Cybersecurity researchers have discovered a new network infrastructure created by Iranian threat actors to support activities related to recent attacks on political campaigns in the United States.
Recorded Future's Insikt Group has linked the infrastructure to a threat actor it tracks as GreenCharlie, an Iran-linked cyber threat group that overlaps with APT42, Charming Kitten, Damselfly, Mint Sandstorm (formerly Phosphorus), TA453 and Yellow Garuda.
“The group’s infrastructure is meticulously designed using dynamic DNS (DDNS) providers such as Dynu, DNSEXIT and Vitalwerks to register domains used in phishing attacks,” the cybersecurity firm said in a statement.
“These domains often use deceptive themes related to cloud services, file sharing, and document visualization to lure targets into revealing sensitive information or downloading malicious files.”
Examples include terms such as “cloud”, “uptimezone”, “doceditor”, “cloud join” and “page viewer”, among others. Most domains were registered using the .info top-level domain (TLD), a departure from the previously observed .xyz, .icu, .network, .online, and .site TLDs.
The adversary is experienced in conducting targeted phishing attacks that use extensive social engineering techniques to infect users with malware such as POWERSTAR (aka CharmPower and GorjolEcho) and GORBLE, which was recently identified by Google-owned Mandiant as being used in campaigns against Israel and the U.S.
GORBLE, TAMECAT and POWERSTAR are assessed to be variants of the same malware, a series of PowerShell implants that GreenCharlie has continuously developed and deployed over the years. Proofpoint has also detailed another POWERSTAR successor, dubbed BlackSmith, that was used in a phishing campaign targeting a prominent Jewish figure in late July 2024.
The infection process is often multi-step, which involves gaining initial access via phishing, then establishing communication with command and control (C2) servers, and ultimately stealing data or delivering an additional payload.
Recorded Future’s findings show that the threat actor has registered a large number of DDNS domains since May 2024, with the company also identifying links between Iranian IP addresses (38.180.146(.)194 and 38.180.146(.)174) and GreenCharlie infrastructure between July and August 2024.
In addition, a direct connection between GreenCharlie clusters and the C2 servers used by GORBLE was discovered. The operators are believed to use Proton VPN or Proton Mail to obscure their activities.
“GreenCharlie’s phishing operations are highly targeted, often using social engineering techniques that exploit current events and political tensions,” Recorded Future said.
“The group has registered numerous domains since May 2024, many of which are likely to be used for phishing activities. These domains are linked to DDNS providers that allow IP addresses to change quickly, making it difficult to track the group’s activities.”
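The infrastructure traits described above (lure-themed names around cloud, file sharing and document viewing, a preference for the .info TLD, and DDNS providers whose fast IP changes frustrate tracking) can be combined into a triage heuristic for newly observed domains seen in passive DNS or resolver logs. The following Python is an added example, not Recorded Future's tooling; the nameserver suffixes assumed for Dynu, DNSEXIT and Vitalwerks (No-IP), the scoring weights, the churn threshold and the sample records are all constructed for illustration.

```python
"""Triage heuristic for DDNS-backed, lure-themed phishing domains (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Lure themes quoted in the article (spaces removed so they match domain labels).
THEME_KEYWORDS = ("cloud", "uptimezone", "doceditor", "cloudjoin", "pageviewer")
PRIMARY_TLDS = ("info",)                                   # currently preferred
SECONDARY_TLDS = ("xyz", "icu", "network", "online", "site")  # previously observed
# ASSUMED nameserver suffixes for the named DDNS providers; verify against your own data.
DDNS_NS_SUFFIXES = ("dynu.com", "dnsexit.com", "no-ip.com")
CHURN_WINDOW = timedelta(hours=24)  # distinct IPs inside this window indicate DDNS churn
CHURN_MIN_IPS = 3
REVIEW_THRESHOLD = 5                # assumed weight where an analyst should take a look


def max_distinct_ips(observations):
    """Largest number of distinct IPs a domain resolved to within any CHURN_WINDOW.

    observations: list of (datetime, ip) pairs for one domain.
    """
    obs = sorted(observations)
    best = 0
    for i, (t0, _) in enumerate(obs):
        in_window = {ip for t, ip in obs[i:] if t - t0 <= CHURN_WINDOW}
        best = max(best, len(in_window))
    return best


def score_domain(domain, nameserver, observations):
    """Return (score, reasons) for one domain using the four article-derived traits."""
    score, reasons = 0, []
    labels = domain.lower().rstrip(".").split(".")
    tld = labels[-1]
    # Compare the registrable label with hyphens stripped ("cloud-doceditor" -> "clouddoceditor").
    sld = labels[-2].replace("-", "") if len(labels) >= 2 else ""

    hits = [k for k in THEME_KEYWORDS if k in sld]
    if hits:
        score += 2
        reasons.append("lure theme: " + ",".join(hits))
    if tld in PRIMARY_TLDS:
        score += 2
        reasons.append("preferred TLD ." + tld)
    elif tld in SECONDARY_TLDS:
        score += 1
        reasons.append("previously observed TLD ." + tld)
    ns = nameserver.lower().rstrip(".")
    if any(ns == s or ns.endswith("." + s) for s in DDNS_NS_SUFFIXES):
        score += 2
        reasons.append("DDNS provider nameserver " + ns)
    churn = max_distinct_ips(observations)
    if churn >= CHURN_MIN_IPS:
        score += 2
        reasons.append(f"{churn} distinct IPs within {CHURN_WINDOW}")
    return score, reasons


def triage(records):
    """records: iterable of (iso_timestamp, domain, authoritative_ns, resolved_ip)."""
    by_domain, ns_for = defaultdict(list), {}
    for ts, dom, ns, ip in records:
        by_domain[dom].append((datetime.fromisoformat(ts), ip))
        ns_for[dom] = ns
    result = {}
    for dom, obs in by_domain.items():
        score, reasons = score_domain(dom, ns_for[dom], obs)
        result[dom] = {"score": score, "review": score >= REVIEW_THRESHOLD, "reasons": reasons}
    return result


# Constructed passive-DNS style records (TEST-NET addresses, fictional domains).
SAMPLE_RECORDS = [
    ("2024-07-01T00:00:00", "cloud-doceditor.info", "ns1.dynu.com", "203.0.113.10"),
    ("2024-07-01T06:00:00", "cloud-doceditor.info", "ns1.dynu.com", "203.0.113.11"),
    ("2024-07-01T12:00:00", "cloud-doceditor.info", "ns1.dynu.com", "203.0.113.12"),
    ("2024-07-02T09:00:00", "pageviewer-share.online", "ns2.dnsexit.com", "198.51.100.7"),
    ("2024-07-02T09:00:00", "cloudbackup.com", "ns1.example-dns.net", "198.51.100.20"),
    ("2024-07-03T09:00:00", "cloudbackup.com", "ns1.example-dns.net", "198.51.100.20"),
    ("2024-07-02T09:00:00", "example-corp.com", "ns1.example-dns.net", "198.51.100.30"),
]

if __name__ == "__main__":
    for dom, verdict in triage(SAMPLE_RECORDS).items():
        flag = "REVIEW" if verdict["review"] else "ok    "
        print(f"{flag} {verdict['score']:>2} {dom:28} {'; '.join(verdict['reasons'])}")
```

A lure keyword alone (the legitimate-looking cloudbackup.com in the sample) stays well below the threshold; it is the combination of theme, TLD, DDNS nameserver and resolution churn that pushes a domain into review, which mirrors how the article characterises the infrastructure rather than any single trait.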
The disclosure comes amid escalating Iranian malicious cyber activity against the U.S. and other foreign targets. Earlier this week, Microsoft revealed that several sectors in the U.S. and UAE were targeted by an Iranian threat actor codenamed Peach Sandstorm (aka Refined Kitten).
Additionally, U.S. government agencies said another Iranian hacker group, the state-backed Pioneer Kitten, was working as an Initial Access Broker (IAB) to facilitate ransomware attacks against the education, financial, health, defense and government sectors in the U.S. in collaboration with Team NoEscape, RansomHouse and BlackCat.