An Iran-linked cyber espionage group known as Charming Kitten, APT35, or Ajax has adopted a new approach to its phishing attacks. The threat actor, which focuses on targeting the government, defense technology, military, and diplomacy sectors, has recently switched to LinkedIn and WhatsApp to infect victims’ devices with malware, ClearSky researchers reveal.
The most recent campaign targeted Israeli scholars (via their institutional email accounts) and US government employees.
According to the researchers, one of the group’s most common attack vectors is impersonating journalists, particularly those from the German broadcaster “Deutsche Welle” and the “Jewish Journal” magazine. In the attacks, spotted by ClearSky in July this year, the group updated its TTPs (Tactics, Techniques, and Procedures) with a new approach that combines emails with WhatsApp messages and fake LinkedIn profiles to lure victims into clicking on a malicious link. The researchers also observed attempts to initiate phone calls between the hackers and the victim.
ClearSky said that the malicious link was embedded in a legitimate but compromised “Deutsche Welle” domain via a watering hole attack.
“Each victim receives a personalized link, tailored to their specific email account. We identified an attempt to send a malicious ZIP file to the victim as well, in addition to a message that was sent to the victim via a fake LinkedIn profile. We assess that in some cases, Charming Kitten would try to infect the victim with malware instead of stealing its credentials,” the researchers said.
“In this campaign, we observed a willingness of the attackers to speak on the phone directly with the victim, using WhatsApp calls, and a legitimate German phone number. This TTP is uncommon and jeopardizes the fake identity of the attackers (unlike emails for example). However, if the attackers have successfully passed the phone call obstacle, they can gain more trust from the victim, compared to an email message,” they added.
In the recent Charming Kitten campaign, victims have been asked to participate in an online webinar/meeting about Iran and other subjects of interest to the target. Posing as journalists, the hackers asked the victim whether they were interested in participating in the webinar. If so, they were requested to reply in order to receive relevant information, such as a full list of other participants, the date and time of the webinar, and details regarding payment for attending. The attackers sent repeated messages until the victim responded.
According to the researchers, the hackers made several attempts to contact Israeli researchers at their Haifa University and Tel Aviv University email addresses, which are hosted on a Microsoft email server (Outlook).
In another attack, the threat actor created a fake LinkedIn account for ‘Helen Cooper’, a senior researcher at the Hudson Institute, and sent email messages that contained either a malicious link or a malicious attachment. The latter is an uncommon tactic for the Charming Kitten group, the researchers noted.