
BASICSTAR Backdoor

The threat actor Charming Kitten, originating from Iran and also known as APT35, CharmingCypress, Mint Sandstorm, TA453, and Yellow Garuda, has recently been linked to a series of fresh attacks targeting Middle East policy experts. These attacks involve the use of a new backdoor named BASICSTAR, which is deployed through the creation of a fraudulent webinar portal.

Charming Kitten has a track record of conducting diverse social engineering campaigns, employing tactics that extensively target various entities, including think tanks, non-governmental organizations (NGOs), and journalists.

Cybercriminals Use Various Phishing Tactics to Compromise Victims

Charming Kitten frequently uses unconventional social-engineering techniques, such as engaging targets in prolonged email conversations before introducing links to unsafe content. Microsoft has disclosed that notable individuals working on Middle Eastern affairs have been singled out by this threat actor for the delivery of malware such as MischiefTut and MediaPl (also known as EYEGLASS), which is designed to extract sensitive information from compromised hosts.

The group, believed to be associated with Iran's Islamic Revolutionary Guard Corps (IRGC), has distributed various other backdoors, including PowerLess, BellaCiao, POWERSTAR (aka GorjolEcho), and NokNok, over the past year. This underscores their commitment to persist in their cyber attacks, adapting tactics and methods despite being publicly exposed.

Attackers Pose as Legitimate Entities to Trick Victims

The phishing attacks under scrutiny involved Charming Kitten operators adopting the guise of the Rasanah International Institute for Iranian Studies (IIIS) to initiate and establish trust with their targets.

These phishing attempts are notable for using compromised email accounts from legitimate contacts, as well as multiple email accounts under the control of the threat actor, a practice known as Multi-Persona Impersonation (MPI).

The attack sequences typically begin with RAR archives containing LNK files, which serve as the initial step for delivering the malware. The messages invite potential targets to participate in a fraudulent webinar on subjects tailored to their interests. In one observed multi-stage infection chain, BASICSTAR was deployed alongside KORKULOADER, a PowerShell downloader script.

The BASICSTAR Malware Collects Sensitive Information from Compromised Systems

BASICSTAR, identified as a Visual Basic Script (VBS) malware, exhibits capabilities such as collecting basic system information, executing remote commands received from a Command-and-Control (C2) server, and downloading and presenting a decoy PDF file.
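The chain described above (LNK from an archive, a PowerShell downloader, then a VBS backdoor that runs C2 commands and opens a decoy PDF) can be hunted for in process-creation telemetry. The following is an added example, not code from the article or from any vendor; the event format, the constructed sample events, and the assumption that the VBS stage runs under wscript.exe or cscript.exe are all the example's own.

```python
# Added example: flag the LNK -> PowerShell downloader -> VBS backdoor chain
# in Sysmon-style process-creation events. Field names, the use of a Windows
# script host for the VBS stage, and the sample events are assumptions.
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}     # assumed VBS hosts
DOWNLOADERS = {"powershell.exe", "pwsh.exe"}      # KORKULOADER-style stage
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}  # remote command execution

def _name(image):
    """Basename of an image path, lower-cased, accepting either slash style."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_vbs_backdoor_chains(events):
    """Return (pid, reason) findings; events are dicts: pid, ppid, image, cmdline."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = _name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = _name(parent["image"]) if parent else ""
        # Stage 2 -> 3: PowerShell downloader launching a .vbs via a script host
        if name in SCRIPT_HOSTS and re.search(r"\.vbs\b", e["cmdline"], re.I):
            if parent_name in DOWNLOADERS:
                findings.append((e["pid"], "vbs launched by PowerShell downloader"))
        # Stage 3 behaviour: script host running C2 commands or opening the decoy
        if parent_name in SCRIPT_HOSTS:
            if name in SHELLS:
                findings.append((e["pid"], "script host spawned command shell"))
            elif re.search(r"\.pdf\b", e["cmdline"], re.I):
                findings.append((e["pid"], "script host opened decoy PDF"))
    return findings

# Constructed sample telemetry (not real data); paths and names are made up.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell.exe -File %TEMP%\\loader.ps1"},   # from the LNK
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Users\\u\\AppData\\Local\\Temp\\loader.ps1"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\update.vbs"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c systeminfo"},
    {"pid": 600, "ppid": 400, "image": r"C:\Program Files\Reader\Reader.exe",
     "cmdline": '"Reader.exe" C:\\Users\\u\\AppData\\Local\\Temp\\webinar_agenda.pdf'},
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "wscript.exe C:\\scripts\\logon.vbs"},   # benign logon script: not flagged
]

if __name__ == "__main__":
    for pid, reason in find_vbs_backdoor_chains(SAMPLE_EVENTS):
        print(pid, reason)
```

Only the three events in the malicious chain are reported; the logon script launched directly by explorer.exe is left alone because its parent is not a downloader stage.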

Furthermore, certain phishing attacks are designed to deliver different backdoors depending on the targeted machine's operating system. Windows victims are compromised with PowerLess, while Apple macOS users are led through an infection chain that culminates in NokNok, delivered by a functional VPN application with the malware embedded inside it.

Researchers state that the threat actor demonstrates a high level of commitment to surveilling its targets, aiming to discern the most effective methods of manipulation and malware deployment. Moreover, Charming Kitten stands out among other threat actors by consistently launching numerous campaigns and deploying human operators to support its ongoing initiatives.
