Adorable Kitten Keeps the Middle East at Bay: BASICSTAR Spy Backdoor in Action

Charming Kitten group hunts down the secrets of political experts: how do fake webinars help?

The Middle East has been hit by a new wave of cyberattacks organized by the Iranian hacker group Charming Kitten, also known as APT35, CharmingCypress and Mint Sandstorm. The hackers are using a new malicious backdoor called BASICSTAR to attack political experts.

The group created a fake webinar portal, ostensibly belonging to the Rasan International Institute of Iranian Studies. This made it possible to establish contact and gain the trust of the victims. Targeted specialists started receiving emails with invitations to online conferences on topics of interest to them.

The emails carried malicious attachments which, when opened, installed BASICSTAR and other programs on the computer. The backdoor was distributed as RAR archives containing LNK files.

Basically, BASICSTAR is a malicious Visual Basic Script. It can collect basic system information, execute malicious commands remotely, and download files. Once installed, it displays a fake PDF to the victim so as not to arouse suspicion.
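The two paragraphs above describe a RAR archive carrying an LNK shortcut that installs a VBScript backdoor and then opens a decoy PDF. As an added example (written for this page, not Volexity's code), the mail-gateway triage below flags attachments matching that chain; the attachment records are constructed samples, not real indicators.

```python
"""Attachment triage for the RAR -> LNK -> VBScript chain described above.
Example code for this page; sample records are constructed, not real IoCs."""
from dataclasses import dataclass

# Extensions that should never appear inside an archive sent as a "webinar
# invitation"; LNK shortcuts are the stage the article names explicitly.
SHORTCUT_EXTS = {".lnk"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".wsf"}
DOC_EXTS = {".pdf", ".doc", ".docx"}

@dataclass
class Attachment:
    filename: str          # name of the file attached to the e-mail
    members: tuple = ()    # names of files inside the archive, if any

def _ext(name: str) -> str:
    dot = name.lower().rfind(".")
    return name.lower()[dot:] if dot != -1 else ""

def triage(att: Attachment) -> list:
    """Return the reasons an attachment matches the described delivery chain."""
    reasons = []
    if _ext(att.filename) in {".rar", ".zip", ".7z"}:
        for m in att.members:
            e = _ext(m)
            stem = m.lower()[: -len(e)] if e else m.lower()
            if e in SHORTCUT_EXTS:
                reasons.append(f"archive contains shortcut: {m}")
                # e.g. invitation.pdf.lnk: a shortcut dressed up as a document
                if _ext(stem) in DOC_EXTS:
                    reasons.append(f"shortcut masquerades as document: {m}")
            elif e in SCRIPT_EXTS:
                reasons.append(f"archive contains script: {m}")
    elif _ext(att.filename) in SHORTCUT_EXTS | SCRIPT_EXTS:
        reasons.append(f"bare shortcut/script attachment: {att.filename}")
    return reasons

def quarantine_set(attachments) -> list:
    """Filenames that should be held for analyst review."""
    return [a.filename for a in attachments if triage(a)]

# Constructed sample mailbox traffic (not real indicators).
SAMPLE = [
    Attachment("Webinar_Agenda.rar", ("Webinar_Agenda.pdf.lnk",)),
    Attachment("speakers.zip", ("speakers.pdf", "bio.docx")),
    Attachment("invite.rar", ("invite.pdf", "update.vbs")),
    Attachment("programme.pdf"),
]
```

Running `quarantine_set(SAMPLE)` holds the two archives that hide a shortcut or a script while letting the plain document and the clean archive through.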

Hackers used BASICSTAR as their primary tool. In addition, depending on the target's operating system, they used additional malware: POWERLESS for Windows and NokNok for macOS.

Experts note that Charming Kitten has recently been very active and is constantly improving its attack methods. The group carefully examines its victims to choose the most effective strategy.

"The CharmingCypress group often uses unusual social engineering tactics, for example, involving victims in a lengthy email conversation before sending links with malicious content," Volexity researchers note.

Charming Kitten is believed to be associated with the Islamic Revolutionary Guard Corps and to conduct cyber operations in its interests. In the past, the group has launched campaigns against think tanks, NGOs, and journalists in the region.

In the latest attacks, the attackers used compromised accounts of people the victims know personally. Several fake mailboxes were also created. Some victims were convinced that they were receiving emails from their friends or colleagues. Experts call this tactic Multi-Person Impersonation (MPI).

In addition, the Charming Kitten group has registered many fake, supposedly legitimate IT companies in Iran. These companies develop cyber espionage and surveillance tools while concealing their direct links with government agencies.