Targeted cyber attacks – especially those with a social or political focus – are becoming more and more common. These attacks are not always the state-sponsored, movie-quality hack that many of us associate with ‘big’ hacks.
Many times it comes down to just one weak link – one person who enters their credentials on a random page, trusts a little too much, installs that macro-enabled document or, in this case, believes that a hacker is actually a journalist.
An Iranian cyber espionage group that has been known under a number of names – APT35, Parastoo, NewsBeef, Newscaster and now Charming Kitten – has been in and out of the news regarding its attacks targeting and impersonating the government, defense technology, military and political sectors.
The most recent attacks involve the group impersonating journalists in an attempt to get targets to download and install malware via LinkedIn and WhatsApp.
“Starting July 2020, we have identified a new TTP of the group, impersonating ‘Deutsche Welle’ and the ‘Jewish Journal’ using emails alongside WhatsApp messages as their main platform to approach the target and convince them to open a malicious link.” – Israeli firm Clearsky
It has been reported that this is the first time that a threat actor used a watering hole attack through WhatsApp and LinkedIn which even included the hackers contacting the victims on the phone.
Clearsky alerted Deutsche Welle – one of the impersonated targets – who promptly confirmed that there was no interaction between the real journalist and the attacker.
“The reporter whom Charming Kitten impersonated did not send any emails to the victim nor any other academic researcher in Israel in the past few weeks.” – Deutsche Welle
The watering hole – a malicious link embedded in the compromised Deutsche Welle domain – provided the malware to the victim via WhatsApp with the perceived intentions of having the academics speak at an online webinar.
Charming Kitten: When and How
“The correspondence began with an email sent to the target, initiating a conversation,” Clearsky explained. “After a short conversation with the target, the Charming Kitten attacker requests to move the conversation to WhatsApp. If the target refuses to move to WhatsApp, the attacker will send a message via a fake LinkedIn profile.”
In at least one attack, the hacker actually called the victim to establish trust and walk them through the steps of how to connect to the webinar using the malicious link.
While this is a new ‘specific’ attack, the hacker group has previously been known to use social media as a way to spy.
In one scenario, the adversary even took the step of messaging and calling a victim to gain the target’s trust and subsequently walk the person through the steps of connecting to the webinar using the malicious link earlier shared in the chat.
Although APT35 may have picked up a new ruse, this is not the first time the Iranian hackers have used social media channels to spy on personnel of interest.
“In this campaign, we observed a willingness of the attackers to speak on the phone directly with the victim, using WhatsApp calls, and a legitimate German phone number. This TTP is uncommon and jeopardizes the fake identity of the attackers.” – Clearsky
See the full report from ClearSky Cyber Security below.