Charming Kitten, an Iranian cyberespionage group known for attacking the government, defense technology, military, and statesmanship sectors, has recently been posing as journalists to approach targets through LinkedIn and WhatsApp messages, which it uses to deploy malware and infect targets’ devices.
Security researchers have detected this malware and written several reports on the Iranian APT group “Charming Kitten.” Currently, one of the group’s most popular attack vectors is impersonating journalists, especially those from the German “Deutsche Welle” advertising company and the “Jewish Journal” magazine.
Deploying Malware via WhatsApp and LinkedIn
Experts have identified an increase in the use of WhatsApp and LinkedIn as channels of interaction between threat actors and victims. Over the last three years, Charming Kitten has run its campaigns mainly through email and SMS.
These two platforms allow the attacker to reach the victim while spending minimal time building a fictitious social media profile. In this campaign, however, Charming Kitten used a strong, well-developed LinkedIn account to support its email spear-phishing attacks.
Charming Kitten is not the only threat actor to have used WhatsApp phone calls in recent months. The Lazarus hacker group (North Korea) also used the same method to gain the victim’s trust.
According to the report, “Charming Kitten sent multiple and repeating messages, sometimes in very short time, until the target responded. The messages were sent from a German number (prefix +49) to create a sense of credibility, and the WhatsApp account bears the image of the journalist being impersonated. Unlike other groups, Charming Kitten chooses to impersonate Persian-speaking journalists, to neutralize detection through the accent.”
Timeline of Their Operations In The Past Three Years
The image below shows the timeline of their operations.
Data Requested From Victims by Charming Kitten Operators
The operators of Charming Kitten introduce themselves as journalists and ask the victim whether they want to participate in a webinar about Iran and other subjects of interest to the target. In exchange, the threat actors request that the victims reply with the details listed below:
- A full list of other members
- Proper date and time for the webinar
- Every detail about the payment for attending the webinar.
Threat Actors Used Social Engineering Methods
The threat actors used social engineering methods that fall into three stages:
- First Stage – Approaching the victim by email.
- Second Stage – WhatsApp and LinkedIn.
- Third Stage – Approving attendance at the webinar.
The threat actors made two types of compromise attempts against the victims:
- An email message along with a malicious link.
- An email message along with a malicious file attached.
The threat actors sent messages to the victims repeatedly for ten days, urging them to take a direct phone call, and then tried to lure the victims into activating their accounts on the site “Akademie DW.” The methods used by Charming Kitten were not new, as similar methods are being used in North Korea as well.