Analysis Summary

Iran-based nation-state threat group called APT35 (aka TA453, COBALT ILLUSION, Charming Kitten, NewsBeef, Magic Hound, Mint Sandstorm, and Phosphorus) has been active since at least 2014. The threat group conducts cyberattacks against adversaries with Iran’s Islamic Revolutionary Guard Corps. The group uses novel techniques to evade detection using malicious PowerShell scripts. It operates as a remote access backdoor installed through these malicious scripts to further download malware payloads. With multistaged and modular toolkits, the Phosphorus toolkit becomes a stealthy threat against the enemies of Iran.

The threat group is infamous for carrying out social engineering campaigns on a large scale that target a wide range of sectors, mostly NGOs, think tanks, and journalists. The APT (advanced persistent threat) group usually utilizes uncommon tactics for their social engineering campaigns, like engaging in long email conversations to develop trust before tricking the unsuspecting user into clicking on malicious links.

Impact

• Exposure of Sensitive Data
• Remote Code Execution
• Unauthorized Access
• Cyber Espionage
• Data Theft

Indicators of Compromise

MD5

• bb4c8f42cc624c628e4b98bd43f29fa6
• f9914c7d6e09d227b2cecea50b87e58b

SHA-256

• bf308e5c91bcd04473126de716e3e668cac6cb1ac9c301132d61845a6d4cb362
• 918e70e3f5fdafad28effd512b2f2d21c86cb3d3f14ec14f7ff9e7f0760fd760

SHA1

• 3a0b3426f4a2f85e0c82b2804aab7f5d5bb63fb7
• 2a29ba7302024ec1255811abec2a532136d12fef

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Disseminate information regarding the tactics, techniques, and procedures (TTPs) used by the Charming Kitten APT group to target dissidents.
• Educate potential targets on the risks associated with engaging in online conversations with unknown individuals, especially on social media platforms.
• Encourage individuals to use secure communication tools and platforms that offer end-to-end encryption to protect sensitive information.
• Conduct phishing awareness training to help them recognize and avoid social engineering attacks, such as deceptive messages and links.
• Advise users to enable MFA on their accounts to add an extra layer of protection against unauthorized access.
• Ensure that all devices and software used are up to date with the latest security patches to mitigate vulnerabilities.
• Train individuals to be cautious when interacting with unknown individuals online and to be vigilant about unusual or suspicious requests.
• Implement network monitoring and intrusion detection systems to detect any unauthorized access attempts or unusual activities.
• Recommend the use of secure messaging and communication platforms that offer end-to-end encryption and protect conversations from interception.