The Return of The Charming Kitten
(Dec 13, 2018)
Researchers from Certfa have observed the Advanced Persistent Threat (APT) group "Charming Kitten" is active again and conducting spear phishing attacks against targets who are from countries associated with the most recent sanctions placed upon Iran. In October 2018, the APT group was reported to have been observed attacking US financial institution infrastructure, potentially as a reaction to the sanctions placed against Iran. In November 2018, the domain "accounts[-]support[.]services," believed to be associated to Charming Kitten, was found to be used to target human and civil rights activists, political figures as well as Iranian and Western journalists in phishing attacks. The APT group initiates contact via email or social media, or via compromised accounts of known public figures, and notifies their targets with fake alerts of unauthorised users attempting to access their accounts. This alert then prompts the user to enter their username and password credentials to "secure" their account on a fake Google login page, which then gives the APT group access to those credentials.
Recommendation: Defence-in-depth (layering of security mechanisms, redundancy, fail-safe defence processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.