skip to Main Content

Cyber Espionage, Charming Kitten hackers renewed their TTPs

Clearsky cyber security experts: Charming Kitten hackers renewed their TTPs. The Iranian APT started impersonating “Deutsche Welle” and the “Jewish Journal” using emails alongside WhatsApp messages and LinkedIn profiles

Iranian hackers Charming Kitten have renewed their TTPs to attack and spy their victims. It has been discovered by Clearsky cyber security experts. One of the APT’s (aka APT35, Phosphorus, Ajax Security and NewsBeef) most common attack vectors is impersonating journalists, particularly those from the German “Deutsche Welle” and the “Jewish Journal”. Starting July 2020 the cyber spies started impersonating “Deutsche Welle” and the “Jewish Journal” using emails alongside WhatsApp messages as their main platform. This to approach the targets and convince them to open a malicious link. To gain the victim’s trust and ensure the opening of the link, the attackers use fake LinkedIn profiles as well. This is the first time researchers identified an attack by Charming Kitten conducted through WhatsApp and LinkedIn, including attempts to conduct phone call between the victim and the Iranian hackers. Charming Kitten chooses to impersonate Persian speaking journalists, to neutralize detection through accent while having the phone call.

The cyber security experts: How the new APT TTP’s work

According the cyber security experts, the malicious link is embedded in a legitimate, compromised “Deutsche Welle” domain, with Waterhole methods. Each victim receives from Charming Kitten a personalized link, tailored to their specific email account. Researchers identified an attempt to send a malicious ZIP file to the victim as well, additional to a message that was sent to the victim via a fake LinkedIn profile. So, they assess that in some cases, the Iranian APT would try to infect the victim with malware instead of stealing its credentials. It should be noted that this attack vector is unique to Charming Kitten, but it has not the only attack vector that has been used in recent months by this threat actor.

Back To Top