##### CYBER THREAT ANALYSIS By Insikt Group® | IRAN | August 20, 2024

# GreenCharlie Infrastructure Linked to US Political Campaign Targeting

**Insikt Group has discovered a cluster of malicious network infrastructure used by Iran-backed GreenCharlie, which is reportedly linked to malware used in the recent targeting of US political candidates.**

**GreenCharlie's victimology includes research and policy analysts, government officials, diplomats, and high-value strategic targets.**

**GreenCharlie highly likely operates at the behest of the Islamic Revolutionary Guard Corps' Intelligence Organization (IRGC-IO), and has overlaps with Mint Sandstorm, Charming Kitten, and TA453.**

CTA-IR-2024-0820 | Recorded Future® | [www.recordedfuture.com](http://www.recordedfuture.com)

- From May 2024 onward, GreenCharlie registered a large number of dynamic DNS (DDNS) domains that have highly likely been used for targeted social engineering and phishing operations.
- Insikt Group has established a direct infrastructure link between GreenCharlie clusters and malware referred to in open sources as GORBLE, which is reportedly linked to the targeting of US political candidates.
- Analysis of Recorded Future Network Intelligence indicates that GreenCharlie threat actors likely used ProtonVPN or ProtonMail to enable their operations.
- Iranian IP addresses were identified communicating with GreenCharlie infrastructure, likely as part of the operation's spearphishing component.
- GreenCharlie's victimology includes research and policy analysts, government officials, diplomats, and high-value strategic targets. While Insikt Group has not identified direct evidence of the targeting of US government and political campaign officials, open-source reporting has enabled us to establish a credible link.
- GreenCharlie highly likely operates at the behest of the Islamic Revolutionary Guard Corps (IRGC); given its persistent and strategic remit, it is also likely associated with the Intelligence Organization of the IRGC (IRGC-IO).

## Threat Analysis

#### Infrastructure Analysis

GreenCharlie infrastructure detections enable progressive tracking of threat activity believed to overlap with infrastructure used to deliver malware such as POWERSTAR, NokNok, and GorjolEcho, as well as infrastructure used for social engineering and phishing attacks. Since May 2024, we have observed the group register multiple dynamic DNS (DDNS) domains through a variety of providers, including Dynu, DNSEXIT, Vitalwerks, Cloud DNS, FreeDNS, and Dia Systems.

GreenCharlie hosted most of the identified infrastructure in small clusters. In specific cases, however, individual domains resolved to IP addresses owned by different infrastructure providers. The majority of the infrastructure identified in this research was hosted on Scalaxy B.V. (AS58061). We also identified GreenCharlie infrastructure hosted with OVHcloud (AS16276), Worldstream, NL (AS49981), M247 (AS9009), and Podaon SIA (AS211381).

Insikt Group has continued to track GreenCharlie threat clusters since we last reported on the group in May 2024. GreenCharlie continues to register infrastructure via the Namecheap registrar (much of which is highly likely still active), using themes that mimic cloud platforms, file sharing services, document viewers, video conferencing, and authentication services. These include domains containing terms such as "cloud", "uptimezone", "doceditor", "joincloud", and "pageviewer", among others. GreenCharlie uses a multitude of top-level domains (TLDs) for domain registration.
In the past we have detected .xyz, .icu, .network, .online, and .site domain clusters registered by the group. For the cluster covered in this report, the majority of domains were registered under the .info TLD. According to Recorded Future datasets, as well as DomainTools, GreenCharlie threat actors used WHOIS privacy protection to obfuscate registration details.

- 37.148.63[.]24
- 93.119.48[.]60
- 5.106.153[.]245
- 5.106.169[.]235
- 5.106.185[.]98
- 5.106.202[.]101
- 5.106.219[.]243

| SHA256 Hash | C2 Domain | IP Address | First Seen |
|---|---|---|---|
| n/a | coldwarehexahash.dns-dynamic[.]net | 38.180.123[.]231 | 2024-08-14 |
| n/a | readquickarticle.dns-dynamic[.]net | 38.180.123[.]231 | 2024-08-14 |
| n/a | uptime-timezone.dns-dynamic[.]net | 38.180.123[.]231 | 2024-07-20 |
| c3486133783379e13ed37c45dc6645cbee4c1c6e62e7988722931eef99c8eaf3 | translatorupdater.dns-dynamic[.]net | 38.180.123[.]113 | 2024-06-16 |

## Appendix A — Indicators of Compromise
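The indicators in the table above and the infrastructure patterns described in the analysis (DDNS-provider hostnames, cloud/document/viewer-themed names, the group's preferred TLDs) can be turned directly into a hunt over DNS telemetry. The following is an added example, not code from the report or from Insikt Group. The log format, the source hosts, and the DDNS suffixes other than dns-dynamic.net are assumptions constructed for the example; the domains, IP addresses, themes and TLDs are taken from the report as printed.

```python
"""Hunt DNS query logs for GreenCharlie-style infrastructure.

Exact matches use the C2 domains and IP addresses listed in the report;
heuristic matches use the DDNS-provider, naming-theme and TLD patterns the
report describes. SAMPLE_LOG and the non-report DDNS suffixes are constructed
for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def refang(ioc: str) -> str:
    """Turn the report's defanged notation (38.180.123[.]231) into a real value."""
    return ioc.replace("[.]", ".")


# Indicators from the report's C2 table (defanged there, refanged here).
C2_DOMAINS = {refang(d) for d in (
    "coldwarehexahash.dns-dynamic[.]net",
    "readquickarticle.dns-dynamic[.]net",
    "uptime-timezone.dns-dynamic[.]net",
    "translatorupdater.dns-dynamic[.]net",
)}
C2_IPS = {refang(i) for i in ("38.180.123[.]231", "38.180.123[.]113")}
# Further IP addresses listed in the report body.
REPORT_IPS = {refang(i) for i in (
    "37.148.63[.]24", "93.119.48[.]60", "5.106.153[.]245", "5.106.169[.]235",
    "5.106.185[.]98", "5.106.202[.]101", "5.106.219[.]243",
)}

# Heuristics from the infrastructure analysis section of the report.
THEMES = ("cloud", "uptimezone", "doceditor", "joincloud", "pageviewer")
TLDS = (".info", ".xyz", ".icu", ".network", ".online", ".site")
# dns-dynamic.net is the DDNS zone seen in the report's C2 table; the other
# suffixes are assumed examples of the kind of DDNS zones an analyst maintains.
DDNS_SUFFIXES = (".dns-dynamic.net", ".ddns.net", ".dynu.net", ".hopto.org")

# Constructed log format: one resolver query per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) qname=(?P<qname>\S+) qtype=\S+ answer=(?P<answer>\S+)$"
)

# Constructed sample telemetry: one report C2 domain, two heuristic hits,
# two benign lookups and one malformed line.
SAMPLE_LOG = """\
2024-08-14T10:02:11Z src=10.1.4.22 qname=uptime-timezone.dns-dynamic.net qtype=A answer=38.180.123.231
2024-08-14T10:02:12Z src=10.1.4.22 qname=www.example.com qtype=A answer=93.184.215.14
2024-08-14T10:05:40Z src=10.1.4.31 qname=share-doceditor.ddns.net qtype=A answer=203.0.113.7
2024-08-14T10:07:03Z src=10.1.4.31 qname=pageviewer-secure.info qtype=A answer=198.51.100.9
2024-08-14T10:09:55Z src=10.1.4.50 qname=login.microsoftonline.com qtype=A answer=20.190.151.7
this line is not in the expected format
"""


@dataclass
class Finding:
    ts: str
    src: str
    qname: str
    severity: str  # "high" | "medium" | "low"
    reason: str


def classify(qname: str, answer: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a query, or None if nothing matched."""
    q = qname.lower().rstrip(".")
    if q in C2_DOMAINS or answer in C2_IPS:
        return "high", "matches report C2 domain/IP"
    if answer in REPORT_IPS:
        return "high", "resolves to IP address listed in report"
    ddns = q.endswith(DDNS_SUFFIXES)
    themed = any(t in q for t in THEMES)
    if ddns and themed:
        return "medium", "themed hostname on DDNS provider"
    if themed and q.endswith(TLDS):
        return "low", "themed hostname on TLD used by group"
    return None


def hunt(lines) -> List[Finding]:
    """Parse log lines and return findings; malformed lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict = classify(m["qname"], m["answer"])
        if verdict:
            findings.append(Finding(m["ts"], m["src"], m["qname"], *verdict))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f.severity:6} {f.ts} {f.src} {f.qname}  ({f.reason})")
```

The exact-match tier is the only one that should page anyone; the "cloud" theme in particular is broad, so the medium and low tiers are triage queues to be tuned against your own baseline of DDNS and newly registered domain traffic rather than alerts in their own right.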
## Appendix B — Mitre ATT&CK Techniques

| Tactic: Technique | ATT&CK Code |
|---|---|
| Resource Development: Acquire Infrastructure: Domains | T1583.001 |
| Resource Development: Establish Accounts: Email Accounts | T1585.002 |
| Initial Access: Spearphishing Attachment | T1566.001 |
| Initial Access: Spearphishing Link | T1566.002 |
| Execution: Command and Scripting Interpreter: PowerShell | T1059.001 |
| Execution: Command and Scripting Interpreter: Unix Shell | T1059.004 |
| Persistence: Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder | T1547.001 |
| Persistence: Scheduled Task/Job: Scheduled Task | T1053.005 |
| Discovery: System Information Discovery | T1082 |
| Discovery: Process Discovery | T1057 |
| Command and Control: Application Layer Protocol: Web Protocols | T1071.001 |

Recorded Future reporting contains expressions of likelihood or probability consistent with [US Intelligence Community Directive (ICD) 203: Analytic Standards](https://irp.fas.org/dni/icd/icd-203.pdf) (published January 2, 2015). Recorded Future reporting also uses confidence level standards [employed by the US Intelligence Community](https://www.dni.gov/files/ODNI/documents/assessments/ICA-declass-16MAR21.pdf) to assess the quality and quantity of the source information supporting our analytic judgments.

*About Insikt Group®*

Recorded Future's Insikt Group, the company's threat research division, comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience.
Their mission is to produce intelligence that reduces risk for clients, enables tangible outcomes, and prevents business disruption.

*About Recorded Future®*

Recorded Future is the world's largest threat intelligence company. Recorded Future's Intelligence Cloud provides end-to-end intelligence across adversaries, infrastructure, and targets. Indexing the internet across the open web, dark web, and technical sources, Recorded Future provides real-time visibility into an expanding attack surface and threat landscape, empowering clients to act with speed and confidence to reduce risk and securely drive business forward. Headquartered in Boston with offices and employees around the world, Recorded Future works with over 1,800 businesses and government organizations across more than 75 countries to provide real-time, unbiased, and actionable intelligence.

Learn more at recordedfuture.com