Iranian-linked hackers pose as journalists in the email scam campaign

Charming Kitten hackers sent out fake requests for interviews impersonating New York Times journalists

Iranian government-linked hackers attempted to steal email login information by targetting people with fake interview offers from journalists.^[1] Iranian activists, other journalists, people from academia, permanently living in other countries got emails from the Charming Kitten hackers, also known as phosphorus, APT35, or Ajax Security Team.^[2]

Iranian-born German academic Erfan Kasraie got the email from The Wall Street Journal with the request for an interview and reported the suspicious activity and red flags:

• the email came from a well-known journalist but sounded like the letter from a fan;
• the alleged journalist works for a different source, not the claimed WSJ;
• the message stated that the interview would be about important receivers’ achievements;
• after the agreement to get interviewed, people receive a redirect that requires Google account passwords before the questionnaire can be seen.

The campaign targeted people who don’t live in Iran anymore, and reports stated that hacking attempts are linked with a known Charming Kitten group, even though Iran denies operating or supporting any hacker groups. Hacking campaigns related to the Iranian government got reported many times before.^[3]

Attempt to break into email accounts and inject customized malware

The phishing campaign aimed to get the credentials of valuable accounts and obtain information. The letter included links to legitimate-looking websites injected with malicious code, allowing malicious actors to collect needed information. This method recorded IP addresses, details about the operating system, web browsers, and other data needed for targeted malware attacks.^[4]

The email that was sent out to Iranians living in other countries (translation):

Hello 
My name is Farnaz Fasihi. I am a journalist at the Wall Street Journal newspaper.
The Middle East team of the WSJ intends to introduce successful non-local individuals in developed countries. Your activities in the fields of research and philosophy of science led me to introduce you as a successful Iranian. The director of the Middle East team asked us to set up an interview with you and share some of your important achievements with our audience. This interview could motivate the youth of our beloved country to discover their talents and move toward success.
Needless to say, this interview is a great honor for me personally, and I urge you to accept my invitation for the interview.
The questions are designed professionally by a group of my colleagues and the resulting interview will be published in the Weekly Interview section of the WSJ. I will send you the questions and requirements of the interview as soon as you accept.
*Footnote: Non-local refers to people who were born in other countries.
Thank you for your kindness and attention.
Farnaz Fasihi

Once the victim agrees to answer questions, a website with the download form appears. Google Sites hosted page shows the logo of a said news source and button that triggers a direct download. This method leads to a phishing site where email login information and the two-factor authentication code get asked. Charming Kitten used this technique to steal Google verification codes from users via fake SMS before.^[5] 

Sophisticated Charming Kitten malware

Researchers investigated the campaign and revealed the new malware from this group that changes settings in Windows Firewall and the Registry. The payload named pdfReader.exe got used in the first stages of the attack. Then, the threat uses additional functions of a backdoor and allows remote access to hackers who can deploy additional activities. At this stage, details gathered on the questionable site before can be used to customize the malware attack. Apparently the same malware has a few versions because different samples got discovered. 

Such a technique when third-party services get weaponized became a popular trend amongst malicious actors. This method allows attackers to evade anti-spam systems of email service providers while using normal URLs. Attackers hide their behavior behind legitimate Google Drive and other services and can get inside the web traffic and bypass firewalls. Three particular techniques got discovered in this campaign:

• phishing pages hosted as HTML files on GCS to steal information from victims via the login forms;
• additional presentation hosting to redirect users to pages using phishing kits;
• automatic redirects from GCS to servers relying on phishing techniques.