Laying Bare Charming Kitten's Massive Campaign

Diving into details

• Proofpoint tracked six subgroups of APT42 differentiated mainly by infrastructure, victimology, and techniques. The researchers observed at least 60 campaigns this year, which relied on benign conversations to initiate contact with targets.
• While some of the subgroups wait for weeks before sending the malicious links, some deliver the links immediately. 

A look into the techniques 

• A Charming Kitten subgroup leveraged compromised credentials to target people instead of using actor-controlled accounts. 
• However, the group operated actor-controlled URL shorteners, which redirected to the usual APT42 credential harvesting pages. 
• Throughout the fall of 2021, the threat actors delivered the PowerShell backdoor GhostEcho to a multitude of diplomatic missions across Tehran.
• Also known as CharmPower, the malware is the first-stage loader for further cyberespionage activities.
• In the confrontational social engineering lures category, Charming Kitten has been using the persona 'Samantha Wolf' to get the target to respond by playing on their sense of uncertainty and fear. 

Latest TA453 campaigns

• Just a few days back, Human Rights Watch and Amnesty International’s Security Lab published a report stating that Charming Kitten has been targeting Middle East-based politicians, journalists, researchers, academics, diplomats, and human rights activists. The threat actor delivered the phishing link via WhatsApp, which led to fake login pages mimicking Yahoo, Facebook, and Google login pages. 
• In another September campaign, APT42 came up with a new phishing tactic dubbed Multi-Persona Impersonation (MPI). The technique used the ‘psychological principle of social proof’ to add a layer of authenticity to lure targets easier.

The bottom line