
This is the first time the “Charming Kitten” group has carried out a watering hole attack that also included making phone calls to victims.

Security researchers from Clearsky spotted that the Iran-linked “Charming Kitten” APT group is using WhatsApp and LinkedIn to conduct spear-phishing attacks, in which the threat actors impersonate journalists from “Deutsche Welle” and the “Jewish Journal.”

The attackers used emails alongside WhatsApp messages as their main platforms to approach the target and convince them to open the malicious link.

“This development is the first time the threat actor is said to have carried out a watering hole attack through WhatsApp and LinkedIn, which also includes making phone calls to victims,” noted Clearsky.

The company alerted Deutsche Welle to the impersonation and to the watering hole on its website.

“The reporter which Charming Kitten impersonated did not send any emails to the victim nor any other academic researcher in Israel in the past few weeks,” confirmed the German broadcaster.

In the watering hole stage, the victims were contacted through tried-and-tested social engineering methods and were later sent, via WhatsApp, a malicious link embedded in the compromised Deutsche Welle domain, on the pretext of speaking at an online webinar.

The attackers sent an email to the target in which they showed a willingness to initiate a conversation. They then asked to move the exchange to WhatsApp, if not over the phone using a legitimate German number. The attackers also sent a message through a fake LinkedIn profile.

If attackers pass the phone call obstacle, they can quickly gain more trust from the victim and walk the person through the steps of connecting to the webinar using the malicious link shared earlier during the chat.

Charming Kitten

The Iran-linked Charming Kitten group was first discovered in 2014. It is also known by the aliases APT35, NewsBeef and Newscaster. Even though APT35 opted for a new method, this is not the first time the Iranian hackers have used social media channels to spy.

In 2014, the threat actor created fake Facebook accounts and fraudulent news websites to spy on political and military leaders in Israel, the U.S. and other countries.

"In this campaign, we observed a willingness of the attackers to speak on the phone directly with the victim, using WhatsApp calls, and a legitimate German phone number. This TTP is uncommon and jeopardizes the fake identity of the attackers," Clearsky researchers said.
