. “Note that part of “Deutsche Welle”reporters are originally from Iran – a fact that helps Charming Kitten to hide the accent of their operators during a phone call. It should be noted that this attack vector is unique to Charming Kitten, but it has not the only attack vector that has been used in recent months by this threat actor.”

Experts pointed out that the attackers used a well-developed LinkedIn account in this campaign while they showed willingness to speak to the victim on the phone, over WhatsApp, using a legitimate German phone number.

“This TTP is uncommon and jeopardizes the fake identity of the attackers (unlike emails for example). However, if the attackers have successfully passed the phone call obstacle, they can gain more trust from the victim, compared to an email message.” continues the report.

The Charming Kitten attackers targeted Israeli researchers from Haifa and Tel Aviv Universities asking them to participate in an online webinar/meeting about Iran and other subjects of interest for the target (e.g. recent discourse between Iran and the US).

The Charming Kitten attackers implore the victim to respond repeatedly for ten days, and they are prepared to engage in a direct phone call with them to cajole the victim into “activating their account” with the site “Akademie DW”(used as their phishing page). D

The hackers sent messages to the targets repeatedly for ten days, asking them to availability for a direct phone call, and attempting to lure them into activating their account on the site “Akademie DW” (their phishing page).

“If the victim is not willing to share their personal phone number, the attacker will send him a message from the fake LinkedIn account. This message will contain a promise that the webinar is secured by Google, as they sent to the victim on the tenth day,” Clearsky concludes.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, LinkedIn)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Elon Musk confirms that Russian hackers tried to recruit Tesla employee to plant a malware

 Elon Musk confirmed that Russian hackers attempted to recruit an employee to install malware into the network of electric...