Iran-linked Charming Kitten APT contacts targets via WhatsApp, LinkedIn

Pierluigi Paganini August 28, 2020

The Iran-linked Charming Kitten APT group leveraged on WhatsApp and LinkedIn to carry out phishing attacks, researchers warn.

Clearsky security researchers revealed that Iran-linked Charming Kitten APT group is using WhatsApp and LinkedIn to conduct spear-phishing attacks.

Iran-linked Charming Kitten group, (aka APT35PhosphorusNewscaster, and Ajax Security Team) made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011 targeting journalists and activists in the Middle East, as well as organizations in the United States, and entities in the U.K., Israel, Iraq, and Saudi Arabia.

Now, security researchers from Clearsky reported details about a new phishing campaign in which the threat actors impersonate journalists from ‘DeutscheWelle’ and the ‘Jewish Journal.’ The state-sponsored hackers are employing both email and WhatsApp to trick victims into clicking on a malicious link.

Experts also observed the attackers using fake LinkedIn profiles to establish a first contact with the victims.

In the past few months, the Charming Kitten cyberespionage group has expanded its target’s list, adding the Baha’i community2 , high-ranking American civil servants and officials (including ambassadors and former employees of the US State Department), and COVID-19 related organizations (such as Gilead3 and WHO4 ). In a recent attack, the hackers targeted Israeli scholars and US government employees.

The hackers used a personalized link for each victim and also attempted to send them a ZIP file.

Below the timeline of the attackers that involved fake profiles from “Deutsche Welle” and “Jewish Journal” in the past three years:

“Clearsky alerted “Deutsche Welle” about the impersonation and the watering hole in their website. A “Deutsche Welle” representative confirmed that the reporter which Charming Kitten impersonated, did not send any emails to the victim nor any other academic researcher in Israel in the past few weeks.” reads the analysis published by the experts. “Note that part of “Deutsche Welle”reporters are originally from Iran – a fact that helps Charming Kitten to hide the accent of their operators during a phone call. It should be noted that this attack vector is unique to Charming Kitten, but it has not the only attack vector that has been used in recent months by this threat actor.”

Experts pointed out that the attackers used a well-developed LinkedIn account in this campaign while they showed willingness to speak to the victim on the phone, over WhatsApp, using a legitimate German phone number.

“This TTP is uncommon and jeopardizes the fake identity of the attackers (unlike emails for example). However, if the attackers have successfully passed the phone call obstacle, they can gain more trust from the victim, compared to an email message.” continues the report.

The Charming Kitten attackers targeted Israeli researchers from Haifa and Tel Aviv Universities asking them to participate in an online webinar/meeting about Iran and other subjects of interest for the target (e.g. recent discourse between Iran and the US).

The Charming Kitten attackers implore the victim to respond repeatedly for ten days, and they are prepared to engage in a direct phone call with them to cajole the victim into “activating their account” with the site “Akademie DW”(used as their phishing page). D

The hackers sent messages to the targets repeatedly for ten days, asking them to availability for a direct phone call, and attempting to lure them into activating their account on the site “Akademie DW” (their phishing page).

“If the victim is not willing to share their personal phone number, the attacker will send him a message from the fake LinkedIn account. This message will contain a promise that the webinar is secured by Google, as they sent to the victim on the tenth day,” Clearsky concludes.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, LinkedIn)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment