
July 10, 2023

Beware of Charming Kittens and sock puppets!


Source: Bleeping Computer

Summary

Researchers have identified a new Charming Kitten campaign in which the Iran-linked group has relied heavily on a social engineering technique known as multi-persona impersonation (MPI). MPI involves attackers sending emails to targets while CCing other email addresses under their control and then responding to that email. This fake conversation adds legitimacy to the email chain.
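The MPI pattern described above has a structural tell a mail-filtering rule can look for: the first message the target receives is already a "reply" in a conversation whose earlier messages the target's organization never sent or received, and the other participants in that inherited thread are all external. The following detector is an added illustration written for this article, not Field Effect's or Bleeping Computer's tooling; the domain names, addresses and Message-IDs are constructed, and the "known Message-ID" store stands in for whatever the real mail server has logged.

```python
"""Heuristic flag for multi-persona impersonation (MPI) email threads.

Added example, not part of the original article or any vendor product.
It parses RFC 5322 messages with the standard library and flags inbound
mail that arrives as a reply to a thread our organisation has never seen,
with two or more external parties already "talking" in it.  All domains,
addresses and Message-IDs below are constructed.
"""
from email import message_from_string
from email.utils import getaddresses

OUR_DOMAIN = "example-org.test"  # constructed; the defended organisation's domain

# Message-IDs our mail server has actually sent or received (constructed).
KNOWN_MESSAGE_IDS = {"<20230701-a1@example-org.test>"}


def is_internal(addr: str) -> bool:
    """True when the address belongs to our own domain."""
    return addr.lower().rsplit("@", 1)[-1] == OUR_DOMAIN


def participants(msg) -> set:
    """All lower-cased addresses found in From, To and Cc."""
    raw = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(raw) if addr}


def referenced_ids(msg) -> set:
    """Message-IDs this message claims to be a reply to."""
    ids = set(msg.get("References", "").split())
    if msg.get("In-Reply-To"):
        ids.add(msg["In-Reply-To"].strip())
    return ids


def assess(raw_message: str, known_ids=KNOWN_MESSAGE_IDS) -> dict:
    """Return a verdict dict: subject, suspicious flag and the reasons."""
    msg = message_from_string(raw_message)
    refs = referenced_ids(msg)
    external = {a for a in participants(msg) if not is_internal(a)}
    reasons = []
    # The message inherits a thread history, yet none of it is in our store:
    # the conversation happened somewhere we could not observe (or never happened).
    fabricated_history = bool(refs) and refs.isdisjoint(known_ids)
    if fabricated_history:
        reasons.append("reply to a thread our mail store has never seen")
    # Several external parties already in the thread before we were included,
    # which is exactly how CC'd sock puppets lend legitimacy to the chain.
    if fabricated_history and len(external) >= 2:
        reasons.append(f"{len(external)} external participants in an inherited thread")
    return {
        "subject": msg.get("Subject", ""),
        "suspicious": fabricated_history and len(external) >= 2,
        "reasons": reasons,
    }


# --- constructed sample messages -------------------------------------------
SAMPLE_MPI = """\
From: Persona One <p.one@policy-forum-nuclear.test>
To: researcher@example-org.test
Cc: Persona Two <p.two@energy-institute.test>
Subject: Re: Re: Comments on the draft report
Message-ID: <m3@policy-forum-nuclear.test>
In-Reply-To: <m2@energy-institute.test>
References: <m1@policy-forum-nuclear.test> <m2@energy-institute.test>

Thanks both, attaching the document we discussed below.
"""

SAMPLE_LEGIT_REPLY = """\
From: Partner <partner@partner-lab.test>
To: researcher@example-org.test
Subject: Re: Meeting next week
Message-ID: <r1@partner-lab.test>
In-Reply-To: <20230701-a1@example-org.test>
References: <20230701-a1@example-org.test>

Tuesday works for me.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_MPI, SAMPLE_LEGIT_REPLY):
        print(assess(sample))
```

The rule is deliberately conservative: a genuine reply to a message our server logged passes, and a plain cold email with no thread history passes too, so only the fabricated-conversation shape the article describes is flagged. In production the known-ID set would be backed by the mail server's message log rather than a constant, and a hit would route the message to human review rather than block it outright.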

For this campaign, Charming Kitten created several personas, or “sock puppets,” pretending to be in the nuclear energy industry. These sock puppets exchanged a series of emails with each other and the victim, ultimately designed to trick the victim into downloading the GorjolEcho backdoor. Once downloaded and installed, GorjolEcho opens a benign PDF document relevant to the subject of the email exchange between the attackers and the victim.

For macOS users, whom the hackers typically identify only after failing to infect them with the Windows variant, the attackers send a new link to a ZIP file containing the NokNok malware, which masquerades as a RUSI (Royal United Services Institute) VPN app.

Analysis

The development and use of a network of personas to support a phishing campaign requires considerable effort and resources and is thus indicative that a highly motivated state-sponsored actor was behind this threat activity.

Furthermore, any information related to the nuclear energy industry would align with Iranian intelligence requirements, so it’s expected Iran-linked cyber actors would target individuals in this industry.

The addition of a macOS malware variant was likely prompted by intended victims complaining of error messages when attempting to download the Windows file on macOS systems. Charming Kitten likely created a workaround for Mac users quickly in order to increase its chances of compromising more victims.

Mitigation

Covalence users can submit suspicious emails to Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they are benign. Field Effect encourages users to scrutinize all unsolicited messages from untrusted sources via email, text, or social media, especially when those messages contain a link or attachment.
