# Charming Kitten ## Iranian cyber espionage against human rights activists, academic researchers and media outlets and the HBO hacker connection #### ClearSky Cyber Security December 2017 ----- ##### Contents Introduction .......................................................................................................................................................... 3 Targets ......................................................................................................................................................... 3 Charming Kitten or Rocket kitten? ....................................................................................................................... 4 The HBO hacker and Charming Kitten .................................................................................................................. 5 HBO hacking indictment .............................................................................................................................. 5 Connection to Iranian government backed threat agent ............................................................................ 5 From Mesri to Charming Kitten ................................................................................................................... 6 Delivery and Infection ........................................................................................................................................16 Made up organizations and people ...............................................................................................................16 British News ...............................................................................................................................................16 Made up studens and jurnalists .................................................................................................................24 Impersonating real companies .......................................................................................................................30 United Technologies impersonation ..........................................................................................................30 Watering holes ...............................................................................................................................................32 Spear Phishing for credential stealing ............................................................................................................34 Wave 1 .......................................................................................................................................................34 Wave 2 .......................................................................................................................................................36 Wave 3 .......................................................................................................................................................37 Email tracking services ...............................................................................................................................45 Targeted emails with malware .......................................................................................................................46 DownPaper Malware ..........................................................................................................................................47 Additional samples.....................................................................................................................................49 MAGICHOUND.RETRIEVER .................................................................................................................................50 Appendix A - Indicators of Compromise .............................................................................................................51 Appendix B - Previous reports about Charming Kitten and Rocket Kitten .........................................................59 Page 2 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- ### Introduction Charming Kitten is an Iranian cyberespionage group operating since approximately 2014. This report exposes their vast espionage apparatus, active during 2016-2017. We present incidents of company impersonation, made up organizations and individuals, spear phishing and watering hole attacks. We analyze their exploitation, delivery, and command-and-control infrastructure, and expose DownPaper, a malware developed by the attackers, which has not been publicly documented to date. Incidents documented in this report are likely a small fraction of the actual amount of targeted attacks, which may reach thousands of individuals. We expose more than 85 IP addresses, 240 malicious domains, hundreds of hosts, and multiple fake entities – most of which were created in 2016-2017. The most recent domains (com-archivecenter[.]work, com-messengerservice[.]work and com-videoservice[.]work) were registered on December 2[nd], 2017, and have probably not been used in attacks yet. We present the connection between Behzad Mesri, an Iranian national recently indicted for his involvement in hacking HBO, and Charming Kitten. We also identify other members of the group. This report refers to two likely distinct groups, Charming Kitten and Rocket Kitten, together. This is not to say that the two groups are one, but that due to overlap in infrastructure, tools, targets, and modus operandi we are unable to precisely attribute each incident to one or the other. Further discussion appears in the section "Charming Kitten or Rocket kitten?" ###### Targets The attackers' focus appears to be individuals of interest to Iran in the fields of Academic research (i.e. Iranists - Scholars who study Iran), Human right and media. Emphasis is given to Iranian dissidents living in Iran or abroad, and people who come in touch with Iranians or report on Iranian affairs such as journalists and reporters, media outlets covering Iran, and political advisors. Most targets known to us are individuals living in Iran, the United States, Israel, and the UK. Others live in Turkey, France, Germany, Switzerland, United Arab Emirates, India, Denmark and other countries. Notably, the attackers usually try to gain access to private email and Facebook accounts. They seek to infiltrate the targets’ social network as a hop point to breach other accounts in their social network, or to collect information about their targets. Sometimes, they aim at establishing a foothold on the target’s computer to gain access into their organization, but, based on our data, this is usually not their main objective, as opposed to other Iranian threat groups, such as Oilrig[1] and CopyKittens[2]. 1 [http://www.clearskysec.com/oilrig/](http://www.clearskysec.com/oilrig/) 2 [http://www.clearskysec.com/tulip/](http://www.clearskysec.com/tulip/) Page 3 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- ### Charming Kitten or Rocket kitten? While Iranian threat actors have been well documented by security researchers, the inner workings of the ecosystem of Iran's hackers is not entirely clear. Groups can be vigorously active for years and then disappear abruptly, sometimes due to being publicly outed. Researchers make a best-faith effort to assign operations to certain groups, but the instability in the field makes the process challenging. A case of these obscure lines can be found in a blogpost published in coordination and parallel to this report -“Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code”[3] by Collin Anderson and Claudio Guarnieri. Flying Kitten (which is another name given by the security industry to Charming Kitten) was one of the first groups to be described as a coherent threat actor conducting operations against political opponents of the IRI (Islamic Republic of Iran) government and foreign espionage targets. FireEye’s publication of “Operation Saffron Rose” report, which described Flying Kitten’s operations against aviation firms, led to the dismantling of Flying kitten's infrastructure and the apparent end of its activities. Months later, another, seemingly distinct group, “Rocket Kitten,” would be described by a series of reports. While the two groups exhibited different behaviors that lend credence to the assumption they were distinct, disclosures of private toolkits strongly suggest that Rocket Kitten had used Flying Kitten resources throughout its credential-theft operations. Moreover, Rocket Kitten had experimented with reusing malware that appeared to be an undisclosed precursor to Flying Kitten's “Stealer” agent documented by FireEye. These overlaps provide some indication that Rocket Kitten had some relationship to Flying Kitten – perhaps members of the latter joining the new team. Rocket Kitten has since largely subsided as a formidable actor, and repeating the theme of its predecessor now only appears in echoes of other campaigns. Read -“Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code” here: [https://iranthreats.github.io/resources/attribution-flying-rocket-kitten.](https://iranthreats.github.io/resources/attribution-flying-rocket-kitten) Further information is available in "Appendix B - Previous reports about Charming Kitten and Rocket Kitten". 3 [https://iranthreats.github.io/resources/attribution-flying-rocket-kitten](https://iranthreats.github.io/resources/attribution-flying-rocket-kitten) Page 4 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- ### The HBO hacker and Charming Kitten ###### HBO hacking indictment In November 21, 2017, the United States Department of Justice unsealed an indictment[4] against Behzad **Mesri (A.K.A “Skote Vahshat”)[5] for his involvement hacking and extorting HBO, and for subsequently leaking** the stolen content on the Internet. Leaked content included confidential information about upcoming episodes of the popular television series, “Game of Thrones,” and video files containing unreleased episodes of other television series created by HBO[6]. According to the indictment, "Mesri is an Iran-based computer hacker who had previously worked on behalf of the Iranian military to conduct computer network attacks that targeted military systems, nuclear software systems, and Israeli infrastructure. At certain times, Mesri has been a member of an Iran-based hacking group called the Turk Black Hat security team". ###### Connection to Iranian government backed threat agent Security researcher Collin Anderson of Iran Threats[7] tagged Mesri's twitter account[8] in a tweet[9] suggesting that Mesri might be related to Charming Kitten. 4 [https://www.justice.gov/usao-sdny/pr/acting-manhattan-us-attorney-announces-charges-against-iranian-national-](https://www.justice.gov/usao-sdny/pr/acting-manhattan-us-attorney-announces-charges-against-iranian-national-conducting) [conducting](https://www.justice.gov/usao-sdny/pr/acting-manhattan-us-attorney-announces-charges-against-iranian-national-conducting) 5 [https://www.fbi.gov/wanted/cyber/behzad-mesri](https://www.fbi.gov/wanted/cyber/behzad-mesri) 6 Other stolen content includes: (a) confidential video files containing unaired episodes of original HBO television programs, including episodes of “Barry,” “Ballers,” “Curb Your Enthusiasm,” “Room 104,” and “The Deuce”; (b) scripts and plot summaries for unaired programs, including but not limited to episodes of “Game of Thrones”; (c) confidential cast and crew contact lists; (d) emails belonging to at least one HBO employee; (e) financial documents; and (f) online credentials for HBO social media accounts (collectively, the “Stolen Data”). 7 [https://iranthreats.github.io/](https://iranthreats.github.io/) 8 [https://twitter.com/skote_vahshat](https://twitter.com/skote_vahshat) 9 [https://twitter.com/CDA/status/932992141466279936](https://twitter.com/CDA/status/932992141466279936) Page 5 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- Subsequently, we tried to find connections of Mesri to other activities and people mentioned in this report. Thanks to the public nature of how Mesri and other members of Turk Black Hat conducted their hacking activities and private online life, we could find several connections. This is not to say that the HBO hack was ordered by the Iranian government. Rather, we try to strengthen the assumption that Mesri was, at a certain time, part of, or related to Charming Kitten. In addition, we unmask other members of the group based on their connection to Mesri and to Charming Kitten infrastructure. ###### From Mesri to Charming Kitten **ArYaIeIrAN (AKA aryaieiran@gmail.com AKA aryaieiran@hotmail.com AKA mno_1988_fgh@yahoo.com)** is a 29 years old Iranian hacker and member of Turk Black Hat. Below is his profile page in "Iranian engineers club"[10]: 10 http://www.iran-eng.ir/member.php/77662-ArYaiEiRan?langid=1 Page 6 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- A list of websites he defaced, listed on Zone-H : And a mirror page of a defacement he made in 2012, showing some of his team members and email address: 11 http://www.zone-h.org/archive/notifier=ArYaIeIrAn Page 7 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- The same email address, aryaieiran@gmail.com, shows up in the SOA (Start of Authority) record of multiple domains registered and used by Charming Kittens that are presented in this report. These include britishnews.com[.]co, britishnews[.]org, broadcastbritishnews[.]com and mehrnews[.]info. All these websites used persiandns[.]net as their NS (name server), as can be seen in PassiveTotal[12] [13]: 12 [https://community.riskiq.com/search/britishnews.org](https://community.riskiq.com/search/britishnews.org) 13 [https://community.riskiq.com/search/britishnews.com.co](https://community.riskiq.com/search/britishnews.com.co) Page 8 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- _aryaieiran@gmail.com also registered persiandns[.]net, potentially indicating that he is the administrator of_ the services and an employee in the company: In a defacement, still online at the time of writing, both ArYaIeIrAn and Skote_Vahshat, the HBO hacker, take credit as members of Turk Black Hat. This indicates that both were members of Turk Black Hat at the same time, and likely knew each other. Page 9 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- persiandns[.]net hosting services, which hosted malicious domains used by charming kitten, redirects to **_mahanserver[.]ir, indicating it is the same company:_** The about page (درباره ما) of mahanserver[.]ir leads to a 404 error page: Page 10 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- The CEO of mahanserver[.]ir is Mohammad Rasoul Akbari (A.K.A ra3ou1), likely the boss or partner of ArYaIeIrA: Page 11 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- The two follow each other on twitter: Akbari is a Facebook friend of the HBO hacker, Behzad Mesri [14]. 14 [https://www.facebook.com/friendship/sk0te.vahshat/ra3ou1/](https://www.facebook.com/friendship/sk0te.vahshat/ra3ou1/) Page 12 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- On Linkedin, MahanServer only has two employees: CEO Mohammad Rasoul Akbari and Mohammadamin Keshvari: Interestingly, Mohammadamin Keshvari's profile picture is a pomegranate, like that of ArYaIeIrAN’s twitter account[15]: 15 [https://twitter.com/aryaieiran](https://twitter.com/aryaieiran) Page 13 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- Moreover, Mohammadamin Keshvari mentions in his LinkedIn profile that he works at ARia Dc (ariadc[.]com, _ariadc[.]net) which was registered by aryaieiran@gmail.com for three days in 2013 before changing to a_ generic email[16]: ARia Dc later turned into MahanServer, as can be seen in Waybac Machine: 16 Data from DomainTools whois history. Page 14 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- To sum up, the HBO hacker - Behzad Mesri is a member of Turk Black Hat along with ArYaIeIrAn, who provides infrastructure for Charming Kitten activity via PersianDNS / Mahanserver together with **Mohammad Rasoul Akbari, who is a Facebook friend of Behzad Mesri's. We tend to identify ArYaIeIrAn with** **Mohammadamin Keshvari, because the latter is the only other employee of Mahanserver and works in a** company whose domain was registered by the former (and both have a similar and unique profile picture). **We estimate with medium certainty that the three are directly connected to Charming Kitten, and** **potentially, along with others – are Charming Kitten.** We used SocialNet, Shadow Dragon’s Maltego transform for social media analysis[17] to analyze these connections and visually depict them, as can be seen below: 17 [https://shadowdragon.io/product/socialnet](https://shadowdragon.io/product/socialnet) Page 15 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- ### Delivery and Infection Charming Kitten attack their targets using the following methods: - **Made up organizations and people – entities are made up to lure people into malicious websites or** to receive malicious messages. - **Impersonating real companies – real companies are impersonated, making victims believe they are** communicating or visiting the website of the real companies. - **Watering hole attacks – inserting malicious JavaScript code into breached strategic websites.** - **Spear phishing – pretending to be** Gmail, Facebook, and other services providers, or pretending to be a friend of the target sharing a file or a link. These methods are elaborated below. ##### Made up organizations and people ###### British News Charming kitten regularly target international media outlets with Persian-language services. Two recent reports – "How Iran tries to control news coverage by foreign-based journalists"[18] and "Iranian agents blackmailed BBC reporter with ‘naked photo’ threats"[19] describe harassment and intimidation methods applied by Iranian intelligence agencies. These campaigns often target reporters and journalists in phishing attempts. On the same note, we identified a fake-news agency "established" by the attackers, called “The British news _agency”_ or “Britishnews” (inspired by BBC)[20]. Its website domain is britishnews.com[.]co and two other domains, broadcastbritishnews[.]com and britishnews[.]org, redirected to it. Below are screenshots of the main page of the website, which is online at time of writing: 18 [https://rsf.org/en/news/how-iran-tries-control-news-coverage-foreign-based-journalists](https://rsf.org/en/news/how-iran-tries-control-news-coverage-foreign-based-journalists) 19 [http://www.arabnews.com/node/1195681/media](http://www.arabnews.com/node/1195681/media) 20 Outed in collaboration with Forbs On Jan 2017, see “With Fake News And Femmes Fatales, Iran's Spies Learn To Love [Facebook” forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-](https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage) [cyberespionage](https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage) Page 16 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- Below is a screenshot from the “about” page of the fake news agency website, detailing its objectives and giving the email addresses of various “employees”: Page 17 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- Note the use of present perfect instead of past simple in "has been established" (instead of "was established"), present progressive (we are covering) instead of present simple (we cover) to mark a habitual aspect, and "began this work" – all suggesting a Persian-thinking writer. This fake news-agency and accompanying social media accounts are not used to disseminate propaganda or false information. Their content was automatically copied from legitimate sources. The purpose of this news agency is to create legitimacy, with the end goal of reaching out to their targets and infecting them while visiting the infected website. The website contains BeEF (Browser Exploitation Framework – a penetration testing tool that focuses on web browsers), however it seems that the payload is sent only when the victim visits the site from IPs in a whitelist managed by the attackers. This might indicate they are after specific targets or organizations rather than widespread infection. The screenshot below shows w3school.hopto[.]org, which served BeEF, called when britishnews.com[.]co is loading: Page 18 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- Page 19 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- At the bottom of the site are links to social media accounts created by the attackers: Below are screenshots of the accounts. Instagram, Instagram[.]com/britishnewslive with over 13,000 followers (unavailable for several months): Page 20 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- Twitter, https://twitter[.]com/britishnewslive (online at time of writing): Facebook page - facebook[.]com/officialbritishnewslive (unavailable for several months): Page 21 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- LinkedIn company page, linkedin[.]com/company/britishnews (unavailable for several months): The attackers also created a fake LinkedIn profile, Isabella Carey, that “worked” at the fake news company: _linkedin[.]com/in/isabella-carey-98a42a129 (unavailable for several months):_ Page 22 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- An email address with the same name, isabella.careyy@gmail.com, was used to register 12 malicious domains by Charming Kitten, as can be seen in PassiveTotal[21]: 21 [https://community.riskiq.com/search/whois/email/isabella.careyy@gmail.com](https://community.riskiq.com/search/whois/email/isabella.careyy@gmail.com) Page 23 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- ###### Made up studens and jurnalists Multiple Israeli Iranist and middle east researchers were sent emails and Twitter direct messages by made up entities. These entities are reviewed below. **Zehavit Yehuda** One of the fake entities is “KNBC News journalist Zehavit Yehuda”, who sent the following phishing email: The email links to a website, https://sites.google[.]com/view/docs-downloads, which was built with Google Sites: Page 24 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- The Download button is a redirection link: _http://www.google[.]com/url?q=http%3A%2F%2Fdownload-google.com-_ _orginallinks.ga%2Fdownload%2Ffile%2Fusr%&sa=D&sntz=1&usg=_ Which leads to a fake log-in page in a domain registered by the attackers: _http://download-google.com-orginal-links[.]ga/download/file/usr/_ **Yafa Hyat** Fake entity "Yafa Hyat" (@yafa1985hyat, online at time of writing) has contacted an Israeli Iranist via a direct message on twitter, pretending to be a political researcher who needs help with an article: Page 25 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- Page 26 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- The site automatically redirects to a phishing website hosted in a domain registered by the attackers, download _google.orginal-links[.]com:_ "Yafa" also sent an email from yaffa.hyatt9617@gmail.com to a university professor, asking to work at the university center she is heading. The email itself did not contain malicious content, and was likely sent to build trust prior to sending a phishing link or malware: Page 27 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- **Bahar Azadeh** Fake entity "Bahar Azadeh" (bahra.azadeh88@gmail.com and @baharazadeh1[22], online at time of writing) sent emails with different background stories to multiple researchers. In two cases, she was a "Jewish girl who has an Iranian origin and who has studied in the field of political science": 22 [https://twitter.com/baharazadeh1](https://twitter.com/baharazadeh1) Page 28 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- Yet in a third case she claimed to be Baha i living in Tehran: Translation: _Hello,_ _Mr. Dr., I am a Bahai living in Tehran, if you can call it a life. As you know, the present situation in Iran for_ _us Bahais is not good at all, so that we are even deprived of our natural right, that is, higher education, as_ _if we Bahais are not human and have no right to live._ _, I have been accepted to universities all across Iran, and after two years of studying in a_ _university, they realized from certain sources that I was Bahai, and expelled me. I did not sit idle and began_ _to constantly protest, I've been summoned [to court] quite a few times for this thing, and I already feel_ _Iran has become a hell for me, and as much as I try I can't find salvation from this hell._ _One of the reasons I've asked you for help and guidance was reading your book (), and your_ _research in this field has been really valuable and helpful, which made this book so beautiful._ _"I have a few questions for you, please answer me"._ The entities’ email address is connected to a fake Facebook entity called _Emilia Karter_ (online at time of writing): Page 29 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- ##### Impersonating real companies ###### United Technologies impersonation The attackers created a website impersonating UTC (United Technologies), “an American multinational conglomerate which researches, develops and manufactures products in numerous areas, including aircraft engines, [and] aerospace systems […]. UTC is a large military contractor, getting about 10% of its revenue from the U.S. government”[23]. The fake website was first reported by Iran Threats researchers on 6 February 2017[24]. We do not have evidence that UTC was targeted or impacted. The fake website, which was built in January 2017, claimed to offer “Free Special Programs And Courses For Employees Of Aerospace Companies like Lockheed Martin, SNCORP, ….”. It was a decoy to make visitor download a “Flash Player”, which was in fact DownPaper malware, analyzed later in this report. 23 [https://en.wikipedia.org/wiki/United_Technologies](https://en.wikipedia.org/wiki/United_Technologies) 24 [https://iranthreats.github.io/resources/macdownloader-macos-malware/](https://iranthreats.github.io/resources/macdownloader-macos-malware/) Page 30 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- The malware was served from the following location: _http://login.radio-m[.]cf/utc/dnld.exe_ It was contained in a cabinet self-extractor that impersonates a legitimate Windows software: _dnld.exe_ _be207941ce8a5e212be8dde83d05d38d_ _3b4926014b9cc028d5fb9d47fee3dbd9376525dcb3b6e2173c5edb22494cfa9b_ Page 31 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- ##### Watering holes The attackers breached the following websites pertaining to Iranian and Jewish cultural affairs: **Breached website** **Description** hamijoo[.]com An Iranian crowdfunding platform www.jewishjournal[.]com A Jewish news site www.estherk[.]com A personal blog of one of JewishJournal's writers www.boloogh[.]com A sex education website for Iranian youth levazand[.]com A personal blog of an Iranian living in United sates A script tag that loads BeEF JavaScript from w3school.hopto[.]org or from bootstrap.serveftp[.]com was added, as can be seen in the images below: Page 32 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 |Breached website Description|Col2| |---|---| |hamijoo[.]com|An Iranian crowdfunding platform| |www.jewishjournal[.]com|A Jewish news site| |www.estherk[.]com|A personal blog of one of JewishJournal's writers| |www.boloogh[.]com|A sex education website for Iranian youth| |levazand[.]com|A personal blog of an Iranian living in United sates| ----- Page 33 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- ##### Spear Phishing for credential stealing The attackers sent hundreds, maybe thousands, of spear phishing emails to hundreds of targets. In this section, we will present samples of spear phishing emails[25]. ###### Wave 1 The attackers breached the Gmail account of Alon Gur Arye, an Israeli film producer. Alon produced a satire film about the Israeli Mossad, which potentially confused the attackers to thinking he is associated with the Israeli Mossad. The breached account was used to send a phishing email to Thamar Eilam Gindin (who is targeted by the group since 2015[26]). Below is a screenshot of the phishing email: The email contained a shortened bit.ly link to a domain registered by the attackers - drivers.document_supportsharing[.]bid. In the statistics and usage page of the bit.ly URL we can see that the first click, likely a_ test run performed by the attackers before sending the phish, was from Iran. 25 Names of victims and targets are shared with their permission. [26 See, Thamar Reservoir: http://www.clearskysec.com/thamar-reservoir/](http://www.clearskysec.com/thamar-reservoir/) Page 34 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- The phishing page pretends to be a Gmail shared document downed page that requires the visitor to log in: Page 35 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- ###### Wave 2 Sometimes the phishing email does not contain live text, but only an image of text linked to a phishing page. This is usually done to bypass text based spam filters. The attackers used WebRTC (code copied from Github[27]) to detect the real IP address of targets who use proxies (This method was documented by Iran Threats[28]): While sending the spear phishing, the attackers preformed password recovery on the target’s Facebook account, as can be seen below. Thus, she received fake emails and legitimate ones at the same time which could cause her confusion and subsequently to give her credentials in the phishing. 27 [https://github.com/diafygi/webrtc-ips/blob/master/README.md](https://github.com/diafygi/webrtc-ips/blob/master/README.md) 28 [https://iranthreats.github.io/resources/webrtc-deanonymization/](https://iranthreats.github.io/resources/webrtc-deanonymization/) Page 36 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- ###### Wave 3 The attackers often open a new Gmail account and send phishing emails from it. For example, _suspended.user.noitification@gmail.com was used to send the following email to targets:_ Which leads to: Page 37 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- In other cases, 7 different targeted phishing emails were sent to the same victim on the same day from _customers.mailservice@gmail.com:_ Page 38 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- Page 39 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- The phishing messages were sent to hundreds of recipients from a previously unknown email address: _mails.customerservices@gmail.com_ They contained a link to goo-gle[.]mobi Below are screen captures of two of the messages. The content is not copied directly from Googles original notices, as evident from the spelling and grammatical errors, some of them typical of Persian speakers, e.g. using direct speech where English would use indirect speech ("that" instead of "whether"): Page 40 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- Hamed Hashemi, an Iranian Independent researcher and photographer living in the Netherlands was targeted in this campaign. He detected the malicious emails and wrote about them in his twitter account[29] [30]: Translation: "The brothers'[31] new method for hacking e-mails. Do not be fooled by such an email". 29 [https://twitter.com/hamed_hashemi/status/869835075550162944](https://twitter.com/hamed_hashemi/status/869835075550162944) 30 [https://twitter.com/hamed_hashemi/status/869865703939219456](https://twitter.com/hamed_hashemi/status/869865703939219456) 31 I.e. people working for the IRI. Page 41 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- Translation: "Ramezān (The month of Ramadan) operation continues." Other reported receiving 6 spear phishing emails within a few minutes. For example, Soudeh Rad[32] board member at ILGAEurope[33] (an organization for human rights and equality for lesbian, gay, bisexual, trans and intersex people at European level): Translation: "What's the most important thing to do when you're under a phishing attack? Keep your calm ☺ 6 e-mails arrived within 10 minutes (saying) someone signed into your email (account), confirm your _account."_ 32 [https://twitter.com/soudehrad/status/876062478685396992](https://twitter.com/soudehrad/status/876062478685396992) 33 [https://twitter.com/ILGAEurope](https://twitter.com/ILGAEurope) Page 42 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- 34 [https://twitter.com/Behrang](https://twitter.com/Behrang) 35 [https://twitter.com/Behrang/status/855761991117484032](https://twitter.com/Behrang/status/855761991117484032) Page 43 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- Translation: “And if you click on the link but don't type your password, they send you another email. Don't fall _for "if you wait you regret" “_ Page 44 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- ###### Email tracking services The attackers often use mailtrack.io to track when phishing emails are opened. These services are often used by marketing people to monitor their campaign effectiveness. Below is the source code of a spear phishing email with a mailtrack.io tracking link: Sometimes the attackers used a similar email tracking service, by Pointofmail. In this case, the malicious email was sent from Pointofmail’s servers (this is part of their service, not due to a breach). The email contained a redirect link to legitimate address advmailservice.com: Which redirects several times, eventually reaching the malicious page: Page 45 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- ##### Targeted emails with malware Email address customers.mailservice@gmail.com was mostly used for spear phishing. Occasionally, it was used to deliver links to malware. For example, the email below linked to http://tinyurl[.]com/hjtaeak which redirected to http://login.radio-m[.[cf/i/10-unique-chocolates-in-the-world.zip. The final URL contained the same sample of DownPaper that was hosted in the fake UTC website mentioned above (be207941ce8a5e212be8dde83d05d38d). Note, that the person who “shared” the file with the target in the malicious email was indeed a Facebook friend of the target (the target shared a link by her a few hours prior to receiving this message), and the subject of chocolate was trending on the target's feed at the time. The attackers spied on the target (potentially by following her on various social networks), and crafted an email she would be likely to receive. Page 46 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- ### DownPaper Malware DownPaper, sometimes delivered as sami.exe, is a Backdoor trojan. Its main functionality is to download and run a second stage. The sample used in our analysis (3261d45051542ab3e54fa541f132f899) was contained in a Cabinet selfextractor (be207941ce8a5e212be8dde83d05d38d), served from the following URL: _http://login.radio-m[.]cf/utc/dnld.exe_ The process tree below shows dnld.exe drops sami.exe (DownPaper), which in turn runs Powershell to gain persistency: DownPaper performs the following steps: 1. Loads from a resource file a URL of a command and control server. In the sample we analyzed, the URL was “http://46.17.97[.]37/downloader/poster.php”, Base64 encoded as can be seen below: 2. Searches and reads the value of Window Update registry key in the following path: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. a. If the value is Null, a new mutex is created, called Global\UpdateCenter, and a mutex synchronization function is executed. b. If the value is different than the name of the running file, section 2.a. is executed and a function called SetStartUp is called via PowerShell to create a registry key named _Window Update with the following value:_ Page 47 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- $scriptRoot\AppData\Local\Microsoft\Windows\wuauclt.exe 3. Sends an HTTP POST request to get the location of a second stage from the command and control server. The requests contain the following fields: a. Infected computer host name b. Username c. Serial Number – Retrieved via the following query: SELECT * FROM Win32_BaseBoard 4. When a file is received, runs it in a new thread. 5. Pause for ten seconds, then repeat step 3. **Locations** _C:\Users\user1\AppData\Local\Temp\IXP000.TMP\sami.exe_ _C:\Users\user1\AppData\Local\Microsoft\Windows\wuauclt.exe_ **Assembly Details:** **PDB path:** _d:\Task\D\Task\FUD\DownPaper\trunk\Downloader\obj\Debug\wuauclt.pdb_ Page 48 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- ###### Additional samples wuauclt.exe _d6ea39e1d4aaa8c977a835e72d0975e3_ _msoffice-update[.]com_ _93.158.215.50_ _http://msoffice-update[.]com/gallery/help.php_ _C:\Users\user1\AppData\Local\Temp\IXP000.TMP\sami.exe_ _key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Window Update_ _data: C:\Users\user1\AppData\Local\Microsoft\Windows\wuauclt.exe_ **_10 unique chocolates in the world.exe_** _be207941ce8a5e212be8dde83d05d38d_ _3b4926014b9cc028d5fb9d47fee3dbd9376525dcb3b6e2173c5edb22494cfa9b_ **sami.exe** _3261d45051542ab3e54fa541f132f899_ _479e1e02d379ad6c3c7f496d705448fa955b50a1_ _C:\Users\user1\AppData\Local\Temp\IXP000.TMP\sami.exe_ _C:\Users\user1\AppData\Local\Microsoft\Windows\wuauclt.exe_ **20f2da7b0c482ab6a78e9bd65a1a3a92** _[http://msoffice-update[.]com/gallery/help.php](http://msoffice-update/)_ _d:\Task\D\Task\FUD\DownPaper\trunk\Downloader\obj\Debug\wuauclt.pdb_ ###### ax haye ayin.exe _276befa70cff36860cd97e3e19f10343_ _753b73b82ec8307f54cfb80091600fb283476aa6df7102d6af82048ef4a5913f_ _5.79.69[.]206:4455_ ###### pita.exe _60753796905458fa6a4407f48309aa25_ _53f7b95262971d79e676055d239180d653fd838dc6ffb9a3418ccad2b66c54bc_ _C:\Users\user1\AppData\Local\Temp\IXP000.TMP\pita.exe_ ###### aziii.exe _3c01793380fbd3f101603af68e96f058_ _13ac10cd2595fb8fefd4e15c1b82bd2c8e1953809f0d1c349641997aeb9f935c_ ###### Azita Gallery.exe _30124b5c56cecf2045abd24011bdf06b_ _9aa7fc0835e75cbf7aadde824c484d7dc53fdc308a706c9645878bbd6f5d3ad8_ Page 49 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- ### MAGICHOUND.RETRIEVER By pivoting off the malicious infrastructure we found a sample of MAGICHOUND.RETRIEVER, a malware which is covered in a report by Palo Alto Networks about a group they call Magic Hound[37]. The report says that Magic Hound “has primarily targeted organizations in the energy, government, and technology sectors that are either based or have business interests in Saudi Arabia”. Also, “Link analysis of infrastructure and tools […] revealed a potential relationship between Magic Hound and the adversary group called ‘Rocket Kitten’”. The last notion is in line with our findings. MAGICHOUND.RETRIEVER is a .NET downloader that retrieves secondary payloads using an embedded URL in its configuration as the C2. Below is the sample that we found. **flashplayer.exe** _9d0e761f3803889dc83c180901dc7b22_ _ecf9b7283fda023fa37ad7fdb15be4eadded4e06_ _d4375a22c0f3fb36ab788c0a9d6e0479bd19f48349f6e192b10d83047a74c9d7_ _http://update-microsoft[.]bid/img/WebService.asmx_ _http://update-driversonline[.]bid/img/WebService.asmx_ The connections between the sample and Charming Kitten’s infrastructure is depicted in the graph below: 37 [https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/](https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/) Page 50 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- ### Appendix A - Indicators of Compromise 012mail-net-uwclogin[.]ml 443[.]tcp[.]shorturlbot[.]club 874511478[.]account-login[.]net 8ghefkwdvbfdsg3asdf1[.]com account-customerservice[.]com account-dropbox[.]net account-google[.]co account-login[.]net account-logins[.]com account-log-user-verify-mail[.]com account-permission-mail-user[.]com accounts[.]account-google[.]co accounts[.]activities[.]devices[.]com[.]accounts[.]a ctivities[.]devices[.]com[.]usersettings[.]cf accounts[.]activities[.]devices[.]com[.]accounts[.]g oogle[.]com[.]usersettings[.]cf accounts[.]activities[.]devices[.]com[.]drive[.]goog le[.]com[.]usersettings[.]cf accounts[.]activities[.]devices[.]com[.]usersettings [.]cf accounts[.]google[.]com[.]accounts[.]activities[.]d evices[.]com[.]usersettings[.]cf accounts[.]google[.]com[.]accounts[.]google[.]com [.]usersettings[.]cf accounts[.]google[.]com[.]drive[.]google[.]com[.]u sersettings[.]cf accounts[.]google[.]com[.]usersettings[.]cf accountservice[.]support account-servicerecovery[.]com accounts-googelmail[.]com accounts-googelmails[.]com account-signin-myaccount-users[.]ga accounts-logins[.]net accountsrecovery[.]ddns[.]net accounts-service[.]support accountsservice-support[.]com account-support-user[.]com accounts-yahoo[.]us accountts-google[.]com account-user[.]com account-user-permission-account[.]com account-users-mail[.]com account-user-verify-mail[.]com acounts-qooqie-con[.]ml addons-mozilla[.]download ae[.]ae[.]asus-support[.]net ae[.]asus-support[.]net ae[.]bocaiwang[.]asus-support[.]net ae[.]client[.]asus-support[.]net aipak[.]org aiqac[.]org aol-mail-account[.]com apache-utility[.]com api[.]com-service[.]net app-documents[.]com app-facebook[.]co appleid[.]apple[.]com[.]account-logins[.]com araamco[.]com araamco[.]com archive-center[.]com asus-support[.]net asus-update[.]com berozkhodro[.]com blog[.]group-google[.]com bocaiwang[.]ae[.]asus-support[.]net bocaiwang[.]asus-support[.]net bocaiwang[.]bocaiwang[.]asus-support[.]net bocaiwang[.]client[.]asus-support[.]net book-archivecenter[.]bid books-archivecenter[.]bid books-archivecenter[.]club books-google[.]accountservice[.]support books-google[.]books-archivecenter[.]bid books-google[.]www[.]books-archivecenter[.]bid books-view[.]com bootstrap[.]serveftp[.]com britishnews[.]com[.]co britishnews[.]org broadcastbritishnews[.]com brookings-edu[.]in change-mail-accounting-register-single[.]com change-mail-account-nodes-permision[.]com change-permission-mail-user-managment[.]com change-user-account-mail-permission[.]com client[.]ae[.]asus-support[.]net client[.]asus-support[.]net client[.]bocaiwang[.]asus-support[.]net client[.]client[.]asus-support[.]net codeconfirm-recovery[.]bid codeconfirm-recovery[.]club com-account-login[.]com com-accountrecovery[.]bid com-accountsecure-recovery[.]name com-accountsrecovery[.]name com-archivecenter[.]work com-customeradduser[.]bid com-customerservice[.]bid com-customerservice[.]name com-customerservices[.]name com-customersuperuser[.]bid Page 51 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- com-download[.]ml com-manage-accountuser[.]club com-messagecenter[.]bid com-messengerservice[.]bid com-messengerservice[.]work com-microsoftonline[.]club com-mychannel[.]bid com-orginal-links[.]ga com-recoversessions[.]bid com-recovery[.]com com-recoveryadduser[.]bid com-recoveryidentifier[.]bid com-recoveryidentifier[.]name com-recoveryidentifiers[.]bid com-recoverymail[.]bid com-recoverysecureuser[.]club com-recoverysecureusers[.]club com-recoveryservice[.]bid com-recoveryservice[.]info com-recoverysessions[.]bid com-recoverysubusers[.]bid com-recoverysuperuser[.]bid com-recoverysuperuser[.]club com-recoverysuperuser[.]name com-recoverysuperusers[.]bid com-recoverysupport[.]bid com-recoverysupport[.]club com-service[.]net com-servicecustomer[.]bid com-servicecustomer[.]name com-servicemail[.]bid com-servicerecovery[.]bid com-servicerecovery[.]club com-servicerecovery[.]info com-servicerecovery[.]name com-servicescustomer[.]name com-serviceslogin[.]com com-showvideo[.]gq com-statistics[.]com com-stats[.]com com-video[.]net com-videoservice[.]work com-viewchannel[.]club confirm-code[.]account-support-user[.]com crcperss[.]com cvcreate[.]org digitalqlobe[.]com display-error-runtime[.]com display-ganavaro-abrashimchi[.]com docs-google[.]co documents[.]sytes[.]net documents-supportsharing[.]bid documents-supportsharing[.]club document-supportsharing[.]bid doc-viewer[.]com download[.]account-login[.]net download-google[.]com-orginal-links[.]ga download-google[.]orginal-links[.]com download-link[.]top drive[.]change-mail-account-nodespermision[.]com drive[.]google[.]com[.]accounts[.]activities[.]devic es[.]com[.]usersettings[.]cf drive[.]google[.]com[.]accounts[.]google[.]com[.]u sersettings[.]cf drive[.]google[.]com[.]drive[.]google[.]com[.]users ettings[.]cf drive[.]google[.]com[.]usersettings[.]cf drive[.]privacy-yahoomail[.]com drive-download[.]account-support-user[.]com drive-download[.]account-user-permissionaccount[.]com drive-file[.]account-support-user[.]com drive-google[.]co drive-login[.]cf drive-mail[.]account-support-user[.]com drive-permission-user-account[.]com drivers[.]document-supportsharing[.]bid drives-google[.]co drives-google[.]com drives-google[.]com[.]co drive-useraccount-signin-mail[.]ga dropbox[.]com-servicecustomer[.]name dropbox[.]com-servicescustomer[.]name drop-box[.]vip dropebox[.]co embraer[.]co emiartas[.]com error-exchange[.]com eursaia[.]org facebook[.]com-service[.]gq facebook[.]notification-accountrecovery[.]com fanderfart22[.]xyz fardenfart2017[.]xyz fb[.]com-download[.]ml fb-login[.]cf ftp[.]account-logins[.]com ftp[.]account-permission-mail-user[.]com ftp[.]accountservice[.]support ftp[.]accountsservice-support[.]com ftp[.]archive-center[.]com ftp[.]britishnews[.]com[.]co ftp[.]com-recoveryservice[.]info ftp[.]com-service[.]net ftp[.]goo-gle[.]cloud ftp[.]goo-gle[.]mobi Page 52 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- ftp[.]microsoft-upgrade[.]mobi ftp[.]news-onlines[.]info ftp[.]officialswebsites[.]info ftp[.]orginal-links[.]com ftp[.]screen-royall-in-corporate[.]com ftp[.]screen-shotuser-trash-green[.]com ftp[.]sdfsd[.]screen-royall-in-corporate[.]com ftp[.]service-broadcast[.]com ftp[.]service-recoveryaccount[.]com ftp[.]set-ymail-user-account-permissionchallenge[.]com ftp[.]support-aasaam[.]com ftp[.]support-recoverycustomers[.]com ftp[.]uk-service[.]org ftp[.]verify-account[.]services ftp[.]w3schools-html[.]com ftp[.]www[.]britishnews[.]com[.]co ftp[.]www[.]screen-shotuser-trash-green[.]com gle-mail[.]com gmail[.]com-recoverymail[.]bid gmail[.]com-u6[.]userlogin[.]securitylogin[.]activity[.]com-verification-accounts[.]com gmail-recovery[.]ml gmal[.]cf goog-le[.]bid goo-gle[.]bid goo-gle[.]cloud google[.]mail[.]com-servicecustomer[.]bid google[.]mail[.]mail[.]google[.]comservicecustomer[.]bid google[.]mail[.]www[.]com-servicecustomer[.]bid goo-gle[.]mobi google-drive[.]account-servicerecovery[.]com google-drive[.]accounts-service[.]support google-drive[.]account-support-user[.]com google-drive[.]com[.]accountservice[.]support google-drive[.]service-recoveryaccount[.]com google-hangout[.]accountservice[.]support google-hangout[.]accounts-service[.]support google-hangout[.]account-support-user[.]com google-hangout[.]verify-account[.]services google-mail[.]com[.]co googlemail[.]com-customersuperuser[.]bid google-mail-recovery[.]com googlemails[.]co google-profile[.]com google-profiles[.]com google-setting[.]com google-verification[.]com google-verify[.]com google-verify[.]net hangout[.]com-messagecenter[.]bid hangout[.]messageservice[.]club help-recovery[.]com hot-mail[.]ml hqr-mail[.]nioc-intl[.]account-user-permissionaccount[.]com id-bayan[.]com iforget-memail-user-account[.]com iranianuknews[.]com ir-owa-accountservice[.]bid itunes-id-account[.]users-login[.]com k2intelliqence[.]com k2intelliqence[.]com komputertipstrik[.]com-customeradduser[.]bid line-en[.]me log[.]account[.]accountservice[.]support login[.]com-service[.]net login[.]radio-m[.]cf login-account[.]net login-account-google[.]orginal-links[.]com login-account-mail[.]com login-again[.]ml login-mail[.]account-servicerecovery[.]com login-mail[.]verify-account[.]services login-mails[.]account-servicerecovery[.]com login-mails[.]accounts-service[.]support login-mails[.]account-support-user[.]com login-mails[.]verify-account[.]services login-required[.]ga login-required[.]ml login-required[.]tk logins-mails[.]account-customerservice[.]com logins-mails[.]account-servicerecovery[.]com logins-mails[.]accounts-service[.]support logins-mails[.]accountsservice-support[.]com logins-mails[.]com-servicecustomer[.]name logins-mails[.]service-recoveryaccount[.]com login-webmail[.]accounts-service[.]support login-webmail[.]account-support-user[.]com login-webmail[.]verify-account[.]services logn-micrsftonine-con[.]ml m[.]com-service[.]net mail[.]account-google[.]co mail[.]com-service[.]net mail[.]google[.]com-customerservice[.]name mail[.]google[.]com-customerservices[.]name mail[.]google[.]com-recoveryservice[.]info mail[.]google[.]com-servicecustomer[.]bid mail[.]google[.]com-servicescustomer[.]name mail[.]google[.]mail[.]google[.]comservicecustomer[.]bid mail[.]google[.]www[.]com-servicecustomer[.]bid mail[.]google[.]www[.]dropbox[.]comservicescustomer[.]name mail[.]group-google[.]com Page 53 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- mail[.]mehrnews[.]info mail[.]orginal-links[.]com mail[.]yahoo[.]com-servicecustomer[.]name mail[.]youtube-com[.]watch mail3[.]google[.]com-servicecustomer[.]name mail-account-register-recovery[.]com mailgate[.]youtube-com[.]watch mailgoogle[.]com-recoveryidentifier[.]bid mailgoogle[.]com-recoverymail[.]bid mailgoogle[.]com-recoveryservice[.]bid mailgoogle[.]com-recoverysuperuser[.]bid mailgoogle[.]com-recoverysupport[.]bid mail-google[.]com-servicecustomer[.]name mailgoogle[.]com-servicerecovery[.]bid mail-inbox[.]account-support-user[.]com mail-login[.]account-login[.]net mail-login[.]accountservice[.]support mail-login[.]account-servicerecovery[.]com mail-login[.]service-recoveryaccount[.]com mail-login[.]verify-account[.]services mail-macroadvisorypartners[.]ml mails[.]com-servicerecovery[.]name mails-account-signin-users-permssion[.]com mailscustomer[.]recovery-emailcustomer[.]com mailssender[.]bid mail-user-permission-sharedaccount[.]com mail-usr[.]account-support-user[.]com mail-verify[.]account-support-user[.]com mail-yahoo[.]com[.]co market-account-login[.]net me[.]youtube[.]com-mychannel[.]bid mehrnews[.]info messageservice[.]bid messageservice[.]club mfacebook[.]login-required[.]ga microsoft-hotfix[.]com microsoft-update[.]bid microsoft-upgrade[.]mobi microsoft-utility[.]com msoffice-update[.]com mx1[.]group-google[.]com my[.]youtube[.]com-mychannel[.]bid myaccount-login[.]net mychannel[.]ddns[.]net mychannel[.]ddns[.]net mydrives[.]documents-supportsharing[.]bid myemails[.]com-recoverysuperuser[.]name my-healthequity[.]com mymail[.]com-recoveryidentifiers[.]bid mymail[.]com-recoverysuperuser[.]name my-mailcoil[.]ml mymails[.]com-recoverysuperuser[.]bid mymails[.]com-recoverysuperuser[.]name myscreenname[.]bid news-onlines[.]info nex1music[.]ml notification-accountrecovery[.]com ns1[.]check-yahoo[.]com ns1[.]com-service[.]net ns2[.]check-yahoo[.]com nvidia-support[.]com nvidia-update[.]com officialswebsites[.]info official-uploads[.]com ogin-mails[.]accounts-service[.]support onedrive-signin[.]com onlinedocument[.]bid onlinedocuments[.]org onlinedrie-account-permission-verify[.]com onlineserver[.]myftp[.]biz online-supportaccount[.]com orginal-links[.]com outlook-livecom[.]bid owa-insss-org-ill-owa-authen[.]ml paypal[.]com[.]webapp[.]logins-mails[.]servicerecoveryaccount[.]com paypal[.]com[.]webapp[.]paypal[.]com[.]webapp[. ]service-recoveryaccount[.]com paypal[.]com[.]webapp[.]servicerecoveryaccount[.]com picofile[.]xyz policy-facebook[.]com pop[.]group-google[.]com privacy-facebook[.]com privacy-gmail[.]com privacy-yahoomail[.]com profile[.]facebook[.]accountservice[.]support profile[.]facebook[.]notificationaccountrecovery[.]com profile-facebook[.]co profiles-facebook[.]com profile-verification[.]com qet-adobe[.]com radio-m[.]cf raykiel[.]net recoverycodeconfirm[.]bid recovery-customerservice[.]com recovery-emailcustomer[.]com recoverysuperuser[.]bid register-multiplay[.]ml reset-login[.]accountservice[.]support reset-login[.]account-support-user[.]com reset-login-yahoo-com[.]account-supportuser[.]com reset-mail[.]account-support-user[.]com Page 54 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- reset-mail-yahoo-com[.]account-supportuser[.]com resets-mails[.]account-support-user[.]com result2[.]com-servicescustomer[.]name result2[.]www[.]dropbox[.]comservicescustomer[.]name sadashboard[.]com saudiarabiadigitaldashboards[.]com saudi-government[.]com saudi-haj[.]com screen-royall-in-corporate[.]com screen-shotuser-trash-green[.]com sdfsd[.]screen-royall-in-corporate[.]com sdfsd[.]screen-shotuser-trash-green[.]com security-supportteams-mail-change[.]ga service-accountrecovery[.]com service-broadcast[.]com servicecustomer[.]bid servicelogin-mail[.]account-servicerecovery[.]com service-logins[.]net servicemailbroadcast[.]bid service-recoveryaccount[.]com set-ymail-user-account-permissionchallenge[.]com shared-access[.]com shared-login[.]com shared-permission[.]com shop[.]account-dropbox[.]net shorturlbot[.]club show[.]video-youtube[.]cf show-video[.]info slmkhubi[.]ddns[.]net smstagram[.]com smtp[.]com-service[.]net smtp[.]group-google[.]com smtp[.]youtube-com[.]watch sports[.]accountservice[.]support sprinqer[.]com support[.]account-google[.]co support-aasaam[.]bid support-aasaam[.]com support-accountsrecovery[.]com support-google[.]co support-recoverycustomers[.]com supports-recoverycustomers[.]com support-verify-account-user[.]com tadawul[.]com[.]co tai-tr[.]com tcp[.]shorturlbot[.]club team-speak[.]cf team-speak[.]ga team-speak[.]ml teamspeak-download[.]ml teamspeaks[.]cf telagram[.]cf test[.]service-recoveryaccount[.]com token-ep[.]com uk-service[.]org update-checker[.]net update-driversonline[.]bid update-driversonline[.]club update-finder[.]com update-microsoft[.]bid updater-driversonline[.]club update-system-driversonline[.]bid uploader[.]sytes[.]net upload-services[.]com uri[.]cab us[.]battle[.]net[.]cataclysm[.]accountlogins[.]com usersettings[.]cf users-facebook[.]com users-login[.]com users-yahoomail[.]com utc[.]officialswebsites[.]info utopaisystems[.]net verify-account[.]services verify-accounts[.]info verify-facebook[.]com verify-gmail[.]tk verify-your-account-information[.]userslogin[.]com video[.]yahoo[.]com[.]accountservice[.]support video[.]yahoo[.]com-showvideo[.]gq video[.]youtube[.]com-showvideo[.]ga video-mail[.]account-support-user[.]com video-yahoo[.]accountservice[.]support video-yahoo[.]account-support-user[.]com video-yahoo[.]com[.]accountservice[.]support video-youtube[.]cf w3sch00ls[.]hopto[.]org w3school[.]hopto[.]org w3schools[.]hopto[.]org w3schools-html[.]com watch-youtube[.]org[.]uk webmaiil-tau-ac-il[.]ml webmail-login[.]accountservice[.]support webmail-tidhar-co-il[.]ml wildcarddns[.]com-service[.]net windows-update[.]systems wp[.]com-microsoftonline[.]club ww2[.]group-google[.]com ww62[.]group-google[.]com ww62[.]mx1[.]group-google[.]com ww92[.]group-google[.]com xn--googe-q2e[.]ml Page 55 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- yahoo[.]com[.]accountservice[.]support yahoo-proflles[.]com yahoo-verification[.]net yahoo-verification[.]org yahoo-verify[.]net youetube[.]ga yourl[.]bid youttube[.]ga youttube[.]gq youtubbe[.]cf youtubbe[.]ml youtube[.]com[.]login-account[.]net youtube[.]com-service[.]gq youtube-com[.]watch youtubee-videos[.]com youtubes[.]accounts[.]com-serviceslogin[.]com youtuebe[.]co youtuobe[.]com[.]co youutube[.]cf yurl[.]bid admin@doc-viewer.com admin@dropebox.co admin@screen-royall-in-corporate.com admin@screen-shotuser-trash-green.com anita.jepherson@gmail.com aryaieiran@gmail.com aryaieiran@gmail.com bahra.azadeh88@gmail.com cave.detector@yandex.com cave.detector@yandex.com center2016@yandex.com chada.martini@yandex.com chada.martini@yandex.com cool.hiram@yandex.com customers.mailservice@gmail.com customers.noreplyservice@gmail.com international.research@mail.com isabella.careyy@gmail.com isabella.careyy@gmail.com john.lennon@uymail.com jully.martin@yandex.com jully.martin@yandex.com mails.customerservices@gmail.com martin.switch911@gmail.com martin.switch911@gmail.com message.intercom@gmail.com message.intercom@gmail.com nami.rosoki@gmail.com online.nic@yandex.com online.nic@yandex.com rich.safe@yandex.com rskitman@gmail.com sali.rash@yandex.com sali.rash@yandex.com service.center2016@yandex.com service.center2016@yandex.com suspended.user.noitification@gmail.com yaffa.hyatt9617@gmail.com 107.150.38.19 107.150.60.156 107.150.60.158 107.6.179.131 136.243.108.100 136.243.221.148 136.243.226.189 137.74.131.208 137.74.148.218 144.76.97.61 144.76.97.62 145.239.120.88 149.56.135.42 149.56.201.205 158.255.1.34 164.132.251.217 164.132.29.69 173.208.129.180 173.244.180.131 173.244.180.132 173.244.180.133 173.244.180.134 173.45.108.55 173.90.180.125 178.33.38.128 185.117.74.165 185.141.24.64 185.141.24.66 185.82.202.174 192.99.127.216 194.88.107.63 204.12.207.108 204.12.207.110 204.12.242.84 204.12.242.85 207.244.77.15 207.244.79.143 207.244.79.144 207.244.79.147 207.244.79.148 208.110.73.219 208.110.73.220 208.110.73.221 208.110.73.222 209.190.3.113 209.190.3.114 209.190.3.115 209.190.3.41 Page 56 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- 209.190.3.42 209.190.3.43 213.152.173.198 213.32.11.30 213.32.49.232 217.23.3.158 217.23.5.166 31.3.236.90 31.3.236.91 31.3.236.92 37.220.8.13 46.17.97.240 46.17.97.243 46.17.97.37 46.17.97.40 5.152.202.51 5.152.202.52 5.79.105.153 5.79.105.156 5.79.105.161 5.79.105.165 5.79.69.198 51.254.254.217 51.255.28.57 54.36.217.8 69.30.221.126 69.30.224.244 69.30.224.245 81.171.25.229 81.171.25.232 85.17.172.170 86.105.1.111 91.218.245.251 92.222.206.208 93.158.200.170 93.158.215.50 93.158.215.52 94.23.90.226 00b5d45433391146ce98cd70a91bef08 07fb3f925f8ef2c53451b37bdd070b55 0a3f454f94ef0f723ac6a4ad3f5bdf01 0e3cb289f65ef5faf40fa830ac9b1bf6 1c00fd5e1ddd0226bd854775180fd361 1db12ec1f335ee5995b29dea360514a2 20f2da7b0c482ab6a78e9bd65a1a3a92 253b4f5c6611a4bc9c7f5269b127c8e9 3261d45051542ab3e54fa541f132f899 356439bfb9b2f49858897a22dd85df86 365482f10808ddd1d26f3dc19c41c993 3bb2f304a59255dddc5ef6bb0a32aec7 3edec580845d7ab85fa893afb391fbfb 5e9a458dcdfc9d2ce996081ec87c30e0 5ec9f484603b89f80f351bb88279ebb1 6bd505616e12e3dd7f2287f24f34609f 6cfa579dd1d33c2fa42d85c2472f744c 7df3a83dfcce130c01aabede3cfe8140 7e1cf48d84e503499c9718c50e7a1c52 9c7ae44baf8df000bb614738370d1171 9d0e761f3803889dc83c180901dc7b22 a43b7cc495741248f3647e647f776467 a9117da1cb51adbc88a52a6e3b16a6c4 ae797446710e375f0fc9a33432d64256 af5c01a7a3858bc3712ab69bc673cec4 bd0a6fe7a852fdd61c1da37cf99103d2 be207941ce8a5e212be8dde83d05d38d bfd21f2847c1d7aa0f409ef52ed52e05 c7760dc8f7baf67f80ab549af27df9e9 c96453247ee1ecbd4053da8bbb4cf572 ccaf21e122ca9d2e2397a9e28eb4cc87 d6ea39e1d4aaa8c977a835e72d0975e3 d6fa439f0278babb1edff32d8dc31c59 da1f6a5f2a5564c2131b4a311c55f487 e7dd9b8fe7ae14faad304d139f71b629 e93992f26f224ea53d9bdd9564e8e1c0 edd4011696ddd349575278aed7031a47 f5763b8b796b1c5d04febcc65f853967 f7f9806af42adb80d100e55f35cfa86c f9255e0d492eb20df1e78ccc970b121a fac158623b0e3ed3bea6e24b1795cb95 479e1e02d379ad6c3c7f496d705448fa955b50a1 67bb83bbe82ffa910386216619c5ebf9eecf13e6 6cacf83033fa97f4ac27eb27e4aa265afa4dc51d a2f17906ca39e7f41a8adeea4be5ffb7d1465c4a c5ea8680162d3e8bc3d71c060c15bf224c873f7a d97b13ed0fe3e41b60b9d45b6e7f68c9b6187b96 eac4a47f238ee62661f464a807b3e0b5079b835f ecf9b7283fda023fa37ad7fdb15be4eadded4e06 19c0977fdbc221f7d6567fb268a4ef4cd2a759fcbc1 039a82366978089f080d2 1a24714fd99030bd63804ab96fc2612f148a5f08d1 c2845152c3a0e168600db9 261c5f32abb8801576ce81be2c66bca564a8a28ab 5ea0954bad6bac7071e299b 2c92da2721466bfbdaff7fedd9f3e8334b688a88ee 54d7cab491e1a9df41258f 2db1e2c49ff0792b54d84538c9a420de7aa619602 b66add502e2b6ea7c79fd4b 4fff9cd7f5f4c9048cfaf958a54cc4c4bc14c9fdbfd63 e2c17f79913f0ea8c21 6618051ea0c45d667c9d9594d676bc1f4adadd8cb 30e0138489fee05ce91a9cb 8aff94ceb2fed8ba864df929fbbec3dd82cbd968c5 b2f42971fb756d1ba1ecb6 a86ccf0049be20c105e2c087079f18098c739b86d5 2acb13f1d41f1ccc9f8e1c Page 57 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- acca9f004a596ea33af65725c2319bf845a442ee9fa 09c511d359df2f632cf4d b0b177d06fb987429f01d937aaa1cbb7c93a69cfae f146b60f618f8ab26fac38 d4375a22c0f3fb36ab788c0a9d6e0479bd19f48349 f6e192b10d83047a74c9d7 d7e1d13cab1bd8be1f00afbec993176cc116c2b233 209ea6bd33e6a9b1ec7a7f d7f2b4188b7c30c1ef9c075891329dbcf8e9b5ebac 1ef8759bc3bb2cf68c586f d84e808e7d19a86bea3862710cae1c45f7291e984 c9857d0c86881812674d4bb e6cd39cf0af6a0b7d8129bf6400e671d5fd2a3797b 92e0fe4a8e93f3de46b716 Page 58 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 ----- ### Appendix B - Previous reports about Charming Kitten ### and Rocket Kitten Rocket Kitten: - rocket kitten: a campaign with 9 lives - Check Point Blog[38] - LONDON CALLING Two-Factor Authentication Phishing From Iran[39] - Thamar Reservoir – An Iranian cyber-attack campaign against targets in the Middle East[40] - Rocket Kitten Showing Its Claws: Operation Woolen-GoldFish and the GHOLE campaign[41] - The Kittens Strike Back: Rocket Kitten Continues Attacks on Middle East Targets[42] - Increased Use of Android Malware Targeting Journalists[43] - Iran and the Soft War for Internet Dominance[44] Charming Kitten: - iKittens: Iranian Actor Resurfaces with Malware for Mac (MacDownloader)[45] - Fictitious Profiles and WebRTC’s Privacy Leaks Used to Identify Iranian Activists[46] - Freezer Paper around Free Meat[47] 38 [https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf](https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf) 39 [https://citizenlab.ca/2015/08/iran_two_factor_phishing/](https://citizenlab.ca/2015/08/iran_two_factor_phishing/) 40 [http://www.clearskysec.com/thamar-reservoir/](http://www.clearskysec.com/thamar-reservoir/) [41https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-](https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing) [phishing](https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing) 42 [https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/rocket-kitten-continues-attacks-on-middle-east-](https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/rocket-kitten-continues-attacks-on-middle-east-targets) [targets](https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/rocket-kitten-continues-attacks-on-middle-east-targets) 43 [https://iranthreats.github.io/resources/android-malware/](https://iranthreats.github.io/resources/android-malware/) 44 [https://iranthreats.github.io/us-16-Guarnieri-Anderson-Iran-And-The-Soft-War-For-Internet-Dominance-paper.pdf](https://iranthreats.github.io/us-16-Guarnieri-Anderson-Iran-And-The-Soft-War-For-Internet-Dominance-paper.pdf) 45 [https://iranthreats.github.io/resources/macdownloader-macos-malware/](https://iranthreats.github.io/resources/macdownloader-macos-malware/) 46 [https://iranthreats.github.io/resources/webrtc-deanonymization/](https://iranthreats.github.io/resources/webrtc-deanonymization/) 47 [https://securelist.com/freezer-paper-around-free-meat/74503/](https://securelist.com/freezer-paper-around-free-meat/74503/) Page 59 of 59 ©All rights reserved to ClearSky Cyber Security, 2017 -----