The Iran-linked APT is targeting Israeli scholars & US Govt. employees in a credential-stealing effort.
The APT, known as Charming Kitten, is now back with a new approach: impersonating Persian-speaking journalists via WhatsApp & LinkedIn to con victims into opening malicious links. The targets are Israeli scholars from Haifa & Tel Aviv universities, & US Govt. employees, researchers suggested.
According to an analysis from Clearsky, the latest campaign was first observed in July. The attackers have been pretending to be known writers for Deutsche Welle and/or the Jewish Journal, & approach targets via email & via WhatsApp messages & calls.
To add credibility to their impersonations, the cyber-criminals also set up fake LinkedIn profiles corresponding to the journalists’ names & have been sending out LinkedIn messages to trap victims too.
The aim is to convince the target to click on a malicious link, which takes users to a phishing page in order to steal credentials.
“The malicious link is embedded in a legitimate, compromised Deutsche Welle domain, with waterhole methods,” according to a writeup from Clearsky, issued last week.
“Each victim receives a personalised link, tailored to their specific email account. We identified an attempt to send a malicious ZIP file to the victim as well, in addition to a message that was sent to the victim via a fake LinkedIn profile.”
This approach is a change from Charming Kitten’s usual methods, which tend to be emails & SMS.
“These 2 platforms enable the attacker to reach the victim easily, spending minimum time in creating the fictitious social-media profile,” says Clearsky. “However, in this campaign Charming Kitten has used a reliable, well-developed LinkedIn account to support their email spear-phishing attacks.
We also observed a willingness of the attackers to speak on the phone directly with the victim, using WhatsApp calls, & a legitimate German phone number. This tactic, technique & procedure (TTP) is uncommon & jeopardises the fake identity of the attackers.”
A fake LinkedIn page
To avoid possible language issues, Charming Kitten generally chooses to impersonate Persian (Farsi)-speaking journalists, to reduce detection through accent during the phone call. Clearsky researchers pointed out that quite a lot of Deutsche Welle reporters, for instance, are actually originally from Iran.
The recent campaign had a few different aspects, but email was the initial attack vector.
Some emails impersonated an Iranian Deutsche Welle journalist who speaks fluent Farsi with a local accent.
Others impersonated an Israeli scholar from Tel Aviv University, with emails inviting targets to a supposed Zoom meeting in Ivrit (Modern Hebrew). Yet others impersonated a reporter from the Jewish Journal asking the target to join a webinar on “citizenship & freedom of girls & women in Iran & its future.”
In all cases, the attackers attempt to get a conversation underway in order to create trust. For the ‘Jewish Journal webinar’, the attackers tried to tempt the victim by nominating them as its main speaker, “chosen from more than 100 participants.”
After conversations with the target, the attacker requests that they switch to WhatsApp for further conversation, says the analysis, & attempts to engage the target via multiple messages for up to 10 days.
“Charming Kitten sent multiple and repeating messages, sometimes in very short time, until the target responded,” researchers wrote. “The messages were sent from a German number (prefix +49) to create a sense of credibility, & the WhatsApp account bears the image of the journalist being impersonated.” If the victim is not willing to share a personal phone number, the attackers will send the person a message from the fake LinkedIn accounts.
These 2nd-stage messages contain malicious links that purport to lead to registration for various online calls or events.
The link will take users to a page where they can “activate their accounts” by signing up on the site “Akademie DW” (which is actually a phishing page). The malicious link pointing to this page was recently hosted on a legitimate Deutsche Welle domain (dw[.]de), the researchers observed.
“Each victim receives a personalised link for their own email address – the word ‘?id=’ followed by the word ‘SSH’ & 3 sets of letters & numbers,” according to the researchers.
On the phishing page, “If the victim enters their correct password, they are sent to a 2-factor authentication (2FA) page,” commented the researchers. “A wrong password produces an error message. The attackers will then pressure the victim to try again using their university email.”
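As an added example (not from the Clearsky report or this article), a small Python scanner that flags click or proxy log entries matching the personalised link described above: a dw.de host whose query string carries a token starting ‘?id=SSH’. The log-line format, the URL path and all sample values are constructed; the report does not publish the path or the exact token layout.

```python
import re
from urllib.parse import urlparse, parse_qs

# Host named in the Clearsky report as the legitimate domain that hosted the
# link. Path and exact token layout are not published, so only the host and
# the "?id=SSH..." prefix are matched here (assumption).
WATCHED_HOST = "dw.de"
# "SSH" followed by letters/digits; separators are allowed so the reported
# "3 sets of letters & numbers" are caught whatever divides them (assumption).
ID_PATTERN = re.compile(r"^SSH[A-Za-z0-9_-]+$")


def is_personalised_link(url: str) -> bool:
    """True when the URL is on dw.de (or a subdomain) and carries an id=SSH... token."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host != WATCHED_HOST and not host.endswith("." + WATCHED_HOST):
        return False
    return any(ID_PATTERN.match(v) for v in parse_qs(parsed.query).get("id", []))


def scan_click_log(lines):
    """Return (timestamp, user, url) for every line whose URL matches.

    Each line is expected as '<timestamp> <user> <url>' (constructed format).
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: skip rather than crash the scan
        ts, user, url = fields[0], fields[1], fields[2]
        if is_personalised_link(url):
            hits.append((ts, user, url))
    return hits


# Constructed sample log lines (not real traffic). Only the first one matches.
SAMPLE_LOG = [
    "2020-08-03T09:12:03Z alice https://www.dw.de/akademie/?id=SSHab12-cd34-ef56",
    "2020-08-03T09:13:44Z bob https://www.dw.de/en/top-stories/s-9097",
    "2020-08-03T09:15:10Z carol https://example.net/register?id=SSHab12cd34",
    "2020-08-03T09:16:30Z dave https://dw.de/page?id=42",
    "garbage",
]

if __name__ == "__main__":
    for hit in scan_click_log(SAMPLE_LOG):
        print("personalised phishing link:", *hit)
```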
The attackers also offer a direct phone call with the targets to help them with the process.
A Charming Kitten timeline
Charming Kitten, a.k.a. APT35 or Ajax, has been around since 2014. It is known for politically motivated & socially engineered attacks, & often uses phishing as an attack method.
Its primary targets are Iranian academic experts, human-rights activists, journalists, the Baha’i community, ambassadors & ex-employees of the US State Department, & COVID-19-related organisations such as Gilead & the World Health Organization.
This is only the latest campaign in which the group has impersonated journalists. In Feb., the group pretended to be from the Wall Street Journal, & was seen emailing a target to ask for an interview in an attempt to gain trust.