# The Kittens Are Back in Town 2
## Charming Kitten Campaign Keeps Going on,
 Using New Impersonation Methods 

### October 2019

#### TLP:WHITE


-----

#### Table of Content

Introduction ................................................................................................................. 3
About Charming Kitten .................................................................................................. 4
Attack Vector ............................................................................................................... 5
Impersonation Vectors .................................................................................................. 5 First Vector -A message with a link pretending to be Google Drive.................................................5

Second Vector –An SMS message........................................................................................................9
Third Vector –Login attempt alert message.....................................................................................10
Fourth Vector –Social Networks imperonation...............................................................................11

Digital Infrastructure ................................................................................................... 14
Indicators of Compromise ............................................................................................ 17


-----

#### Introduction On the 15thof September 2019, wehave published a report1about a sharp increase in Charming Kitten attacksagainst researchers from the US, Middle East, and France, focusing on Iranian academic researchers, Iranian dissidents in the US. In our last report, we exposed a new cyber espionage campaignthat was conductedon July 2019. Sincethen, we observed another wave ofthese attacks, leveraging new impersonating vectors and IOCs.Until these days, Iran was not known as a country who tends to interfere in elections around the world.From a historical perspective, this type of cyber activitieshad been attributed mainly to the Russian APT groups such as APT28 (known as Fancy Bear). The group is infamous for hacking American Democratic National Committee emails and targeting German and French campaign members, in an attempt to circumvent the elections in the US, Germany and France. Microsoft’s Octoberannouncement exposes, for first time, that Charming Kitten, an Iranian APT group, plays a role in the domain of cyber-attacks forthe purpose ofinterfering with democratic procedures.On 4thof October 20192, Microsofthasannounced that Phosphorus(known as Charming Kitten)attemptedto attack email accountsthat are associated with the following targets: U.S. presidential campaign, current and former U.S. government officials, journalists covering global politics,and prominent Iranians living outside Iran. Thesespear-phishingattackswere conductedby Charming Kitten inAugust and September.We evaluate ina medium-high level of confidence, that Microsoft’s discoveryand our findingsin our previous and existing reportsis a congruent operation, based on the following issues:1.

Same victim profiles–In both cases, the victims were individuals of interest to Iran in the fields of academic research, human rights, opposition to the Islamic Republic of Iran's regime (such as NIAC) and journalists. Although the congruent is not exactly similar, our sample is mainly based on Israeli victims.2.

Time overlapping–In our latest report, we mentioned that wehaveobserved an escalation of the attacks in July-August 2019. In their announcement, Microsoft mentioned that the attacks occurred on ‘In a 30-day periodbetween August and September’.3.

Similar attack vectors–In both cases, Charming Kitten used similar attack vectors which are:a.

Password recovery impersonationof the secondary emailbelonging to the victims in both cases.b.

Both attack vectors used spear-phishing emails in order to targetMicrosoft, Google and Yahoo services. c.

In our research, we identified spear-phishing attack via SMS messages, indicating that Charming Kitten gather phone numbers of the relevant victim. Microsoft foundthatCharming Kitten gather phone numbersforpassword recovery and two-factor authenticationsof the relevant victims to gain control to their email accounts. In this report, we uncoveredfournew spear-phishing methods used by this group, alongside with newindicators of this operation.

1 [https://www.clearskysec.com/the-kittens-are-back-in-town/](https://www.clearskysec.com/the-kittens-are-back-in-town/)
2 https://blogs.microsoft.com/on-the-issues/2019/10/04/recent-cyberattacks-require-us-all-to-be-vigilant/


-----

#### About Charming Kitten Charming Kitten, also known as APT35or Ajaxor Phosphorus,is an Iranian cyber-espionage group activesince 20143.This APTisassociated with the Ministry of Intelligence of Iran.In our previous report, we made an attacktimeline. Below is akey event timeline:

See corresponding footnote for relevant references[4].

3https://attack.mitre.org/groups/G0058/

4 2015 - [https://www.clearskysec.com/thamar-reservoir/](https://www.clearskysec.com/thamar-reservoir/)
2017 - https://www.clearskysec.com/charmingkitten/
[2018 - https://www.bleepingcomputer.com/news/security/iranian-apt-poses-as-israeli-cyber-](https://www.bleepingcomputer.com/news/security/iranian-apt-poses-as-israeli-cyber-security-firm-that-exposed-its-operations/)
[security-firm-that-exposed-its-operations/](https://www.bleepingcomputer.com/news/security/iranian-apt-poses-as-israeli-cyber-security-firm-that-exposed-its-operations/)
[March 2019 - https://noticeofpleadings.com/phosphorus/files/Complaint.pdf](https://noticeofpleadings.com/phosphorus/files/Complaint.pdf)
[September 2019 – https://www.clearskysec.com/the-kittens-are-back-in-town/](https://www.clearskysec.com/the-kittens-are-back-in-town/)
October 2019 - https://blogs.microsoft.com/on-the-issues/2019/10/04/recent-cyberattacks-requireus-all-to-be-vigilant/ 2015•ClearSkydiscovered the first wave of phishing attacks, named "Thamar reservoir".2017•ClearSkyexposed a vast espinage operation against Iranian experts working in the academy, human rights activists and media personnel.2018•Charming Kitten attempted to attack ClearSky and our customers directly via a fraudulent website impersonating the ClearSky portal.•ClearSkyidentified new wave of attacks against researchers in the Middle East, using fake emails and look-alike websites. 2019•March-Microsoft filed an official complaint against the group for “establishing an internet-based cyber theft operation referred to as 'Phosphorus'.”•September-ClearSkypublished a report about a sharp increase in Charming Kitten attacks. It appears that group has initiated a new cyber espionage campaign comprised of two stages.•October-Microsoftannounced that ‘the group is making attempts to identify consumer email accounts belonging to specific Microsoft customers, including a US Presidential Candidate. ClearSkyexposed new impersonation vectors.


-----

#### Attack Vector Charming Kitten keep trying to attack their victims with spear-phishing methods. We observed an escalation inthe volume of phishingattempts. It can be divided into threeattack platforms-1.

The first platformis sending an email message leveraging social engineering methods. 2.

The second platform includesimpersonation ofsocial media websites, such as Facebook, Twitter and Instagram, as well as using these social medias to spreadmalicious links. Clearsky has observed a few social media entitiesthat contactedtheir victims on these platforms in order to infect them via malicious websites.3.

The third platformis sending SMS messages to the cellularphone of the victim.

#### Impersonation Vectors Analyzing this campaign, we identified four impersonation vectors that Charming Kitten usesin their recent attacks. Based on our investigation, Charming Kitten tried to carryout all of these vectorsagainstthe same victims,andin some cases a few of thoseon the same day.

##### First Vector - A message with a link pretending to be Google Drive During the first impersonation vector the attacked will receive an email with a link to Google Sites from an acquaintance; for example –a research fellow. Through this vector, the victim is tempted to download a file located at the addressing fellow's Google Sites, and thus collect the victim's Google credentials.The phishing message that impersonated Google Drive serviceunder the title ‘Middle East Article’The link shown above leads to a site built with the Google Sites platform. Additionally, the domain from which the link was allegedly shared is gmail.com, whereas the domain which should appear while sharing Google Sites' sites is google.com; Also, the sharing message should be sent from an address which contains 'noreply', and not the sender's address. For acorrectsample of a Google Sites' sitesharing message, see below:Correct Google Site’s sharing message –the sender’s email is ‘drive-shares-noreplay@google.com’


-----

-----

-----

Drive). Another social engineering technique is to identify the Google Site from which the victim was directed and to pair the phishing page with its (the site's) email. In other words, the victim receives an email from the attacker with a link which was prepared for them personally. Identifying the attack –at the address line, the victim's email appears, and if it will be changed, the email presented at the site will change as well.


-----

##### Second Vector – An SMS message Through this vector, the victim will receive an SMS message which uses a Sender ID of 'Live Recover' and contains an alert about a stranger, who has attempted to compromise the victim's email, and the victim has to verify it through an attached link. The link will lead to the address shortening service presented earlier. Notice that the victim in the following example has received two messages with different links:


-----

##### Third Vector – Login attempt alert message The attackers try to present a sham show about a North Koreanattacker who has attempted to compromise the victim's Yahoo mail. The message says that a person from North Korea has logged into the email of the victim. In addition, the IP address of the alleged intruder is attached to the message (the IP is indeed North Korean), and also a button which the victim is asked to push to secure their account.The first email impersonated ‘Yahoo Login Attempt’ email. Note that similar to the impersonation in the first vector, this email address has a profile picture with2 letters that represent the email sender (CS for Customer service)This victim has received another message earlier that day about a North Korean person which made changes to the victim's account password recovery settings, so they (the victim) have to approve those changes.


-----

##### Fourth Vector – Social Networks imperonation In our previous report about Charming Kitten, we have discovered that they are impersonating security teams of social networks in order to get authentication factors. Unlike the previous cases, this group has acted mostly against email boxes. In the group's activity since July-August, we have identified a shift towards social networks, such as Instagram.


-----

_Note that the domains that are presented in the directory are related to the impersonation subject_

_and not the malicious domain. As seen from the picture, the first uploaded files were Facebook and Twitter impersonations. Impersonations of Instagram, Google, and the National Iranian-American Council (and Iranian organization sitting in the US), were uploaded later. At every such site directory, there is a ZIP file with a ready infrastructure for a phishing site:_


-----

5 https://www.niacouncil.org/about-niac/staff-board/nooshin-sadegh-samimi/


-----

#### Digital Infrastructure Through a pivot we have conducted on the main domainthat we have identified in our researchwe have found more than eightnew and unknown domains, all of which bear the '.site' TLD. For instance:customers-recovery[.]sitecom-verifications[.]sitecom-session[.]siteEach of these domains resolves to a different IP, yet almost all of them point –through DNS research –at the same Nameserver-ns11025[.]ztomy[.]com:We have succeeded to identify the new domainsthrough this Nameserver. As we pointed out, we identifieda step upin therecentcampaign regardingthetargeting of Yahoo accounts.The group has acted in the past, in 2017, to acquire the usernames and passwords for those accounts, yet it seems that in the recent years it has moved its focus toGoogle accounts. In this research, we found that thethreat actor focuses again in Yahooaccounts and impersonation to Yahoo services. Below an example toanURL address of one of the group's phishing sites which depicts an impersonation to Yahoo services such as YMail.hxxps://mobiles.com-identifier[.]site/ymail/secureLogin/challenge/url?ucode=d105ad2b-2f7d-4193-a303-03eb32967133&service=mailservice&type=password In our previous report weuncovered a server-registered methodwhich in, the malicious server will redirect the clientfrom the phishing websiteto the original website (HTTP 302 in port 442 or 301 in port 80).Inthis time too it has set its server in a way that redirects to the original Yahoo site, if a not-dedicated (i.e. specifically authorized) entrance is attempted.


-----

6.On March 2019, Microsoft filed an official complaint against Phosphorus(known as Charming Kitten),whichincludes 99 websites targeting Microsoft users. Clearsky has been monitoringthis infrastructureand identified several changes,such as new suspiciousdomains and new IPs.

6 [https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-](https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/)
[hacking/](https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/)


6.On March 2019, Microsoft filed an official complaint against Phosphorus(known as Charming Kitten),whichincludes 99 websites targeting Microsoft users. Clearsky has been monitoringthis infrastructureand identified several changes,such as new suspiciousdomains and new IPs.


-----

7 [https://noticeofpleadings.com/strontium/files/prop_ord_dj_pi_appc.pdf](https://noticeofpleadings.com/strontium/files/prop_ord_dj_pi_appc.pdf)


-----

#### Indicators of Compromisebahaius[.]infobailment[.]orgcom-activities[.]sitecom-identifier[.]sitecom-session[.]sitecom-verifications[.]sitecustomers-activities[.]sitecustomers-recovery[.]sitecustomers-reminder[.]infodocumentsfilesharing[.]clouddocument-sharing[.]onlinegomyfiles[.]infoidentifier-activities[.]infoidentifier-activities[.]onlineidentity-verification-service[.]infoinbox-drive[.]infoinbox-sharif[.]infomagic-delivery[.]infomobilecontinue[.]networkmobile-messengerplus[.]networkmy[.]en-gb[.]home-access[.]onlinenotification-accountservice[.]comrecovery-services[.]inforecoverysuperuser[.]infosee-us[.]infosessions-identifier-memberemailid[.]networksystem-services[.]sitetelagram[.]netuploaddata[.]infoverification-services[.]info40[.]112[.]253[.]18591[.]109[.]22[.]53136[.]243[.]195[.]229178[.]32[.]58[.]182185[.]177[.]59[.]24046[.]166[.]151[.]20951[.]68[.]200[.]12651[.]89[.]229[.]21551[.]255[.]157[.]110181[.]177[.]59[.]240


-----

### ClearSky Cyber Intelligence Report


Photo by 42 North on Unsplash
https://unsplash.com/photos/OE7H8Zp1

mw8


2019 All rights reserved to ClearSky Security Ltd.
TLP: WHITE - The content of the document is solely for internal use. Distributing the report outside of recipient organization is

not permitted.


-----