Charming Kitten APT Group Uses Innovative Spear-phishing Methods – GBHackers

Volexity researchers recently observed threat actors intensifying their efforts to compromise targets' credentials or systems through spear-phishing.

These spear-phishing operations involve sending personalized messages and engaging the target in dialogue for days before delivering malicious links or attachments.

Volexity frequently observes Charming Kitten, an Iran-based threat actor, using these techniques; its main focus is intelligence gathering through compromised credentials and spear-phishing emails.

Once it holds credentials, the Charming Kitten APT group works to expand its access and attempts to pivot into corporate VPNs or remote access services.

In this spear-phishing campaign, security analysts at Volexity found Charming Kitten distributing an updated version of its backdoor, dubbed POWERSTAR (aka CharmPower).

Volexity's analysis of the latest POWERSTAR version documents both Charming Kitten's refined spear-phishing tradecraft and the malware's evolution.

Despite the obstacles this version places in the way of analysis, Volexity recovered the new variant together with all of its essential components.

The researchers found this POWERSTAR variant to be considerably more complex, and it is possibly supported by a custom server-side component that automates actions.

Notably, this version uses IPFS and publicly accessible cloud hosting to serve its decryption routine and configuration details.

Here below is the POWERSTAR timeline:-

In one recent attack, Charming Kitten approached the target from an email address impersonating a reporter for an Israeli media outlet.

Before deploying any malware, the attacker casually asked whether the target would review a document on US foreign policy, a request that closely resembles those journalists routinely make when seeking opinions on relevant topics.

Charming Kitten sustained the interaction with a harmless email exchange, sending a list of questions and receiving the target's answers, which deepened the target's trust.

After several days of legitimate-looking communication, they sent a malicious LNK file inside a password-protected RAR archive disguised as a draft report, together with the archive password. Password-protecting the archive prevents mail gateways and sandboxes from inspecting the LNK before the target opens it.

The steps the phishing operator follows are listed below:-

The features of POWERSTAR are listed below:-

The POWERSTAR backdoor payload collects system information and sends it to its C2 server in an HTTP POST request.

In the analyzed sample, the C2 address was a subdomain on Clever Cloud, fuschia-rhinestone.cleverapps[.]io. The request includes a victim identifier token that Charming Kitten uses to track individual victims.

Volexity observed the C2 updating the AES key dynamically; for each message POWERSTAR generates a random IV and sends it to the C2 in the Content-DPR header. Content-DPR is a Client Hints response header that a server would send to a browser, so its presence in a client request is itself an anomaly worth alerting on.
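As an added example (not code from Volexity or GBHackers), the following Python detection logic turns the three network indicators above into a scan over HTTP proxy log lines: an outbound POST, a host under the Clever Cloud cleverapps.io domain (with the sample's C2 host as a known-bad entry), and a Content-DPR header appearing in a client request. The log format, the sample lines, the placeholder IV and token values, and the severity scheme are all constructed for this example; the write-up does not describe the format of the IV or where the victim token is carried.

```python
"""Flag POWERSTAR-style C2 beacons in HTTP proxy logs.

Added example, not Volexity's or GBHackers' code. Indicators taken from
the write-up: POST beacon, *.cleverapps.io host, Content-DPR request header.
Everything else (log format, sample lines, header values) is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed log format:  TIMESTAMP SRC METHOD URL "Header: value; Header: value"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"(?P<headers>[^"]*)"$'
)

# The C2 host named in Volexity's analyzed sample.
KNOWN_C2_HOSTS = {"fuschia-rhinestone.cleverapps.io"}


@dataclass
class Finding:
    line_no: int
    src: str
    host: str
    reasons: List[str]
    severity: str


def parse_headers(raw: str) -> Dict[str, str]:
    """Split 'A: x; B: y' into a lower-cased header dict."""
    headers = {}
    for part in raw.split(";"):
        if ":" in part:
            name, value = part.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def host_of(url: str) -> str:
    m = re.match(r"https?://([^/:?]+)", url)
    return m.group(1).lower() if m else ""


def score_request(method: str, url: str, headers: Dict[str, str]):
    """Return (host, reasons, severity) for one request."""
    reasons = []
    host = host_of(url)
    known = host in KNOWN_C2_HOSTS
    if known:
        reasons.append("known POWERSTAR C2 host")
    elif host.endswith(".cleverapps.io") and method == "POST":
        # Weak on its own: Clever Cloud hosts legitimate apps too.
        reasons.append("POST to Clever Cloud app subdomain")
    if "content-dpr" in headers:
        # Content-DPR is a Client Hints *response* header; browsers never send it.
        reasons.append("Content-DPR header in a client request")
    severity = "high" if (known or len(reasons) >= 2) else "low"
    return host, reasons, severity


def scan(log_text: str) -> List[Finding]:
    """Scan the log and return one Finding per suspicious request, in order."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        host, reasons, severity = score_request(
            m["method"], m["url"], parse_headers(m["headers"])
        )
        if reasons:
            findings.append(Finding(n, m["src"], host, reasons, severity))
    return findings


# Constructed sample log: line 2 mimics the beacon described in the write-up
# (token placement and IV encoding are assumptions, not from the source).
SAMPLE_LOG = """\
2023-06-28T09:12:01Z 10.1.4.22 GET https://www.example.com/index.html "User-Agent: Mozilla/5.0"
2023-06-28T09:12:07Z 10.1.4.22 POST https://fuschia-rhinestone.cleverapps.io/api/v1/beacon?token=VICTIM-TOKEN-PLACEHOLDER "Content-Type: application/x-www-form-urlencoded; Content-DPR: UExBQ0VIT0xERVItSVY="
2023-06-28T09:15:44Z 10.1.4.37 POST https://some-other-app.cleverapps.io/metrics "Content-Type: application/json"
2023-06-28T09:16:02Z 10.1.4.22 GET https://cdn.example.com/logo.png "Accept: image/png"
2023-06-28T09:18:30Z 10.1.4.51 POST https://intranet.example.com/api "Content-Type: application/json; Content-DPR: 1.5"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.severity}] {f.src} -> {f.host}: {'; '.join(f.reasons)}")
```

The Clever Cloud indicator is deliberately scored low on its own, since the platform hosts legitimate applications; the request-side Content-DPR header is the sharper signal, and the two together (or a hit on the sample's C2 host) escalate to high. In a real deployment the host list would be fed from threat intelligence rather than hard-coded.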

Earlier versions used a custom cipher rather than AES; the move to AES with keys supplied dynamically by the C2 is an operational improvement for the malware. POWERSTAR can execute commands in two programming languages, listed below:-

Volexity obtained nine POWERSTAR modules, which are listed below:-

Since Volexity first detected POWERSTAR in 2021, Charming Kitten has refined the malware to make detection harder.

The most significant change is that the decryption function is downloaded from remotely hosted files, so the malware's core functionality is difficult to detect anywhere except in memory.

This technique also gives the attacker a kill switch: because the decryption function is fetched remotely, withdrawing that file lets the operators prevent further analysis of the malware's crucial functionality and operations.

