RansomHub Ransomware Gang Launched Cyberattack on Halliburton – Active IOCs
September 2, 2024
MuddyWater APT – Active IOCs
September 2, 2024
Severity
High
Analysis Summary
GreenCharlie is an Iran-linked cyber-espionage group whose activity overlaps with other tracked clusters such as APT42, Charming Kitten, and TA453. Its infrastructure is built largely on dynamic DNS (DDNS) providers such as Dynu, DNSEXIT, and Vitalwerks (the operator of No-IP, whose ddns.net zone appears in the indicators below) and is used primarily for phishing attacks against U.S. political campaigns.
The domains registered by GreenCharlie use deceptive themes, typically cloud services, file sharing, and document viewing, to trick targets into revealing sensitive information or downloading malicious files. Recent investigations show that GreenCharlie now favours the .info top-level domain (TLD), a shift from the .xyz, .icu, .network, .online, and .site TLDs it used previously.
Its phishing relies heavily on social engineering built around current events and political tensions to deliver malware such as POWERSTAR (also known as CharmPower and GorjolEcho) and GORBLE, both variants of a continually evolving family of PowerShell implants. The implants are used in multi-stage infections: phishing provides initial access, the implant then establishes communication with command-and-control (C2) servers, and finally data is exfiltrated or additional payloads are deployed.
The investigation also uncovered that GreenCharlie has registered numerous DDNS domains since May 2024, demonstrating a high degree of operational agility. Communications between Iran-based IP addresses and GreenCharlie’s infrastructure were observed between July and August 2024, with Proton VPN or Proton Mail being used to obscure these activities. This level of infrastructure and operational sophistication is consistent with GreenCharlie’s targeted approach and their ability to rapidly adjust their strategies to avoid detection and sustain their campaigns.
These developments are part of a broader increase in Iranian cyber activity against U.S. and other foreign targets. Beyond GreenCharlie, other Iranian threat actors like Peach Sandstorm and Pioneer Kitten have been implicated in various malicious activities, including targeting sectors such as education, finance, healthcare, defense, and government in the U.S. Notably, Pioneer Kitten has acted as an initial access broker for ransomware operations, collaborating with groups like NoEscape, RansomHouse, and BlackCat, underscoring the expanding scope and sophistication of Iranian state-sponsored cyber operations.
Impact
- Sensitive Data Theft
- Unauthorized Access
- Cyber Espionage
Indicators of Compromise
Domain Name
- activeeditor.info
- personalwebview.info
- longlivefreedom.ddns.net
- hugmefirstddd.ddns.net
- icenotebook.ddns.net
IP
- 193.111.236.130
- 185.143.233.120
- 94.74.175.209
- 185.241.61.86
- 172.86.77.85
MD5
- 157284a93f3c5f488f4559db3537daea
- b6f02f67e2b5d2c81bc502d24258a1d5
- 6c033c2cbeff71f7d17be4628c7e59f5
SHA-256
- c3486133783379e13ed37c45dc6645cbee4c1c6e62e7988722931eef99c8eaf3
- 33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156
- 4ac088bf25d153ec2b9402377695b15a28019dc8087d98bd34e10fed3424125f
SHA1
- 5a892c6cf26f90220d279d878206bf73f933f4dc
- 7e564f5f6bb98f629789565a737738ea66330f74
- ca06b5b530c5c9fc09b12b1c8c48f8aeca4c3452
Remediation
- Block the listed domains, IP addresses, and file hashes at your respective controls (DNS filtering, web proxy, firewall, and EDR).
- Search for the indicators of compromise (IOCs) in your environment using DNS, proxy, and endpoint telemetry. Because the group registers new DDNS names frequently, also review queries to the DDNS provider zones the listed domains fall under (for example ddns.net) as hunting leads rather than relying on the static list alone.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Transmit sensitive information only over secure, encrypted channels such as VPNs and encrypted email.
- Enforce multi-factor authentication on email and cloud accounts, preferably a phishing-resistant method such as FIDO2 security keys, since the group's lures are designed to harvest sensitive information through credential-themed pages.
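The following is an added example, not code from the original advisory, showing how the blocking and hunting steps above can be applied in practice. It loads the indicators listed on this page, matches them against constructed DNS/connection log lines and a constructed file-hash inventory, and additionally flags any host under the ddns.net zone as a low-confidence lead, since the group registers new DDNS names faster than indicator lists are updated. The tab-separated log format, the sample lines, the file paths, and the `DDNS_PARENT_ZONES` set are assumptions for illustration; ddns.net is included because three of the listed domains sit under it, and other provider zones should be added from your own research.

```python
"""Hunt for the GreenCharlie indicators above in DNS/connection logs and hash inventories.

Added example, not part of the original advisory. Log format, sample lines and
file paths are constructed for illustration.
"""
from collections import namedtuple

# Indicators copied from the advisory's IOC section.
IOC_DOMAINS = {
    "activeeditor.info", "personalwebview.info",
    "longlivefreedom.ddns.net", "hugmefirstddd.ddns.net", "icenotebook.ddns.net",
}
IOC_IPS = {
    "193.111.236.130", "185.143.233.120", "94.74.175.209",
    "185.241.61.86", "172.86.77.85",
}
IOC_HASHES = {h.lower() for h in (
    # MD5
    "157284a93f3c5f488f4559db3537daea", "b6f02f67e2b5d2c81bc502d24258a1d5",
    "6c033c2cbeff71f7d17be4628c7e59f5",
    # SHA-256
    "c3486133783379e13ed37c45dc6645cbee4c1c6e62e7988722931eef99c8eaf3",
    "33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156",
    "4ac088bf25d153ec2b9402377695b15a28019dc8087d98bd34e10fed3424125f",
    # SHA1
    "5a892c6cf26f90220d279d878206bf73f933f4dc", "7e564f5f6bb98f629789565a737738ea66330f74",
    "ca06b5b530c5c9fc09b12b1c8c48f8aeca4c3452",
)}

# Dynamic-DNS parent zones. ddns.net (No-IP / Vitalwerks) hosts three of the listed
# domains; other provider zones are an assumption to fill in from your own research.
# A hit here is a hunting lead, not a confirmed indicator.
DDNS_PARENT_ZONES = {"ddns.net"}

Match = namedtuple("Match", "line kind value confidence")


def classify_domain(fqdn):
    """Return (kind, value, confidence) for a queried name, or None.

    A listed domain, or any subdomain of one, is a high-confidence hit. Any other
    host under a DDNS parent zone is a low-confidence lead; the bare zone itself
    (e.g. a lookup of 'ddns.net') is ignored.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in IOC_DOMAINS:
            return ("domain", suffix, "high")
        if i > 0 and suffix in DDNS_PARENT_ZONES:
            return ("ddns_zone", suffix, "low")
    return None


def hunt_logs(log_text):
    """Scan tab-separated lines: timestamp, src_ip, dst_ip, event, queried_name ('-' if none).

    Both endpoint addresses are checked against the IP indicators; the queried
    name is checked with classify_domain(). Malformed lines are skipped.
    """
    hits = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        fields = raw.split("\t")
        if len(fields) != 5:
            continue
        _ts, src, dst, _event, name = fields
        for ip in (src, dst):
            if ip in IOC_IPS:
                hits.append(Match(lineno, "ip", ip, "high"))
        if name != "-":
            verdict = classify_domain(name)
            if verdict:
                hits.append(Match(lineno, *verdict))
    return hits


def hunt_hashes(inventory):
    """inventory: {path: hex digest}. Digests are lower-cased before comparison so
    uppercase output from some hashing tools still matches. Returns {path: digest}."""
    return {path: h.lower() for path, h in inventory.items() if h.lower() in IOC_HASHES}


# Constructed sample telemetry (not real logs).
SAMPLE_LOG = (
    "2024-08-14T09:58:02Z\t10.0.0.21\t10.0.0.53\tdns\tlogin.microsoftonline.com\n"
    "2024-08-14T09:58:41Z\t10.0.0.21\t10.0.0.53\tdns\tactiveeditor.info\n"
    "2024-08-14T10:01:07Z\t10.0.0.21\t185.241.61.86\tconn\t-\n"
    "2024-08-14T10:03:19Z\t10.0.0.34\t10.0.0.53\tdns\tcdn.icenotebook.ddns.net\n"
    "2024-08-14T10:05:55Z\t10.0.0.34\t10.0.0.53\tdns\tmybox.ddns.net\n"
    "2024-08-14T10:06:10Z\t10.0.0.34\t10.0.0.53\tdns\tddns.net\n"
)
SAMPLE_INVENTORY = {  # constructed paths; the first digest is a listed MD5 in uppercase
    r"C:\Users\jdoe\Downloads\invite.pdf.lnk": "157284A93F3C5F488F4559DB3537DAEA",
    r"C:\Windows\System32\notepad.exe": "00000000000000000000000000000000",
}

if __name__ == "__main__":
    for m in hunt_logs(SAMPLE_LOG):
        print(f"line {m.line}: {m.kind} {m.value} [{m.confidence}]")
    for path, digest in hunt_hashes(SAMPLE_INVENTORY).items():
        print(f"hash hit: {path} {digest}")
```

Feed the functions your own DNS, proxy, or EDR exports after mapping them to the five-field layout; the low-confidence `ddns_zone` hits are meant for triage, not automatic blocking, because legitimate users also rely on No-IP.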