After a few months of operating under the radar, the Iranian APT group dubbed Charming Kitten has again had its repurposed modus operandi unraveled by cybersecurity experts. The group typically conducts cyber espionage against victims in the United States, Israel, and other countries, usually prominent people such as activists, entrepreneurs, and government and military officials. Known since 2017, the group has now been exposed as once again impersonating journalists, posing as prominent news personnel from ‘Deutsche Welle’ and the ‘Jewish Journal.’ Taking a more aggressive approach toward its victims, it now also uses social media platforms such as LinkedIn and WhatsApp to deliver its malware to the targeted individual and, through that individual, to reach the company network.
According to the malware analysis report, the adversaries begin by sending email invites in which they impersonate high-profile personnel from Deutsche Welle and/or the Jewish Journal. A sample of the intercepted evidence shows the adversaries reaching out to their target and inviting them to be a speaker at an upcoming talk event sponsored by the news company. Once the victim replies by email, they push to continue the conversation over WhatsApp or, if that is not possible, through fake LinkedIn profiles, where they send the invite link or pertinent documents about the sponsored event. Unknown to the victim, the link or the documents contain malware that, once the device is compromised, can extract information such as contacts, emails, messages, credentials, and app information. From that single infection, the attackers can then work their way into the company's network infrastructure. As part of this more aggressive approach, the Charming Kitten group has also been observed trying to call victims from a German number to add legitimacy to its activities, speaking with a neutral Middle Eastern accent to be more convincing.
This type of social engineering over social media platforms is now being exploited by many adversaries, not only by the Charming Kitten group. The same modus operandi has also been observed in use by other APT groups, such as Lazarus, to establish a connection with the victim.
Cybersecurity experts have always been keen to remind the whole cyber community to be more vigilant and to stay aware of the different vectors adversaries use to bait their victims. These reminders help ensure that we stay attentive and scrutinize everything that comes from the internet before we put our trust in it. A lack of caution may pave the way for threat actors to inflict damage not only on us personally but also on everyone connected to us, such as our family, our peers, and the company we are affiliated with.