
Phosphorus Group Found to be targeting Researchers in the U.S.

Phosphorus/Charming Kitten (APT35): Originally reported on October 8th by Microsoft, the Iran-linked Phosphorus group was found to be meddling in the upcoming 2020 presidential election by targeting the emails of people close to the elections. Now, researchers at ClearSky have put out a warning to security researchers in the United States, the Middle East, and France. These researchers are being targeted in relation to academic research, human rights work, and journalism. Four new attack styles were identified for the group, including spear-phishing linked to Google sites, login-attempt messaging, social network impersonation, and smishing. All four attacks are forms of spear-phishing, and the group is likely rotating through the different styles depending on its targets. The Google impersonation technique uses a message containing a link that purports to be a Google Drive document shared by other researchers. If the link is followed and the user logs in to view the document, the group harvests their credentials. The fake login-attempt email is crafted to convince the recipient that someone from North Korea has attempted to log in to their account and urges the victim to secure it. Social network impersonation has been used by the group before, utilizing alternate phishing websites and sharing them in places like Facebook, Instagram, and LinkedIn. Finally, the group has started sending spear-phishing messages through SMS texts with a link that harvests the user's credentials.

Analyst Notes

As previously stated, Iran has not typically been known to target elections. In this case, because of the elevated tension between the United States and Iran, it appears Iran is carrying out waves of campaigns to collect information on what researchers know about Iran. At this point, it is possible that these campaigns are only for collecting information and that, at a future date, the stolen credentials could be used for some other malicious purpose.