Rewterz Threat Alert – Charming Kitten APT Utilizes BASICSTAR Backdoor to Target Middle Eastern Policy Experts – Active IOCs

Severity

High

Analysis Summary

Charming Kitten, a threat actor attributed to Iranian origins, has been discovered launching attacks on Middle Eastern policy experts using a novel backdoor dubbed “BASICSTAR” by making a fake webinar portal.

Also known as CharmingCypress, APT35, Mint Sandstorm, Yellow Garuda, and TA453, the threat group is infamous for carrying out social engineering campaigns on a large scale that target a wide range of sectors, mostly NGOs, think tanks, and journalists. The APT (advanced persistent threat) group usually utilizes uncommon tactics for their social engineering campaigns, like engaging in long email conversations to develop trust before tricking the unsuspecting user into clicking on malicious links.

Just last month, it came to light that the threat group targeted individuals linked to Middle Eastern affairs to propagate malware like MediaPI (aka EYEGLASS) and MischiefTut, both of which feature capabilities for stealing sensitive information from an infected machine. The group is also responsible for spreading various other backdoors like BellaCiao, POWERLESS, NokNok, and POWERSTAR (aka GorjolEcho) in the previous year, which shows the APT group’s determination to remain active on the cyber landscape by adapting its tactics and methods according to the trends.

Researchers observed the phishing attacks by Charming Kitten between September and October 2023 which involved the threat actors acting as individuals from the Rasanah International Institute for Iranian Studies to initiate conversations with the targeted users and build trust with them. The adversary uses compromised email accounts that belong to legitimate individuals as well as several attacker-controlled email accounts, the latter being called Multi-Persona Impersonation (MPI).

The attack chain of this campaign uses RAR archives that contain LNK files for initial access and to distribute malware, such as BASICSTAR and KORKULOADER (a PowerShell downloader script). There are message prompts that urge the victim to join a fake webinar on topics of interest. BASICSTAR is a Visual Basic Script (VBS) malware capable of harvesting basic system information, downloading and displaying decoy PDF files, and executing commands received from a remote C2 server. Most of these phishing attacks are made to distribute different backdoors to different users depending on their operating system. For example, victims using Windows are infected with POWERLESS, while Apple macOS victims are attacked with an infection chain that deploys NokNok through a functional VPN app laced with malware.

The analysis shows that the Charming Kitten threat group commits to carrying out cyber espionage on their targets to figure out the best ways to manipulate the unsuspecting victim to deploy malware. Only a few other threat actors have developed as consistent campaigns as Charming Kitten where they dedicate human operators to carry out the social engineering efforts.

Impact

• Cyber Espionage
• Sensitive Information Theft
• Identity Theft

Indicators of Compromise

Domain Name

• defaultbluemarker.info
• rasaanah-iiis.org
• rasaaneh-iiis.org
• beginningofgraylife.ddns.net
• yellowparallelworld.ddns.net

MD5

• 853687659483d215309941dae391a68f

SHA-256

• 07384ab4488ea795affc923851e00ebc2ead3f01b57be6bf8358d7659e9ee407

SHA-1

• 25005352eff725afc93214cac14f0aa8e58ca409

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Disseminate information regarding the tactics, techniques, and procedures (TTPs) used by the Charming Kitten APT group to target dissidents.
• Educate potential targets on the risks associated with engaging in online conversations with unknown individuals, especially on social media platforms.
• Encourage individuals to use secure communication tools and platforms that offer end-to-end encryption to protect sensitive information.
• Conduct phishing awareness training to help them recognize and avoid social engineering attacks, such as deceptive messages and links.
• Advise users to enable MFA on their accounts to add an extra layer of protection against unauthorized access.
• Ensure that all devices and software used are up to date with the latest security patches to mitigate vulnerabilities.
• Train individuals to be cautious when interacting with unknown individuals online and to be vigilant about unusual or suspicious requests.
• Implement network monitoring and intrusion detection systems to detect any unauthorized access attempts or unusual activities.
• Recommend the use of secure messaging and communication platforms that offer end-to-end encryption and protect conversations from interception.