# The Kittens Are Back in Town ## Charming Kitten Campaign Against Academic Researchers ### September 2019 #### TLP:WHITE ###### 2019 All rights reserved to ClearSky Security Ltd . ----- #### Table of Content Summary ................................................................................................................................................ 3 Emails sent to victims ........................................................................................................................... 4 First set of Emails ................................................................................................................................... 4 Second set of Emails ............................................................................................................................. 6 Attack Infrastructure: C2 Servers, Domains and Attribution ............................................................. 9 Indicators ............................................................................................................................................. 15 © 2019 All rights reserved to ClearSky Security Ltd. TLP: AMBER - The content of the document is solely for internal use. Distributing the report outside of recipient organization is not permitted. ----- ##### Summary Charming Kitten, also known as APT35 or Ajax, is an Iranian cyberespionage group active since 2014[1]. Their primary targets are Iranian experts working in the Academy, human rights activists and media personnel. Most victims are in the Middle East, US and the UK. Below here is a key event timeline: - **In 2015 ClearSky discovered the first wave of phishing attacks and issued a report reviewing** their activity named "Thamar reservoir"[2]. - **In 2017 ClearSky exposed a vast espionage operation, active from 2016 to 2017, against the** aforementioned sectors. Our report uncovered incidents of corporate impersonation, fake organizations and individuals, spear phishing and watering hole attacks. - **In 2018, Charming Kitten attempted to attack ClearSky and our customers directly via a** fraudulent website impersonating the ClearSky portal[3]. Later that year we also identified new wave of attacks against researchers in the Middle East, using fake emails and look-alike websites. - **In 2019 ClearSky observed a sharp increase in Charming Kitten attacks. It appears that group** has initiated a new cyber espionage campaign comprised of two stages, pointing at two different targets: `o` Non-Iranian Researchers from the US, Middle East and France, focusing on academic research of Iran. `o` Iranian dissidents in the US. Despite the considerable unrest in the Iranian cyber sphere, it appears that similarly to the MuddyWater APT, Charming Kitten were unaffected[4]. In August, the campaign has progressed, and unlike July, it seems like the APT group is now expanding its activities toward influential public figures around the world, rather than academic researchers an state organizations. Additionally, in August 2019, we found that the group had begun adding a tracker to their email correspondences, enabling them to follow an email message forwarded to additional accounts and obtain geolocation information. 1 [https://attack.mitre.org/groups/G0058/](https://attack.mitre.org/groups/G0058/) 2 clearskysec.com/thamar-reservoir/thamar-reservoir-public/ 3 [https://www.bleepingcomputer.com/news/security/iranian-apt-poses-as-israeli-cyber-security-firm-that-](https://www.bleepingcomputer.com/news/security/iranian-apt-poses-as-israeli-cyber-security-firm-that-exposed-its-operations/) [exposed-its-operations/](https://www.bleepingcomputer.com/news/security/iranian-apt-poses-as-israeli-cyber-security-firm-that-exposed-its-operations/) 4 [https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-](https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf) [%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf](https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf) © 2019 All rights reserved to ClearSky Security Ltd. TLP: AMBER - The content of the document is solely for internal use. Distributing the report outside of recipient organization is not permitted. ----- ##### Attack Vector 1. The first stage is sending an email message leveraging social engineering methods. The hacker impersonates a well-known researcher or journalist and invites the recipients to an event allegedly organized by the impersonated subject. Note that in certain cases, the hackers use their targets’ language. 2. The second stage includes a decoy website impersonating various Google services such as Gmail or Google Drive, to which the victim is redirected from the phishing email. This vector was observed in prior campaigns as well. Please note that in late March 2019, Microsoft filed an official complaint against the group for “establishing an internet-based cyber theft operation referred to as 'Phosphorus'.".[5] 3. Moreover, we identified a new vector of phishing websites that is used by this group – impersonating the Instagram official website. This is the first time we observed an attempt to extract credentials of non-google services. ##### Emails sent to victims Analyzing this campaign, we identified two attack scenarios. Based on our investigation, Charming Kitten tried to carry out both of the attack scenarios against the same victims. Note however that in most cases, the attack begun with the first scenario. ###### First set of Emails While impersonating to research institution, the attackers try to contact the victims privately and encourage them to review their resume (CV). In order to do so, linked within the email is a unique URL address for the fake website (Please notice the spelling and grammatical error, most notably the mispronunciation of the Sender name. Instead of Andrea, as written in the email address, the attacker mistakenly wrote Andera): As this link is not malicious, we believe that it is currently used only as the first stage in the attack gaining the trust of the victims. The website contains the exact page from the original website on which it is based, with one single change – the sender’s email address embedded within the website content. 5 [https://noticeofpleadings.com/phosphorus/files/Complaint.pdf](https://noticeofpleadings.com/phosphorus/files/Complaint.pdf) © 2019 All rights reserved to ClearSky Security Ltd. TLP: AMBER - The content of the document is solely for internal use. Distributing the report outside of recipient organization is not permitted. ----- Same as the original website, the email is embedded in the webpage content with a javascript code encoded in decimal. The attackers changed the last 22 numbers – from isis-online[.]org to the fake email address isis-online[.]net, as seen below: The Fake email code in decimal as presented in the source code of the impersonating website: ['>','a','/','<',' 114',' 101',' 107',' 99',' 105',' 114',' 116',' 83',' 32',' 97',' 101',' 114',' 100',' 110',' 65','>','\"',' 116',' 101',' 110',' 46',' 101',' 110',' 105',' 108',' 110',' 111',' 45',' 115',' 105',' 115',' 105',' 64',' 114',' 101',' 107',' 99',' 105',' 114',' 116',' 115',':','o','t','l','i','a','m','\"','=','f','e','r','h','a ','<'] © 2019 All rights reserved to ClearSky Security Ltd. TLP: AMBER - The content of the document is solely for internal use. Distributing the report outside of recipient organization is not permitted. ----- ###### Second set of Emails In this scenario, the attackers impersonate a known journalist. Unlike the first format, the latter does not contain any link to a fake website. The attacker offers the victim to participate in an online meeting about Iran and other subjects of interest for the target (e.g. recent discourse between Iran and the US). After presenting himself and the subject of the meeting, the attacker would ask whether the victim is interested in participating. If so, they are requested to replay in order to receive the following details: 1. A list of the other participants. 2. Date and time for the meeting. 3. Details regarding the method of payment. We identified on the website URLScan a few scans of a link from the website of Deutcshe Welle, a Germany-based international news portal. As presented in the following image, the victims were redirected to the website from malicious domains of the group (which can be found on the ClearSky Twitter account[6]). One of the domains is dw[.]de – a decoy domain which was mentioned in the previous email. 6 [https://twitter.com/clearskysec/status/1006445262003494913](https://twitter.com/clearskysec/status/1006445262003494913) © 2019 All rights reserved to ClearSky Security Ltd. TLP: AMBER - The content of the document is solely for internal use. Distributing the report outside of recipient organization is not permitted. ----- This link was scanned via URLScan by an anonymous user less than a month days ago, which might reveal another attack by Charming Kitten[7]. A second wave of attacks using the same vector took place in August. The attackers sent multiple email messages in a single night to multiple potential victims, impersonating a woman called Samantha Vinograd from who works at CNN. Similarly to the previous attack wave, the email message distributed to the victims contained multiple spelling mistakes, especially in the names of the reporters the attackers impersonated. For example, in the email address used to send the decoy emails is the last name of the reporter is misspelled. Below here is the phishing email’s content: *Hello ** * *I'm Samantha Vinograd, CNN national security analyst**.* *CNN News intends to interview some of Israel's successful figures abroad and broadcast it as a documentary. We have interviewed some of the leading Israeli figures in the US, Europe and other countries and are very eager to meet you.* *Your humanitarian and political activities have determined us to produce a short documentary of your life and your family.* *You can specify the time and place of the first meeting for the documentary pre-production stage.* - Please advise me of any special mobility or dietary requirements you may have. I hope you are able to accept this invitation and I look forward to hearing from you.* *Samantha Vinograd* *CNN National Security Analyst *, *Author of @CNN Presidential Weekly Briefing* An analysis of the email’s headers reveals that the attackers planted an email tracker within the message. The tracker can be seen below: The tracker is used by the attackers to check whether the message is forwarded to additional recipients, and to obtain the geolocation and IP address of the victim. Data is collected via a cookie that is installed on the victim machine in the following route: 7 [https://urlscan.io/result/12cbdac3-8a98-4dd3-9158-7c875d8db71e/](https://urlscan.io/result/12cbdac3-8a98-4dd3-9158-7c875d8db71e/) © 2019 All rights reserved to ClearSky Security Ltd. TLP: AMBER - The content of the document is solely for internal use. Distributing the report outside of recipient organization is not permitted. ----- C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@gnldr[$].txt Below here is the content of the cookie: To further disguise the malicious nature of the message, the attackers appended the CNN logo: © 2019 All rights reserved to ClearSky Security Ltd. TLP: AMBER - The content of the document is solely for internal use. Distributing the report outside of recipient organization is not permitted. ----- ##### Attack Infrastructure: C&C Servers, Domains and Attribution We Identified more than six unique servers hosting the fake Charming Kitten websites. Of which, four impersonate entities as part of the first stage, while the other two host servers impersonating Google services. We asses that these are likely to be used as in second stage of the attack – data theft. **Server** **Domain point to the IP** **Impersonation subject** 185.141.63[.]8 Skynevvs[.]com Sky News Skynews.com 185.141.63[.]135 Leslettrespersanes[.]net Les lettres persanes (Iranian news website in Inztaqram[.]ga French) leslettrespersanes.fr Instagram 185.141.63[.]156 Islamicemojimaker[.]com NIAC (National Iranian American Council)[8] niaconucil[.]org niacouncil.org 185.141.63[.]157 google.drive-accounts[.]com Google drive drive-accounts[.]com drive.google.com 185.141.63[.]160 unirsd[.]com UNRISD (United Nation Research Institute for Social Development) unrisd.org 185.141.63[.]161 acconut-verify[.]com Google Account Verification 185.141.63[.]162 isis-online[.]net ISIS (Institute for Science and International Security) isis-online.org 185.141.63[.]170 accounts-drive[.]com Google drive w3-schools[.]org W3Schools w3schools.com 185.141.63[.]172 Seisolarpros[.]org SEI Professional Services seisolarpros.com After a month of campaign operations, The attackers switched the servers used to store the email addresses, containing thousands of addresses. 8 Please note that in recent days, many Iranian citizens protested in front the office of the National Iranian American Council. They protested against the organization, claiming that it is does not represent the Iranian community in the US. © 2019 All rights reserved to ClearSky Security Ltd. TLP: AMBER - The content of the document is solely for internal use. Distributing the report outside of recipient organization is not permitted. |Server|Domain point to the IP|Impersonation subject| |---|---|---| |185.141.63[.]8|Skynevvs[.]com|Sky News Skynews.com| |185.141.63[.]135|Leslettrespersanes[.]net Inztaqram[.]ga|Les lettres persanes (Iranian news website in French) leslettrespersanes.fr Instagram| |185.141.63[.]156|Islamicemojimaker[.]com niaconucil[.]org|NIAC (National Iranian American Council)8 niacouncil.org| |185.141.63[.]157|google.drive-accounts[.]com drive-accounts[.]com|Google drive drive.google.com| |185.141.63[.]160|unirsd[.]com|UNRISD (United Nation Research Institute for Social Development) unrisd.org| |185.141.63[.]161|acconut-verify[.]com|Google Account Verification| |185.141.63[.]162|isis-online[.]net|ISIS (Institute for Science and International Security) isis-online.org| |185.141.63[.]170|accounts-drive[.]com w3-schools[.]org|Google drive W3Schools w3schools.com| |185.141.63[.]172|Seisolarpros[.]org|SEI Professional Services seisolarpros.com| ----- It should be noted that these domains can only be accessed via the aforementioned link in the spear phishing email. In any other case, the server will redirect the client to the original website (HTTP 302 in port 442 or 301 in port 80). The following image presents the headers of 185.141.63[.]160 from Shodan[9]. The fake domain is unirsd[.]com, however, it redirects to the original website. The server 185.141.63[.]135 is the only server that pointing to 2 domains: 1) leslettrespersanes[.]net which is impersonating the French magazine “Les Lettres Persanes”. 2) Inztaqram[.]ga which is impersonating Instagram company. This is **the first time we** observed a phishing website executed by Charming Kitten that impersonate non-google services in order to steal credentials from the victim to other services. All of the servers used in the latest attack are hosted by BelCloud Hosting Corporation, located in Bulgaria (ISP Kiwi Technologies Ltd.). Older servers in the campaign, such as 46.21.150[.]197, are hosted by other hosting services. As presented in the last image, all servers are Apache/2.4.39 (Win64), using OpenSSL/1.1.1b and PHP versions 7.3.5 or 7.3.6. 9 [https://www.shodan.io/host/185.141.63.160](https://www.shodan.io/host/185.141.63.160) © 2019 All rights reserved to ClearSky Security Ltd. TLP: AMBER - The content of the document is solely for internal use. Distributing the report outside of recipient organization is not permitted. ----- Searching other servers with these unique parameters returned less than 300 results. Most of these results are not malicious. We ruled out the legitimate servers that pointed in their redirect to the same IP address or to a domain the server hosts. Within these servers, we identified one server that redirects to Google services, which concurrently hosts two Iranians Name Servers. We consider this server to be part of this campaign in medium-high level of confidence: © 2019 All rights reserved to ClearSky Security Ltd. TLP: AMBER - The content of the document is solely for internal use. Distributing the report outside of recipient organization is not permitted. ----- First and foremost, it should be noted that the Iranian cyber divisions use servers belonging to Hetzner Online GmbH in many of their operations[10]. Second, there is an overlap of the server version, the SSL version, the PHP version and even the serial number of the SSL certificate. [10 https://comprop.oii.ox.ac.uk/wp-content/uploads/sites/93/2019/04/Iran-Memo.pdf](https://comprop.oii.ox.ac.uk/wp-content/uploads/sites/93/2019/04/Iran-Memo.pdf) [https://www.clearskysec.com/wp-content/uploads/2018/11/Global-Iranian-Disinformation-Operation-Clearsky-](https://www.clearskysec.com/wp-content/uploads/2018/11/Global-Iranian-Disinformation-Operation-Clearsky-Cyber-Security.pdf) [Cyber-Security.pdf](https://www.clearskysec.com/wp-content/uploads/2018/11/Global-Iranian-Disinformation-Operation-Clearsky-Cyber-Security.pdf) [https://citizenlab.ca/2016/08/group5-syria/](https://citizenlab.ca/2016/08/group5-syria/) © 2019 All rights reserved to ClearSky Security Ltd. TLP: AMBER - The content of the document is solely for internal use. Distributing the report outside of recipient organization is not permitted. ----- ###### Attribution We made an attribution to the Iranian Charming Kitten group based on three main factors: 1. The two main websites linked in the second scenario are: - The Jewish Journal (Please see for further information). - German magazine - Deutsche Welle. In March 2019, ClearSky identified another attack as part of this campaign, using an email address pointing to jewishjournal[.]online. From the Passive DNS records of this domain, we identified another domain impersonating Deutsche Welle – deutcshewelle[.]net. © 2019 All rights reserved to ClearSky Security Ltd. TLP: AMBER - The content of the document is solely for internal use. Distributing the report outside of recipient organization is not permitted. ----- Based on passive DNS records, it seems that Charming Kitten used the decoy Jewish Journal domain once again in July 2019: 2. As mentioned, the victims are non-Iranian investigators based in the US, Middle East and France. Their field of expertise fits Charming Kitten’s TTPs. The repeating spelling mistakes in the email content are also evidence of the Charming Kitten line of action. 3. The impersonation to NIAC indicates that it is an Iranian actor. Apart from the above reasons, additional information also ties the group’s activity to Iran. One the NetBlock of the IP addresses of the original servers we found the website exnovin[.]org. ExNovin is an Iranian company that developed a platform for money exchange. The domain was previously hosted on Hetzner, a German Internet hosting company. We estimate that these factors are likely related to the Charming Kitten group. © 2019 All rights reserved to ClearSky Security Ltd. TLP: AMBER - The content of the document is solely for internal use. Distributing the report outside of recipient organization is not permitted. ----- ##### Indicators isis-online[.]net acconut-verify[.]com leslettrespersanes[.]net unrisd[.]com drive-accounts[.]com niaconucil[.]org skynevvs[.]com islamicemojimaker[.]com w3-schools[.]org seisolarpros[.]org exnovin[.]org gnldr[.]website sgnldp[.]live sgnl[.]network gnldr[.]live gnldr[.]online gnldr[.]club sgnl[.]live gnldrp[.]live gnldp[.]live sgnldr[.]live 185[.]141[.]63[.]161 185[.]141[.]63[.]162 185[.]141[.]63[.]135 185[.]141[.]63[.]160 185[.]141[.]63[.]156 185[.]141[.]63[.]157 185[.]141[.]63[.]8 185[.]141[.]63[.]172 **MISP events 1682 and 1438** © 2019 All rights reserved to ClearSky Security Ltd. TLP: AMBER - The content of the document is solely for internal use. Distributing the report outside of recipient organization is not permitted. ----- ### ClearSky Cyber Intelligence Report © 2019 All rights reserved to ClearSky Security Ltd. TLP: AMBER - The content of the document is solely for internal use. Distributing the report outside of recipient organization is not permitted. ###### 2019 All rights reserved to ClearSky Security Ltd. TLP: AMBER - The content of the document is solely for internal use. Distributing the report outside of recipient organization is not permitted. -----