Charming Kitten APT is behind the credential-stealing campaign
A new credential-theft operation against senior officials at medical establishments and academic laboratories in the U.S. and Israel has been launched by a cybercriminal gang named Charming Kitten (or Phosphorus).
The group is believed to be affiliated with the Iranian Government and has engaged in a highly targeted attack using malicious PDFs as bait.
Security researchers who are keeping an eye on Charming Kitten share a concern that this attack could be a warning sign of a potential shift in the hacking group's targets.
Researchers noticed that the malicious campaign that the Phosphorus gang launched in December 2020 targeted a very specific list of professionals in the area of medical science.
The attackers used the familiar tactic of spear phishing, but the lure itself was a little unusual given that the targets were all medical staff. The victims were sent emails with the subject line "Nuclear Arms at a glance – Israel". The email included some details on the nuclear capability of Israel as well as a link to an attacker-controlled website.
When the victim clicks on the provided link, a phishing page pops up asking the victim to enter Microsoft OneDrive credentials.
Codenamed BadBlood, this credential-stealing campaign shares a lot of similarities with other attacks that the Phosphorus gang has carried out in the past, according to analysts.
As the COVID-19 pandemic drags on, medical researchers and professionals have become the prime target of this type of highly selective attack.
A number of APT groups such as Charming Kitten have launched data-theft campaigns in recent months, most of them aimed at COVID-19 vaccine testing and production centers.
The latest Phosphorus initiative, however, targeted health practitioners in oncology, genetics, and neurology, not epidemiology or infectious-disease research.
While the BadBlood campaign may indicate a major change in the hacking group's targets, it may also be the result of a short-term demand for intelligence gathering, security researchers note.
Charming Kitten APT has been operating since 2014 and has developed a vast espionage network that includes 85 IP addresses, 240 malicious domains, hundreds of hosts, and fake entities. Customized malware and spear phishing are just some of the tools in the arsenal of strategies Phosphorus typically employs against its victims.