Iran-linked APT 'Charming Kitten' adds new impersonation tactics to trick potential victims

The group, also known as APT35, is thought to have recently targeted the US presidential primary elections

An Iran-linked advanced persistent threat (APT) group dubbed Charming Kitten, which is alleged to have targeted a US primary presidential campaign in recent months, has added new impersonation vectors to its repertoire.

That's according to a report by security researchers at ClearSky, which claims that the group was recently observed intensifying its phishing attempts in an effort to steal sensitive information from potential victims.

This threat group is known by multiple names, including Charming Kitten, Phosphorus, APT35, NewsBeef, and Ajax Security Team.

Its activities were first observed in October 2018, when security specialists observed it attempting to compromise the email accounts of potential targets by circumventing two-factor authentication schemes. A successful attack enabled the hackers to monitor their victim's communications with other parties.

Earlier this month, Microsoft said that the Phosphorus group (aka Charming Kitten) attempted to compromise email accounts associated with US presidential campaign, current and former US government officials, journalists, and some Iranians living outside Iran.

ClearSky researchers say they recently observed a sharp increase in Charming Kitten attacks against researchers in the US, Middle East, and France, specifically focusing on Iranian academic researchers and Iranian dissidents in the US.

Charming Kitten has also added four new sophisticated impersonation tactics to its campaign in a bid to trick users into revealing their sensitive information to the attackers.

The first tactic involves sending an email to a potential victim, with a link to Google sites from a familiar person. The email lures the victim to download a malicious file, enabling the hackers to collect Google credentials of the victim.

The second tactic involves sending an SMS message using a Sender ID of "Live Recover", which alerts the victim to a supposed attempt to compromise their email account. The victim is asked to secure their account by following the accompanying malicious link.

The third tactic involves presenting "a sham show" about a North Korean hacker who tried to compromise the victim's Yahoo mail. The victim is then asked to tap a malicious button to verify and secure their account.

The fourth involves attackers presenting themselves as the security teams of popular social networks, such as Facebook, Twitter, and Instagram in a bid to try to get authentication information from their marks.

Last May, threat intelligence specialists warned that Iran had developed a sophisticated 'hierarchy of hackers' and was gearing up to launch a new wave of cyber attacks against Western government organisations and businesses.

In November 2018 Iran accused Israel, a close US ally, of launching a cyber attack targeting vital telecommunications infrastructure in the country.

In June, the US Cyber Command carried out a "secret" cyber attack against Iran in a bid to impair the country's ability to target oil tankers in the Persian Gulf.

The attack was carried out the same day that President Trump called off a retaliatory air strike planned after the shooting down of a US surveillance drone by Iranian forces.