Thursday, April 18, 2024

Charming Kitten APT Group Uses Innovative Spear-phishing Methods

Charming Kitten APT Group Uses Innovative Spear-phishing Methods. Volexity researchers recently noticed that threat actors are actively intensifying their efforts to compromise the credentials or systems of their targets by employing Spear-phishing Methods. 

While spear-phishing techniques involve sending personalized messages and engaging in dialogue for days before delivering malicious links or attachments.

Volexity often observes Charming Kitten, an Iranian-based threat actor, using these techniques, and their main focus is gathering intelligence through compromised credentials and spear-phishing emails

The Charming Kitten APT group extracts additional access and attempts to shift to corporate VPNs or remote access services.

In this spear-phishing campaign, Charming Kitten was found to be distributing an updated version of the backdoor, dubbed POWERSTAR (aka CharmPower), by the security analysts at Volexity.

POWERSTAR Backdoor

Volexity analyzed the latest version of the POWERSTAR backdoor, unveiling Charming Kitten APT Group’s enhanced spear-phishing techniques and malware evolution.

However, despite all the challenges, Volexity successfully analyzed the new variant with all essential components.

Security researchers discovered a complex POWERSTAR variant, possibly aided by a custom server-side component for automated actions.

Notably, this version employs interesting features like IPFS and publicly accessible cloud hosting for decryption and configuration details.

Here below is the POWERSTAR timeline:-

POWERSTAR timeline
POWERSTAR timeline (Source – Volexity)

Charming Kitten focused on a recent attack target, using an email address mimicking an Israeli media reporter to send a message.

However, before deploying malware, the attacker casually inquired if the target would review a document on US foreign policy, a common request resembling those from journalists seeking opinions on relevant topics.

Charming Kitten sustained interaction through a harmless email exchange with a question list, followed by the target’s answers to deepen the target’s trust. 

After several days of legitimate communication, they sent a malicious LNK file embedded into a password-protected RAR file that is disguised as a “draft report” along with the password.

Phishing Operations

Here below, we have mentioned all the phishing operations that the phishing operator follows:-

  • Posing as a genuine person with a verifiable public profile, initiate contact and establish a basic rapport with the target.
  • The sender’s email imitates the impersonated person’s personal account, utilizing a reputable webmail service. The initial email contains no malicious content, avoiding security software detection and raising no recipient concerns.
  • Upon receiving the target’s response, send a follow-up email with a series of questions, strengthening the attacker-victim rapport and trust.
  • A malicious password-protected attachment is sent via a follow-up email if the target responds or remains unresponsive for some time, separating the password to restrict automated scanning and extraction.

POWERSTAR Backdoor Features

Here below, we have mentioned all the features of POWERSTAR:-

  • Remote execution of PowerShell and CSharp commands and code blocks
  • Persistence via Startup tasks, Registry Run keys, and Batch/PowerShell scripts
  • Dynamically updating configuration settings, including AES key and C2
  • Multiple C2 channels, including cloud file hosts, attacker-controlled servers, and IPFS-hosted files
  • Collection of system reconnaissance information, including antivirus software and user files
  • Monitoring of previously established persistence mechanisms

The POWERSTAR backdoor payload collects system info and sends it to the compromised system’s C2 address via a POST request.

In the analyzed sample, the C2 address was a subdomain on Clever Cloud, fuschia-rhinestone.cleverapps[.]io. It includes a victim identifier token for Charming Kitten’s tracking.

System Information
System information and victim identifier (Source – Volexity)

Volexity noticed the C2 updating the AES key dynamically, and POWERSTAR sets a random IV and sends it to C2 via the “Content-DPR” header. 

While the earlier versions used a custom cipher instead of AES, which improves the operations of the malware. POWERSTAR has the capability to carry out commands using two programming languages, and here below we have mentioned them:- 

  • PowerShell
  • CSharp

Modules with POWERSTAR Backdoor

Volexity successfully obtained access to nine modules of POWERSTAR, which are listed below:-

  • Screenshot: Takes a screenshot and uploads to C2
  • Processes: Enumerates running processes via “tasklist”, saves to %appdata%\Microsoft\Notepad\Processes.txt, and uploads to C2.
  • Shell: Not used in any observed sample; identifies running antivirus software, writes to Shell.txt.
  • Applications: Unchanged from Check Point report; retrieves installed programs by traversing registry key paths.
  • Persistence: Establishes persistence for the IPFS variant of POWERSTAR via a Registry Run key
  • Persistence Monitor: Checks whether various Registry keys and files dropped by POWERSTAR components are still intact; relays this information to the C2.
  • System Information: Unchanged from Check Point report; executes the system info command and relays information to C2
  • File Crawler: Retrieves drives via Get-PSDrive PowerShell cmdlet, and proceeds to recursively traverse all directories to search for files matching specific extensions while ignoring certain directories; metadata on identified files is relayed to the C2
  • Cleanup: This module now contains seven hardcoded methods.

Since 2021, when Volexity initially detected POWERSTAR, Charming Kitten enhanced the malware to increase detection complexity.

The considerable alteration involves downloading the decryption function from remote files, making it harder to detect the malware except in memory. 

Moreover, this technique gives the attacker a kill switch, which allows them to prevent further analysis of the crucial functionalities of the malware and its operations.

Document
FREE Demo

AI-Powered Email security

Implementing AI-Powered Email security solutions can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Website

Latest articles

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

In the wake of the recent disclosure of a critical vulnerability (CVE-2024-3400) affecting a...

Cerber Linux Ransomware Exploits Atlassian Servers to Take Full Control

Security researchers at Cado Security Labs have uncovered a new variant of the Cerber...

FGVulDet – New Vulnerability Detector to Analyze Source Code

Detecting source code vulnerabilities aims to protect software systems from attacks by identifying inherent...

North Korean Hackers Abuse DMARC To Legitimize Their Emails

DMARC is targeted by hackers as this serves to act as a preventative measure...

L00KUPRU Ransomware Attackers discovered in the wild

A new variant of the Xorist ransomware, dubbed L00KUPRU, has been discovered in the...

Oracle Releases Biggest Security Update in 2024 – 372 Vulnerabilities Are Fixed – Update Now!

Oracle has released its April 2024 Critical Patch Update (CPU), addressing 372 security vulnerabilities...

Outlook Login Panel Themed Phishing Attack Evaded All Antivirus Detections

Cybersecurity researchers have uncovered a new phishing attack that has bypassed all antivirus detections.The...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

WAAP/WAF ROI Analysis

Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles