In July 2020 the Israeli firm Clearsky Security identified a new TTP of the group (Charming Kitten): impersonating ‘Deutsche Welle’ and the ‘Jewish Journal’, using emails alongside WhatsApp messages as the main platform to approach the target and convince them to open a malicious link.
According to the Clearsky Security researchers, the Iran-linked “Charming Kitten” APT group is using WhatsApp and LinkedIn to conduct spear-phishing attacks targeting the government, defense technology, military, and diplomacy sectors.
The Iranian hackers continue to target private and government institutions, think tanks, academic institutions, organizations with ties to the Baha’i community, and many others in European countries, the United States, the United Kingdom, and Saudi Arabia.
Earlier, “Charming Kitten” (also known as APT35, Parastoo, NewsBeef, and Newscaster) was also linked to a series of covert campaigns aimed at stealing sensitive information from human rights activists, academic researchers, and media outlets.
The watering hole, in this case a malicious link embedded in the compromised Deutsche Welle domain, delivered the info-stealer malware via WhatsApp, but only after the victims had first been approached with tried-and-tested social engineering methods intended to lure the academics into speaking at an online webinar.
“The correspondence began with an email sent to the target, initiating a conversation,” Clearsky explained. “After a short conversation with the target, the ‘Charming Kitten’ attacker requests to move the conversation to WhatsApp. If the target refuses to move to WhatsApp, the attacker will send a message via a fake LinkedIn profile.”
The recently discovered phishing attacks by “Charming Kitten” are in line with the group’s previous activities, which included using Google Sites for phishing. Certfa speculates that the APT group is developing a series of malware for its future phishing campaigns.