Following Holiday Season APT Charming Kitten Ramps Up Activity
During the last days of the 2020 holiday season and into early January 2021, the Iranian state-backed APT group Charming Kitten began a new targeted phishing campaign. Charming Kitten, also known as APT35 and Phosphorus, is one of many hacker groups backed by the Islamic Republic of Iran. The group started the new campaign at a time when most companies, offices, and organizations were either closed or half-closed for the Christmas holiday.
As a result, the affected companies’ technical support and IT departments were not able to respond immediately to these new cyber-attacks. Samples of this phishing campaign show that the threat actors concentrated their attacks on individuals’ online accounts, especially personal email accounts such as Gmail, Yahoo!, and Outlook, as well as business email accounts. After gaining access to an account’s credentials, the actors then steal sensitive data from their targets.
Based on further analysis of collected evidence, a clear trend has emerged showing that Charming Kitten had specifically chosen their targets from members of think tanks, political research centers, university professors, journalists, and environmental activists, in countries around the Persian Gulf, Europe, and the US. Further evidence supports the theory that this new phishing campaign is part of a much wider campaign that Charming Kitten started during the third and fourth quarters of 2020.
Evidence shows that Charming Kitten utilized SMS and email phishing techniques to compromise their targets. Interestingly, while the attackers strive to leave no evidence of their unauthorized access, they do not block the victims’ access to their own accounts, even after those accounts have been compromised.
IOCs