top of page

Cyber Attacks Targeting Iranian Persons & Organizations in Germany: Charming Kitten & Mobile Malware

Germany's Federal Office for the Protection of the Constitution (BfV) has recently issued a warning related to the consistent cyber threats that have been persistently afflicting Iranian individuals and organizations since late 2022. These cyber attacks have reportedly targeted a variety of individuals and entities, most notably those advocating for legal, journalistic, and human rights initiatives. Interestingly, the BfV analysis points to the reality that both events within Iran's borders and those ventures externally associated with the country have been targeted.

The attacks have been alleged to the workings of a notoriously active cyber criminal group, known by a myriad of aliases but commonly referred to as Charming Kitten. Whilst falling behind their Chinese and Russian counterparts in terms of sophistication, the Iranian cyber threat landscape has progressively shown its potential by deploying a broad inventory of tailored malware and meticulously exploiting fresh security vulnerabilities in order to gain primary control.

Charming Kitten, in particular, is extensively known for its utilization of intricate social engineering tactics and carefully crafted false online personas. These are designed particularly for the purpose of deceiving and capturing the unsuspecting victim, thereby facilitating unauthorized entry into systems. Establishing apparently authentic rapport by pretending to be real journalists or Non-Governmental Organization (NGO) staff members is just one of their many tried-and-tested strategies.

The victim is then lured into engaging in an online video chat, enticed by a hyperlink. Unbeknownst to the victim, they are then coaxed into inputting their login credentials onto a fake webpage, a technique used to facilitate the stealing of user credentials. Such phishing websites often imitate legitimate service providers like Google or Microsoft to further the illusion of trustworthiness.

As the BfV noted, a seemingly innocent online video chat can end up masking a full-blown cyber assault. This attack allows the perpetrator to download the victim's whole user data, either directly or through mechanisms such as Google Takeout, upon the victim's login through the false page.

Google's Threat Analysis Group (TAG) categorically outlined the application of a malware named HYPERSCRAPE by Charming Kitten in August 2022, stating that it can conveniently extract data from Gmail, Yahoo!, and Microsoft Outlook accounts.

It's important to understand that this attack pattern is not unique to the Charming Kitten scenario. Other credible sources such as Certfa Lab and Human Rights Watch (HRW) have previously reported similar phishing campaigns targeted at varying professionals from the Middle East.

Additionally, Sophos recently discovered a mobile malware operation aimed at customers of four Iranian banks, namely Bank Mellat, Bank Saderat, Resalat Bank, and the Central Bank of Iran. This scheme involved the creation of approximately 40 fraudulent Android applications, which serve to extract classified information.

As summarized by Pankaj Kohli, a security researcher, these malicious applications utilized numerous interconnected tactics, including the interception of SMS messages used in multi-factor authentication, and even a feature to detect other banking, payment, and cryptocurrency-related applications on the infected device.

In this digitized era, it's of paramount importance to consistently stay abreast of related cybersecurity news, insights, and precautions in order to maintain robust digital defenses. At Darksteel Technologies, we are an Orlando based business that can handle all aspects of your IT security. Providing compliance, training, malware protection, cloud security, devsecops, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.


Commenting has been turned off.
bottom of page