
Charming Kitten Returns with WhatsApp, LinkedIn Effort


The Iran-linked APT is targeting Israeli scholars and U.S. government employees in a credential-stealing effort.

The Iran-affiliated APT known as Charming Kitten is back with a new approach, impersonating Persian-speaking journalists via WhatsApp and LinkedIn, in order to con victims into opening malicious links. The targets are Israeli scholars from Haifa and Tel Aviv universities, and U.S. government employees, researchers said.

According to an analysis from Clearsky, the latest gambit was first spotted in July. The attackers have been pretending to be known writers for Deutsche Welle and/or the Jewish Journal, and approach targets via email and via WhatsApp messages and calls. To lend verisimilitude to their impersonations, the attackers also set up fake LinkedIn profiles under the journalists’ names, and have been sending LinkedIn messages to corner victims as well. The end game is to convince a target to click on a malicious link, which takes the user to a phishing page that steals credentials.

“The malicious link is embedded in a legitimate, compromised Deutsche Welle domain, with waterhole methods,” according to a writeup from Clearsky, issued last week. “Each victim receives a personalized link, tailored to their specific email account. We identified an attempt to send a malicious ZIP file to the victim as well, additional to a message that was sent to the victim via a fake LinkedIn profile.”

This approach is a marked departure from Charming Kitten’s usual M.O., which tends to rely on emails and SMS.

“These two platforms enable the attacker to reach the victim easily, spending minimum time in creating the fictitious social-media profile,” according to Clearsky. “However, in this campaign Charming Kitten has used a reliable, well-developed LinkedIn account to support their email spear-phishing attacks…[we also] observed a willingness of the attackers to speak on the phone directly with the victim, using WhatsApp calls, and a legitimate German phone number. This [tactic, technique and procedure] (TTP) is uncommon and jeopardizes the fake identity of the attackers.”

A fake LinkedIn page.

To get around the potential language issue, Charming Kitten generally chooses to impersonate Persian (Farsi)-speaking journalists, so that the operator’s accent does not give the impersonation away during a phone call. Clearsky researchers pointed out that a cadre of Deutsche Welle reporters, for instance, are in fact originally from Iran.

Highly Targeted

The most recent campaign had a few different prongs, but email was the initial attack vector across the board.

According to the analysis, some emails impersonated an Iranian Deutsche Welle journalist who speaks fluent Farsi with a local accent. Others impersonated an Israeli scholar from Tel Aviv University, with emails in Hebrew inviting targets to an alleged Zoom meeting. Yet others impersonated a reporter from the Jewish Journal asking the target to join a webinar on “citizenship and freedom of girls and women in Iran and its future.”

In all cases, the attackers attempt to get a conversation going in order to establish trust. For instance, in the case of the Jewish Journal webinar, the attackers tried to entice the victim by nominating them as its main speaker, “chosen from more than a hundred participants.”

After these conversations with the target, the attacker requests that they switch to WhatsApp for further conversation, according to the analysis – attempting to engage the target via multiple messages for up to 10 days.

“Charming Kitten sent multiple and repeating messages, sometimes in very short time, until the target responded,” researchers wrote. “The messages were sent from a German number (prefix +49) to create a sense of credibility, and the WhatsApp account bears the image of the journalist being impersonated.” If the victim is not willing to share a personal phone number, the attackers will send the person a message from the fake LinkedIn accounts.

These second-stage messages contain malicious links that purport to lead to registration for various online calls or events. The link takes users to a page where they can “activate their accounts” by signing up on the site “Akademie DW” (which is actually just a phishing page). The malicious link pointing to this page was most recently hosted on a legitimate Deutsche Welle domain (dw[.]de), the researchers said.

“Each victim receives a personalized link for their own email address – the word ‘?id=’ followed by the word ‘SSH’ and three sets of five letters and numbers,” according to the researchers. On the phishing page, “If the victim enters their correct password, they are sent to a two-factor authentication (2FA) page,” said the researchers. “A wrong password produces an error message. The attackers will then pressure the victim to try again using their university email.”

The attackers also offer to engage in a direct phone call with the targets to help them with the process.
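The per-victim link format described above (an `id=` parameter of the form “SSH” plus three five-character groups) is the kind of artifact a defender can hunt for in proxy or email-gateway logs. The following is an added example, not code from Clearsky or from the original article: a small scanner that flags URLs whose `id=` value has that shape. The write-up does not say whether the three groups are separated, so the optional separator in the regex, the log line format (`timestamp user url`), and the `.invalid` hostnames in the sample lines are all assumptions made for this example.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Shape of the personalised "?id=" value as described in the Clearsky write-up:
# the literal "SSH" followed by three groups of five letters/digits. The report
# does not say whether the groups are separated, so allowing an optional single
# non-alphanumeric separator before each group is an assumption of this example.
ID_PATTERN = re.compile(r"^SSH(?:[^A-Za-z0-9]?[A-Za-z0-9]{5}){3}$")


def check_link(url: str) -> Optional[dict]:
    """Return host/path/id if the URL carries an id= value of the reported shape, else None."""
    parsed = urlparse(url)
    for value in parse_qs(parsed.query).get("id", []):
        if ID_PATTERN.match(value):
            return {"host": parsed.hostname, "path": parsed.path, "id": value}
    return None


def scan_proxy_log(lines):
    """Scan 'timestamp user url' proxy lines; return (timestamp, user, host, id) for each hit."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # malformed line: skip it rather than abort the whole scan
        ts, user, url = parts
        match = check_link(url)
        if match:
            hits.append((ts, user, match["host"], match["id"]))
    return hits


# Constructed sample proxy log lines for this example; the hostnames are
# placeholders (.invalid TLD), not real infrastructure from the campaign.
SAMPLE_LOG = [
    "2020-08-10T09:12:44Z alice https://akademie.example-dw.invalid/register/?id=SSHab12Xcd34Yef56Z",
    "2020-08-10T09:13:01Z alice https://akademie.example-dw.invalid/static/logo.png",
    "2020-08-10T10:02:17Z bob https://login.example.invalid/?id=SSH-ab12X-cd34Y-ef56Z&lang=en",
    "2020-08-10T10:05:53Z carol https://news.example.invalid/article?id=12345",
    "2020-08-10T10:06:10Z dave https://news.example.invalid/?id=SSHabc",
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("suspicious personalised link:", hit)
```

Because the link was hosted on a legitimate domain, the host name alone is not a useful indicator; the scanner keys on the parameter shape instead and reports the host only so an analyst can see which (possibly compromised) site served the page. A hit on a user who then visited a credential or 2FA-looking page is the point at which to force a password reset and review that user’s mailbox.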

A timeline of Charming Kitten activity.

Charming Kitten, a.k.a. APT35 or Ajax, has been active since 2014. It’s known for politically motivated, socially engineered attacks, and often uses phishing as an attack vector. Its primary targets are Iranian academic experts, human-rights activists, journalists, the Baha’i community, ambassadors and former employees of the U.S. State Department, and COVID-19-related organizations such as Gilead and the World Health Organization.

The group was also recently seen trying to hack into email accounts tied to the Trump 2020 re-election campaign, ramping up those efforts with new spearphishing tactics. This is also only the latest campaign where the group has impersonated journalists. In February, the group purported to be from the Wall Street Journal, and was seen emailing a victim to ask for an interview in an effort to gain trust.
