By setting up a fake webinar portal, Charming Kitten, an Iranian-born threat actor, has been connected to new attacks aimed at Middle Eastern policy experts known as BASICSTAR.
APT35, CharmingCypress, Mint Sandstorm, TA453, and Yellow Garuda are just a few of the social engineering campaigns that have been orchestrated by charming kitten, which frequently singles out think tanks, non-profit organizations, and journalists.
According to Volexity researchers Ankur Saini, Callum Roxan, Charlie Gardner, and Damien Cash, CharmingCypress frequently uses unusual social engineering strategies, such as engaging targets in protracted email conversations before sending links to malicious content.
Microsoft revealed last month that the enemy has targeted high-profile Middle Eastern affairs experts to spread malware that can collect sensitive data from a compromised host, including MischiefTut and MediaPl ( also known as EYEGLASS).
The organization, which is thought to be connected to Iran’s Islamic Revolutionary Guard Corps ( IRGC), has also dispersed a number of other backdoors over the past year, including PowerLess, BellaCiao, POWERSTAR ( also known as GorjolEcho ), and NokNok, emphasizing its commitment to continuing its cyberattack and adapting its strategies despite being made public.
The Charming Kitten operators pretended to be the Rasanah International Institute for Iranian Studies ( IIIS ) in order to initiate and establish trust with the targets during the phishing attacks that were observed between September and October 2023.
The use of multiple threat-actor-controlled email accounts, the latter of which is known as Multi-Persona Impersonation ( MPI), as well as compromised emails belonging to legitimate contacts are additional characteristics of the phishing attempts.
Malware is typically distributed by attack chains using RAR archives containing LNK files, with messages urging potential victims to sign up for a fictitious webinar on subjects they find interesting. A PowerShell downloader script called BASICSTAR and KORKULOADER was deployed during one of these multi-stage infection sequences.
Visual Basic Script (VBS ) malware known as BASICSTAR has the ability to remotely execute commands relayed from a command-and-control ( C2 ) server, download and display fake PDF files, and collect basic system information.
Additionally, depending on the operating system of the machine, some of these phishing attacks are designed to target various backdoors. While POWERLESS compromises Windows users, an infection chain that leads to NokNok via a useful malware-infected VPN application targets Apple macOS users.
According to the researchers,” this threat actor is very committed to keeping an eye on their targets to figure out how to manipulate them and spread malware.” Few other threat actors have consistently produced as many campaigns with human operators at their disposal as CharmingCypress.
Recorded Future revealed that IRGC used a network of contracting firms that also specialize in exporting technologies to nations like Iraq, Syria, and Lebanon for surveillance and offensive purposes to target Western nations.
The relationship between Iran-based contractors and intelligence and military organizations is represented by a number of cyber centers that serve as “firewalls” to hide the sponsoring party.
Ayandeh Sazan Sepher Aria ( rumored to be connected to Emennet Pasargad ), DSP Research Institute, Sabrin Kish, Sorousha Saman, Mahak Rayan Afraz, and Parnian Telecommunication and Electronic Company are a few of them.
According to the company,” Iran contracting companies are founded and managed by a close-knit network of personas, some of whom serve as the contractors ‘ board members.” ” The people have a close relationship with the IRGC and, in some cases, even serve as sanctioned organizations ‘ representatives,” according to the article.