Charming Kitten (APT35) is a threat group thought to be linked to the Iranian state. It conducts cyber intelligence operations against human rights activists, academic researchers and media organizations that oppose the Iranian state; the United States and Middle Eastern countries are considered to be among the countries it targets.
Charming Kitten tries to gain access to the systems from which it can collect the most information about its targets; the email accounts used by institutions and personal Facebook accounts are among these.
The Most Notable Cyber Attacks:
HBO
In 2017, following a cyberattack on HBO, a large-scale joint investigation was launched on the grounds that confidential information had been leaked. According to a statement by a hacker using the nickname Skote Vahshat, if a ransom was not paid, scripts of television episodes, including Game of Thrones episodes, would be leaked. The attack resulted in the leak of 1.5 terabytes of data, some of it shows and episodes that had not yet aired at the time.
Interference in American Elections
According to Microsoft, over a 30-day period between August and September 2019, Charming Kitten made more than 2,700 attempts to identify the email accounts of specific targets. These led to attacks on 241 accounts, of which 4 were compromised. Although the activity was thought to target a United States presidential campaign, none of the compromised accounts were election-related.
Microsoft did not say who specifically was targeted, but a later report by Reuters claimed it was Donald Trump's re-election campaign.
Iran has denied any involvement in election interference; Iranian Foreign Minister Mohammad Javad Zarif said, "We have no preference in your (United States) election to interfere in this election" and "We do not interfere in domestic elections." The similarity of the victim profiles is nevertheless striking: they were people of interest to Iran in the fields of academia, journalism, human rights activism and political opposition.
Malware and Tools Used by APT-35
DownPaper:
DownPaper is a backdoor Trojan whose main purpose is to download and run a second-stage malware on the target system.
MITRE ATT&CK Techniques
Application Layer Protocol: Web Protocols (T1071):
Command and control (C2) traffic is carried over HTTP, so the implant's connections back to the attacker blend in with ordinary web traffic from the target device.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547):
It writes a value to the Registry with PowerShell and gains persistence through the autostart mechanism: the malware is started automatically every time the user logs in.
Command and Scripting Interpreter: PowerShell (T1059):
DownPaper uses PowerShell to execute its commands on the system.
Query Registry (T1012):
Since known security vulnerabilities on old, unpatched Windows systems can be exploited, DownPaper reads Windows Update information from the Registry once it is running on the target in order to identify outdated systems.
System Owner/User Discovery (T1033):
It collects the username of the account logged in on the target system and sends this information to the attackers' C2 server.
Mimikatz
Mimikatz is a tool attackers use to extract Windows credential material from a compromised system. It can dump the memory of the LSASS process and parse the dumped data into readable credentials, such as users' NTLM hashes.
PsExec
PsExec is a free Microsoft Sysinternals tool that can be used to run programs on another computer on the same network. It is used by IT administrators and by attackers alike.
Pupy RAT
Pupy is open-source remote administration and command-and-control software that APT-35 uses as a post-exploitation tool. Because it is written in Python, payloads can easily be produced for several platforms (Windows exe, Python file, PowerShell one-liner or script file, Linux ELF, APK, Rubber Ducky).
MITRE ATT&CK Techniques
Abuse Elevation Control Mechanism: Bypass User Account Control (T1548):
User Account Control (UAC) is a security feature of Windows. Its main purpose is to keep software from silently obtaining administrative privileges by requiring a consent prompt or credentials before elevation. Pupy can bypass UAC on older Windows versions.
Application Layer Protocol: Web Protocols (T1071):
Once running on the target system, the malware communicates continuously over HTTP with a command and control server belonging to APT-35.
Audio Capture (T1123):
Pupy can record audio through the device's microphone.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547):
Pupy installs itself under the Registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" and thus persists on the infected system across logons.
Credentials from Password Stores (T1555):
It can retrieve passwords stored by web browsers and in the Windows Credential Manager in cleartext, using the open-source tool LaZagne for this.
Exfiltration Over C2 Channel (T1041):
It exfiltrates files from the target device, uploading them over the existing C2 channel to a server belonging to APT-35.
Input Capture: Keylogging (T1056):
It uses its keylogger feature to capture keystrokes and steal user credentials.
Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557):
It aims to capture user credentials or browser data through a man-in-the-middle attack inside the network, poisoning LLMNR/NBT-NS name resolution and relaying SMB authentication.
OS Credential Dumping: LSASS Memory (T1003):
It dumps LSASS memory on the target system and extracts the credentials from the dump with Mimikatz.
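Both DownPaper (T1547 above) and Pupy (T1547 above) persist through the Run key. One way to triage that offline is to parse an exported copy of the key rather than querying a live host. The following is an added example, not code from the article, DownPaper or Pupy: it parses the text of a "reg export" of the Run/RunOnce keys and flags autostart values that invoke PowerShell with encoded or hidden-window options, or that launch from a user-writable directory. The export text (including the base64 blob) is constructed for the example, and the flag list is a heuristic, not an authoritative signature.

```python
"""Offline triage of Run-key persistence from a registry export.

Added example, not code from the article, DownPaper or Pupy: parses the text
of a `reg export` of the ...\CurrentVersion\Run (and RunOnce) keys and flags
autostart values that look like a PowerShell loader or that start from a
user-writable directory. SAMPLE_REG below is constructed for the example.
"""
import re

# Only Run / RunOnce keys are of interest; other sections are skipped.
RUN_KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+\\.*\\CurrentVersion\\Run(?:Once)?)\]$", re.IGNORECASE
)
# "Name"="value" lines; .reg escapes backslashes and quotes with a backslash.
# Binary (hex:) and default (@=) values are ignored here.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Heuristic indicators of a PowerShell-based autostart entry (case-insensitive).
POWERSHELL_FLAGS = [
    (r"(^|[\\\s\"'])(powershell|pwsh)(\.exe)?\b", "autostart runs PowerShell"),
    (r"\s-e(?:c|n|nc|ncodedcommand)?\s", "encoded command (-enc)"),
    (r"\s-(w|windowstyle)\s+hidden", "hidden window"),
    (r"\s-(nop|noprofile)\b", "-NoProfile"),
    (r"\s-(ep|executionpolicy)\s+bypass", "ExecutionPolicy Bypass"),
    (r"downloadstring|downloadfile|invoke-webrequest|net\.webclient",
     "downloads content at start-up"),
    (r"\biex\b|invoke-expression", "Invoke-Expression"),
]
# Locations a normal installer rarely uses for an autostart binary.
USER_WRITABLE = re.compile(
    r"%appdata%|%temp%|%localappdata%|\\appdata\\|\\temp\\|\\users\\public\\",
    re.IGNORECASE,
)


def _unescape(s):
    """Undo .reg escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return (key, value_name, command) for every string value under a Run key."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            current = m.group(1) if m else None  # None => not a Run key, skip
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((current, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def triage(entries):
    """Return the entries that match at least one heuristic, with the reasons."""
    findings = []
    for key, name, command in entries:
        reasons = [why for pat, why in POWERSHELL_FLAGS
                   if re.search(pat, command, re.IGNORECASE)]
        if USER_WRITABLE.search(command):
            reasons.append("launches from a user-writable directory")
        if reasons:
            findings.append({"key": key, "name": name, "command": command,
                             "reasons": reasons})
    return findings


# Constructed export: one benign vendor entry, one PowerShell loader with an
# encoded command, one binary dropped under AppData, one benign HKLM entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"WindowsUpdateCheck"="powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
'''

if __name__ == "__main__":
    for f in triage(parse_reg_export(SAMPLE_REG)):
        print(f"{f['key']}\\{f['name']}: {f['command']}")
        for r in f["reasons"]:
            print("   -", r)
```

On a real case, produce the input with "reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg" (the file is UTF-16LE; decode it before parsing) and review the flagged entries by hand, since legitimate software occasionally launches PowerShell scripts at logon too. The Updater entry is flagged only for its location, which is the weaker signal; an encoded, hidden-window PowerShell command in an autostart value is the one that deserves immediate attention.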
PupyRAT Propagation Technique
The macro feature of Microsoft Office is abused by many malware families. Malicious Word, Excel or PowerPoint documents carrying macros are typically delivered through phishing; when the recipient enables the macro, it runs the malware on the system.
(MD5: 1b5e33e5a244d2d67d7a09c4ccf16e56)
IOC Information associated with APT35
Hash | Format |
43fad2d62bc23ffdc6d301571135222c | MD5 hash |
735f5d7ef0c5129f0574bec3cf3d6b06b052744a | SHA1 hash |
e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6 | SHA256 hash |
1b5e33e5a244d2d67d7a09c4ccf16e56 | MD5 hash |
934c51ff1ea00af2cb3b8465f0a3effcf759d866 | SHA1 hash |
66d24a529308d8ab7b27ddd43a6c2db84107b831257efb664044ec4437f9487b | SHA256 hash |
03ea9457bf71d51d8109e737158be888 | MD5 hash |
d20168c523058c7a82f6d79ef63ea546c794e57b | SHA1 hash |
6c195ea18c05bbf091f09873ed9cd533ec7c8de7a831b85690e48290b579634b | SHA256 hash |
97cb7dc1395918c2f3018c109ab4ea5b | MD5 hash |
3215021976b933ff76ce3436e828286e124e2527 | SHA1 hash |
8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71 | SHA256 hash |
URL/IP | Format | Contents |
ntg-sa.com | Domain name | Fake website controlled by the attacker |
itworx.com-ho.me | Domain name | Fake website controlled by the attacker |
mci.com-ho.me | Domain name | Fake website controlled by the attacker |
moh.com-ho.me | Domain name | Fake website controlled by the attacker |
mol.com-ho.me | Domain name | Fake website controlled by the attacker |
45.32.186.33 | IP address | Phishing website used to spread the PupyRAT malware |
139.59.46.154 | IP address | Website used to download the PupyRAT malware onto the system via PowerShell |
89.107.62.39 | IP address | PupyRAT command and control server |
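The indicators above are only useful once they are swept against telemetry. The following is an added example, not part of the original article: it loads the hashes, domains and IP addresses from the two tables and matches them against endpoint log lines in a simple key=value format. The field names loosely follow Sysmon's ProcessCreate, DnsQuery and NetworkConnect events, but the log lines themselves are constructed for the example (only the indicators are from the tables).

```python
"""IOC sweep over endpoint telemetry.

Added example, not part of the original article: matches the hash, domain and
IP indicators from the tables above against constructed log lines in a
key=value format (field names loosely follow Sysmon events; the lines are
made up for the example).
"""
import re

# Indicators taken from the IOC tables above, normalised to lower case.
IOC_HASHES = {
    "43fad2d62bc23ffdc6d301571135222c",
    "1b5e33e5a244d2d67d7a09c4ccf16e56",
    "03ea9457bf71d51d8109e737158be888",
    "97cb7dc1395918c2f3018c109ab4ea5b",
    "735f5d7ef0c5129f0574bec3cf3d6b06b052744a",
    "934c51ff1ea00af2cb3b8465f0a3effcf759d866",
    "d20168c523058c7a82f6d79ef63ea546c794e57b",
    "3215021976b933ff76ce3436e828286e124e2527",
    "e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6",
    "66d24a529308d8ab7b27ddd43a6c2db84107b831257efb664044ec4437f9487b",
    "6c195ea18c05bbf091f09873ed9cd533ec7c8de7a831b85690e48290b579634b",
    "8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71",
}
IOC_DOMAINS = {"ntg-sa.com", "itworx.com-ho.me", "mci.com-ho.me",
               "moh.com-ho.me", "mol.com-ho.me"}
IOC_IPS = {"45.32.186.33", "139.59.46.154", "89.107.62.39"}

# Sysmon-style "Hashes=MD5=...,SHA256=..." fields; hex length 32/40/64.
HASH_FIELD_RE = re.compile(r"\b(MD5|SHA1|SHA256)=([0-9a-fA-F]{32,64})")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\bhost=(\S+)")


def domain_matches(name):
    """Return the IOC domain that `name` equals or is a subdomain of, else None.

    Case and a trailing dot are normalised, so 'MAIL.ITWORX.COM-HO.ME.' hits.
    """
    d = name.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if d == ioc or d.endswith("." + ioc):
            return ioc
    return None


def scan_line(line):
    """Return a list of (kind, indicator) tuples found in one log line."""
    hits = []
    for kind, digest in HASH_FIELD_RE.findall(line):
        if digest.lower() in IOC_HASHES:
            hits.append((kind, digest.lower()))
    for name in DOMAIN_RE.findall(line):
        ioc = domain_matches(name)
        if ioc:
            hits.append(("domain", ioc))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    return hits


def scan_logs(lines):
    """Scan every line; return only lines with hits, tagged with host and index."""
    results = []
    for idx, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            host = HOST_RE.search(line)
            results.append({"line": idx,
                            "host": host.group(1) if host else None,
                            "hits": hits})
    return results


# Constructed sample telemetry: WS01 runs a binary whose hashes are in the IOC
# table, resolves a subdomain of an IOC domain and connects to the C2 IP;
# WS02 is clean.
SAMPLE_LOGS = [
    "2023-05-04T10:01:12Z host=WS01 event=ProcessCreate "
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe "
    "Hashes=MD5=43FAD2D62BC23FFDC6D301571135222C,"
    "SHA256=E5B643CB6EC30D0D0B458E3F2800609F260A5F15C4AC66FAF4EBF384F7976DF6",
    "2023-05-04T10:01:15Z host=WS01 event=DnsQuery "
    "QueryName=mail.itworx.com-ho.me QueryStatus=0",
    "2023-05-04T10:01:16Z host=WS01 event=NetworkConnect "
    "DestinationIp=89.107.62.39 DestinationPort=443",
    "2023-05-04T10:02:00Z host=WS02 event=DnsQuery "
    "QueryName=login.microsoftonline.com QueryStatus=0",
    "2023-05-04T10:02:03Z host=WS02 event=ProcessCreate "
    "Image=C:\\Windows\\System32\\notepad.exe "
    "Hashes=MD5=0123456789ABCDEF0123456789ABCDEF",
]

if __name__ == "__main__":
    for r in scan_logs(SAMPLE_LOGS):
        print(f"line {r['line']} host={r['host']}: {r['hits']}")
```

Two design points worth noting. Hashes are compared after lower-casing because Sysmon emits them in upper case while most IOC feeds publish lower case. Domains are matched as "equal to or a subdomain of" the indicator, since attackers routinely add hostnames under a controlled domain; the tables list specific hosts under com-ho.me, so if you want to treat the whole parent domain as hostile, add "com-ho.me" to IOC_DOMAINS as a deliberate widening of the published list.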