An Iranian cyberespionage group posed as journalists to approach victims via LinkedIn and WhatsApp and infect their devices with malware.
The Charming Kitten APT group is known for targeting the government, defense technology, military, and diplomacy sectors; its new tactics were identified by the Israeli security firm ClearSky.
ClearSky stated that the group impersonated Deutsche Welle and the Jewish Journal, using emails and WhatsApp messages as the main channels to approach targets and convince them to open a malicious link.
According to the firm, this is the first time the threat actor has been observed combining a watering hole attack with contact over WhatsApp and LinkedIn, including phone calls to victims.
When the German broadcaster Deutsche Welle was informed about the impersonation and the watering hole on its website, it confirmed that the reporter whom Charming Kitten impersonated had not sent any emails to the victim, or to any other academic researcher in Israel, in the preceding weeks.
Charming Kitten (also known as APT35, Parastoo, NewsBeef, and Newscaster) was earlier linked to a series of covert campaigns aimed at stealing sensitive information from human rights activists, academic researchers, and media outlets.
The watering hole here is a page on a compromised Deutsche Welle domain; the link to it was delivered via WhatsApp and led to the info-stealer malware. Before that, victims were approached through social engineering, using the pretext of inviting the academics to speak at an online webinar.
According to the ClearSky researchers, the hackers first contacted victims via LinkedIn messages, posing as Persian-speaking journalists working for Deutsche Welle and the Israeli magazine Jewish Journal.
After making contact, the attackers would try to set up a WhatsApp call with the target and discuss Iranian affairs to gain the target's trust.
After the initial call, victims would receive a link to the compromised Deutsche Welle domain, which hosted either a phishing page or a ZIP file containing malware capable of dumping and stealing their credentials.
In previous attacks, Charming Kitten only used emails and SMS to contact victims and never called them. A successful phone call, however, earns far more trust from the victim than an email message does.
The tactic itself is not new: North Korean hackers have used the same approach for years.
Image Credits : Dark Web Links