Researchers at Recorded Future’s Insikt Group warn that the Iranian state-sponsored threat actor “GreenCharlie” is launching spear phishing attacks against US political campaigns.
“Insikt Group has identified a significant increase in cyber threat activity from GreenCharlie, an Iran-nexus group that overlaps with Mint Sandstorm, Charming Kitten, and APT42,” the researchers write.
“Targeting US political and government entities, GreenCharlie utilizes sophisticated phishing operations and malware like GORBLE and POWERSTAR. The group's infrastructure, which includes domains registered with dynamic DNS (DDNS) providers, enables the group’s phishing attacks.”
GreenCharlie uses social engineering as an initial access vector to deploy malware. Its goal is often to steal and leak information for disruptive purposes.
“Iran and its associated cyber-espionage actors have consistently demonstrated both the intent and capability to engage in influence and interference operations targeting US elections and domestic information spaces,” the researchers write. “These campaigns are likely to continue utilizing hack-and-leak tactics aimed at undermining or supporting political candidates, influencing voter behavior, and fostering discord.”
The threat actor exploits dynamic DNS services to direct users to phishing sites that impersonate popular productivity tools.
“The group’s infrastructure is meticulously crafted, utilizing dynamic DNS (DDNS) providers like Dynu, DNSEXIT, and Vitalwerks to register domains used in phishing attacks,” the researchers write. “These domains often employ deceptive themes related to cloud services, file sharing, and document visualization to lure targets into revealing sensitive information or downloading malicious files.”
Insikt Group concludes that political and government entities in the US should be on the lookout for social engineering tactics.
“While our research will continue to examine the domains, infrastructure, network intelligence, and malware, we recommend that interested parties pay increased attention to the traditional avenues Iranian APTs use to target their victims, which is predominantly via social engineering and spearphishing emails,” the researchers write. “Iranian APTs like to directly engage with targets via encrypted chats, SMS, and video calls to deliver malicious files.”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Recorded Future has the story.