A range of political and civil society targets are under fire in an APT attack dubbed the Return of Charming Kitten. The campaign has been tailored to get around two-factor authentication in order to compromise email accounts and start monitoring communications.
According to researchers at Certfa, Iranian state-backed hackers have mounted a spear-phishing campaign aimed at infiltrating the email accounts of politicians involved in economic and military sanctions against Iran, along with various journalists and human rights activists.
The attackers compromise targets through email, social media and messaging communications, with the goal of ongoing surveillance, according to Certfa. The main tactic is sending fake alerts from legitimate-sounding email addresses such as notifications.mailservices@gmail[.]com, noreply.customermails@gmail[.]com and customer[.]email-delivery[.]info, claiming that unauthorized individuals have tried to access the target's account and urging the target to “log in” to “immediately review and restrict suspicious accesses.”
The attackers use Google Sites to build the phishing page, researchers said, which lets them show a fake but very convincing Google Drive page that even has google.com in the browser's address bar.
“By creating websites with the same design and look of Google Drive file sharing page, hackers pretend to be sharing a file with the user, which they should download and run on their devices,” researchers said in a posting last week. “They use hacked Twitter, Facebook and Telegram accounts to send these links and target new users. The truth is there is not any file and the hackers use this page to direct their targets to the fake Google login page.”
Thwarting Two-Factor Authentication
On the fake page, users are asked to enter their credentials, which the attackers verify in real time. A hidden tracking image embedded in the body of the phishing email notifies the attackers when a target opens it.
“This trick helps the hackers to act immediately after the target opens the email and clicks on the phishing link,” Certfa researchers explained. including two-factor authentication.”
As the victim enters his or her user name and password into the fake log-in page, the attackers enter those same credentials into a real login page. If the accounts are protected by two-factor authentication, the attackers redirect targets to a new page where they can enter the one-time password.
“In other words, they check victims’ usernames and passwords in real time on their own servers, and even if two-factor authentication such as text message, authenticator app or one-tap login are enabled they can trick targets and steal that information too,” Certfa Lab researchers said.
This is not a one-size-fits-all campaign, and the attackers are employing advanced social-engineering techniques to improve their success rate.
“The hackers have collected information on their targets prior to the phishing attack,” researchers explained. “The hackers design specific plans for each target based on the level of targets’ cyber-knowledge, their contacts, activities, working time and their geographic situation.”
Interestingly, the hackers use an image, instead of text, in the body of their phishing emails, to bypass Google’s security and anti-phishing system.
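The traits described above (an alert-style message whose body is an image rather than text, a hidden remote tracking image, a freemail sender posing as a service notification, and a link to a Google Sites page posing as a Drive share) are the kind of thing a mail gateway or SOC triage script can score. The following is an added example, not code from the article or from Certfa; the host list, sender-word list, thresholds and both sample messages are assumptions constructed for the demo.

```python
"""Added example (not from the article or Certfa): phishing-trait heuristics
over raw RFC 822 messages, using only the standard library."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this demo: link hosts that are unusual inside a login alert,
# sender local-part words that imitate a service account, and freemail domains.
SUSPECT_LINK_HOSTS = {"sites.google.com"}
SERVICE_WORDS = ("noreply", "notification", "mailservice", "customer", "delivery")
FREEMAIL_DOMAINS = {"gmail.com"}
ALERT_WORDS = ("suspicious", "unauthorized", "unauthorised", "review", "restrict")
MIN_TEXT_CHARS = 40  # an HTML body with an image and less text than this is "image-only"


class _BodyParser(HTMLParser):
    """Collects visible text length, <img> attributes and <a href> targets."""

    def __init__(self):
        super().__init__()
        self.text_chars = 0
        self.images = []
        self.links = []
        self._skip = False  # True while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "style"):
            self._skip = True
        elif tag == "img":
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.text_chars += len(data.strip())


def is_tracking_pixel(img):
    """A remote image that is 1x1/0x0 or hidden acts as a read receipt for the sender."""
    src = img.get("src", "").lower()
    if not src.startswith(("http://", "https://")):
        return False
    w, h = img.get("width", "").strip(), img.get("height", "").strip()
    style = img.get("style", "").replace(" ", "").lower()
    tiny = w in ("0", "1") and h in ("0", "1")
    hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or hidden


def analyze(raw_message: bytes) -> dict:
    """Return the findings for one message and a simple count-based score."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    subject = str(msg.get("subject", "")).lower()
    if any(w in subject for w in ALERT_WORDS):
        findings.append("alert_style_subject")

    _, addr = parseaddr(str(msg.get("from", "")))
    local, _, domain = addr.lower().rpartition("@")
    if domain in FREEMAIL_DOMAINS and any(w in local for w in SERVICE_WORDS):
        findings.append("freemail_sender_posing_as_service")

    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        p = _BodyParser()
        p.feed(html_part.get_content())
        pixels = [i for i in p.images if is_tracking_pixel(i)]
        visible = [i for i in p.images if i not in pixels]
        if pixels:
            findings.append("tracking_pixel")
        if visible and p.text_chars < MIN_TEXT_CHARS:
            findings.append("image_only_body")
        if any(urlparse(h).hostname in SUSPECT_LINK_HOSTS for h in p.links):
            findings.append("link_to_suspect_host")

    return {"findings": findings, "score": len(findings)}


# Constructed sample: an alert-style lure with an image body, a 1x1 remote
# tracking image and a link to a Google Sites page (path is a placeholder).
SAMPLE_PHISH = b"""From: Mail Services <notifications.mailservices@gmail.com>
To: target@example.org
Subject: Alert: suspicious sign-in attempt, review and restrict access
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<a href="https://sites.google.com/view/constructed-share-page">
<img src="https://img.example.net/alert-body.png" width="600" height="420"></a>
<img src="https://img.example.net/open.gif?id=demo" width="1" height="1">
</body></html>
"""

# Constructed sample: an ordinary internal message with a text body.
SAMPLE_BENIGN = b"""From: Colleague <colleague@example.org>
To: target@example.org
Subject: Notes from this morning
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Hi, attached are the notes we discussed this morning.
Let me know if I missed anything.</p>
<a href="https://intranet.example.org/notes/123">Notes</a></body></html>
"""
```

Running `analyze(SAMPLE_PHISH)` yields all five findings (score 5) while `analyze(SAMPLE_BENIGN)` yields none; in practice the score would be one input to a gateway policy rather than a verdict on its own, and the image-only check is the one that catches lures built specifically to defeat text-based filters.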
Once in possession of the target’s credentials, the hackers monitor the victims’ communications via their email in real time. They also don’t change the passwords of their victims’ accounts, in an effort to remain undetected.
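Because the attackers complete a genuine login with the relayed credentials and one-time code, then keep reading mail without changing the password, the victim's own sessions continue alongside the intruder's. That pattern is visible in sign-in audit data: a successful, MFA-satisfied login from an address the account has never used, followed by mail access from that address and from the user's usual address in the same window. The following is an added example, not code from the article or from Certfa; the key=value log format, the baseline and window sizes and all records are assumptions constructed for the demo.

```python
"""Added example (not from the article or Certfa): baseline check over
constructed sign-in audit records for the relayed-login pattern."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: a login IP counts as "known" once it appears in a successful
# login at least BASELINE_AGE earlier; concurrent access is judged inside
# OVERLAP_WINDOW after the suspicious login.
BASELINE_AGE = timedelta(days=1)
OVERLAP_WINDOW = timedelta(hours=2)

# Constructed audit log in a hypothetical key=value format (not any real product's schema).
# sara: relayed login from a new address, then mail reads from both addresses.
# bob: no history at all, so no baseline to compare against.
# carol: new address, but no activity from the old one in the window (e.g. travelling).
AUDIT_LOG = """\
2018-10-01T08:55:10Z user=sara@example.org event=login result=success ip=198.51.100.20 mfa=totp
2018-10-02T09:01:44Z user=sara@example.org event=login result=success ip=198.51.100.20 mfa=totp
2018-10-01T07:30:00Z user=carol@example.org event=login result=success ip=192.0.2.50 mfa=totp
2018-10-04T10:17:02Z user=sara@example.org event=login result=success ip=203.0.113.77 mfa=totp
2018-10-04T10:18:30Z user=sara@example.org event=mail_read ip=203.0.113.77
2018-10-04T10:20:05Z user=sara@example.org event=mail_read ip=198.51.100.20
2018-10-04T11:40:12Z user=sara@example.org event=mail_read ip=203.0.113.77
2018-10-04T12:05:00Z user=bob@example.org event=login result=success ip=192.0.2.9 mfa=totp
2018-10-04T12:06:11Z user=bob@example.org event=mail_read ip=192.0.2.9
2018-10-04T13:00:00Z user=carol@example.org event=login result=success ip=198.51.100.200 mfa=totp
2018-10-04T13:02:40Z user=carol@example.org event=mail_read ip=198.51.100.200
"""


def parse(log_text):
    """Turn each line into a dict; the leading token is the UTC timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def _is_success_login(e):
    return e.get("event") == "login" and e.get("result") == "success"


def detect(log_text):
    """Return alerts for successful logins from unseen addresses and, where the
    user's known address is active at the same time, a concurrent-access alert."""
    by_user = defaultdict(list)
    for e in parse(log_text):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, e in enumerate(evs):
            if not _is_success_login(e):
                continue
            baseline = {p["ip"] for p in evs[:i]
                        if _is_success_login(p) and e["time"] - p["time"] >= BASELINE_AGE}
            if not baseline or e["ip"] in baseline:
                continue  # no history to compare against, or a known address
            reason = "new_ip_mfa_login" if e.get("mfa") else "new_ip_login"
            alerts.append({"user": user, "ip": e["ip"], "time": e["time"], "reason": reason})

            window = [a for a in evs if e["time"] <= a["time"] <= e["time"] + OVERLAP_WINDOW]
            new_ip_active = any(a["ip"] == e["ip"] and a["event"] != "login" for a in window)
            known_ip_active = any(a["ip"] in baseline for a in window)
            if new_ip_active and known_ip_active:
                alerts.append({"user": user, "ip": e["ip"], "time": e["time"],
                               "reason": "concurrent_access_from_new_ip"})
    return alerts


if __name__ == "__main__":
    for a in detect(AUDIT_LOG):
        print(a["time"].isoformat(), a["user"], a["ip"], a["reason"])
```

On the constructed log this raises three alerts: two for sara (the new-address MFA login and the concurrent access that follows it), one lower-priority new-address alert for carol, and nothing for bob. The concurrent-access signal is the one that distinguishes a relayed login from a user who has simply moved, and it only exists because the intruder leaves the victim's password, and therefore the victim's own sessions, untouched.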
Iranian APT Attribution
The campaign was first detected in early October 2018, targeting a U.S. financial institution before widening its net to political and civil society targets. The investigation into that incident uncovered that the campaign was associated with a domain that has been linked before to a group of hackers dubbed Charming Kitten by ClearSky Cyber Security, who researchers believe are supported by the Iranian government, with close ties with the Islamic Revolutionary Guard Corps (IRGC).
According to a December 2017 ClearSky report, Charming Kitten has been operating since approximately 2014 and has built a “vast espionage apparatus” consisting of at least 85 IP addresses, 240 malicious domains, hundreds of hosts and multiple fake entities. The group is capable of company impersonation, spear phishing and watering-hole attacks. They also employ a range of custom malware (and seem to share resources at times with other Iranian APT groups, such as APT33). Over the years, thousands of individuals have been targeted.
Aside from the domain found in the October campaign, other aspects pointing the Certfa team to the Charming Kitten attribution include the timing and targeting of the attacks.
“Phishing attacks are the most popular method of stealing data and hacking accounts amongst Iranian hackers, but the most significant fact about this campaign is its timing,” the researchers said. “This campaign launched weeks before 4 November 2018, which is when the U.S. imposed new sanctions on Iran.”
Also, the campaign is bent on infiltrating the accounts of non-Iranian political figures and authorities who work on economic and military sanctions against Iran.
“Hackers who are supported by the Iranian government pick their targets according to policies and international interests for the Iranian government and also where Iran wants to have impact indirectly,” said the research team.