Contents:
Charming Kitten, an Advanced Persistent Threat (APT) group believed to be Iran-based, is operational again and looking to get sensitive information as it impersonates U.K. academics focused on Middle Eastern affairs.
It is believed that the spear-phishing campaign began around January this year.
According to researchers at Proofpoint, this is one of the most sophisticated campaigns conducted by the ever-evolving APT Charming Kitten, also known as TA453, APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus.
The current operation includes impersonating British scholars working with the University of London’s School of Oriental and African Studies while engaging in conversations with victims and linking to the website of a legitimate, world-class, already compromised academic institution in order to collect credentials.
The security company had named the campaign Operation SpoofedScholars and has associated it with the Iranian government, with the purpose of what specialists think is cyber espionage.
The Proofpoint notes the TA453 cybercriminals engaged their victims in long email discussions using the hijacked professor’s name and a compromised email address.
When the threat actor saw the victim was interested in attending the online event, it set the hook by presenting the target with access to a fake registration page.
As per Proofpoint, cybercriminals use the names of individuals associated with the school to lend validity to their fraud and to help ask for conversations with targets.
This is a limited, “highly selective” campaign that, according to Proofpoint telemetry, is targeting fewer than 10 organizations.
These groupings consistently have information of interest to the Iranian government, including, but not limited to, information about foreign policy, insights into Iranian dissident movements and understanding of U.S. nuclear negotiations, and most of the identified targets have been previously targeted by TA453.
Charming Kitten APT Lured Its Victims With An Online Conference
The phishing campaign tried to tempt scholars to an online conference on “The US Security Challenges in the Middle East.”
During the investigation, the security firm witnessed the threat actors rapidly changed strategies as they realized some processes were not working to fool their targets.
In many cases, if a victim shows interest in the conference, the hacker confirms the time when the target wants to register and then sends the registration page link.
The researchers note the timing is vital because the APT threat actors have to be online at the same time to swipe the information.
As the report shows, the link leads to the “webinar control panel” at the University of London’s School of Oriental and African Studies, located on the compromised oasradio[.]org website.
The APT tries to uplift the login process credibility by letting the victim choose from several familiar login methods, including Google, Yahoo, Microsoft, iCloud, Outlook, AOL, mail.ru, Email, and Facebook credentials.
When a particular provider is clicked, a pop-up box displays the actual credential phishing box. Based on the variety of email providers along with TA453’s insistence that the target log on when TA453 was online, Proofpoint assesses that TA453 was planning on immediately validating the captured credentials manually.
Charming Kitten APT Track Record
The hacking group has a history of employing authentic online tools and websites to trick its victims into revealing information.
According to GovInfoSecurity, last year, the gang implemented a phishing campaign that used SMS and email messages to spread malicious links in an attempt to steal email credentials in the U.S., Europe, and the Persian Gulf region.
The victims were people working for think tanks and political research centers, university academics, journalists, and environmental activists.
In July 2020, they started a campaign that used LinkedIn and WhatsApp messages to reach U.S. government employees and Israeli academics to build trust and convince them to visit a phishing page.