Researchers from Certfa Lab have spotted a new cyber espionage campaign carried out by the Iran-linked APT group Charming Kitten that has been targeting journalists and political and human rights activists.
The Iran-linked Charming Kitten group (aka APT35, Phosphorus, Newscaster, and Ajax Security Team) made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.
Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011 targeting journalists and activists in the Middle East, as well as organizations in the United States, and entities in the U.K., Israel, Iraq, and Saudi Arabia.
The campaign uncovered by Certfa Lab is related to previously observed targeted attacks against a U.S.
The Iranian hackers are still focused on targeting private and government institutions, think tanks and academic institutions, organizations with ties to the Baha’i community, and many others in European countries, the United States, the United Kingdom, and Saudi Arabia.
The attackers created a fake account impersonating New York Times journalist Farnaz Fassihi (former Wall Street Journal (WSJ) journalist) to send fake interview proposals or invitations to a webinar to the target individuals and trick them into accessing phishing websites.
The spear-phishing messages use
Then, the attackers send a link to a page containing interview questions that is hosted on Google Sites, a common trick to evade detection.
Once the victims click the download button on the Google Sites page, they are redirected to another fake page in two-step-checkup
Attackers employed a backdoor named “pdfreader.exe,” which was first uploaded to VirusTotal by an anonymous user on 3 October 2019. The malware gathers victim device data and achieves persistence through modified Windows Firewall and Registry settings. Experts pointed out that the malware is linked to operators behind past Charming Kitten
“The similarities between the method of managing and sending HTTP requests in “two-step-checkup
The recently discovered phishing attacks by the Charming Kitten are in line with previous activities conducted by the group.
“The Charming Kitten used Google Sites for their phishing attack, and Certfa believes that they work on the development of a series of malware for their future phishing attack campaign,” concludes the report.
(SecurityAffairs – Charming Kitten, APT)