Iranian Spying Campaign Sent Holiday Greetings Riddled with Malware

Santa Claus waves to the crowd during the Macy’s Thanksgiving Day Parade on Nov. 27, 2014 in New York City.
Santa Claus waves to the crowd during the Macy’s Thanksgiving Day Parade on Nov. 27, 2014 in New York City.
Photo: Andrew Burton (Getty Images)

What did you ask for over the holidays? Surely not an infestation of foreign spies in your phone or laptop, but that’s the present you would’ve received had you been foolish enough to click on some very dodgy texts and emails swirling around the internet late last year.

Advertisement

An infamous Middle Eastern hacker cell, APT 35 (also known as “Charming Kitten”), recently launched a spear phishing campaign tailored to the festive December atmosphere: texts and emails wishing recipients a “Merry Christmas!” and a “Happy New Year!” that were, of course, loaded with spyware. This campaign was meant to ensnare high-level personnel in the U.S., Europe and the Middle East that Iranian intelligence services are interested in, said researchers with security research firm CERTFA.

“May this festive season sparkle and shine, may all your wishes and dreams come true, and may you feel this happiness all year round. Merry Christmas!” said one email, asking the reader to click on a link to their new e-book. “This year I decided to make my friends happy with my last book. Here’s my special Xmas gift to you. Hope you enjoy it,” reads another.

“Kitten,” a longstanding threat group connected to the Iranian government, is known for conducting lengthy intelligence-gathering operations via campaigns frequently targeted at U.S. diplomats and defense officials, according to FireEye researchers. In this particular case, Kitten’s campaign was targeted at a whole assortment of high-level professionals, including “members of think tanks, political research centers, university professors, journalists, and environmental activists,” researchers said.

Kitten’s campaign also used complex obfuscation methods to hide its malicious origins. The messages were sent using legitimate Google URLs which would’ve lulled the recipient into a false sense of security. Clicking on the link, however, hurled the victim through a series of re-directions that would ultimately bypassed standard security protections and land them on a malware-laden webpage, researchers said.

This latest campaign is just one of APT 35's many dirty tricks. Even more disturbing and impressive is the group’s track record when it comes to social engineering strategies, as they have been known to leverage large networks of fake social media personas as a means of targeting victims. Sometimes creating fake “journalists” using sock puppet accounts, the hackers have frequently been able to worm their way into systems by asking organizations and people for “interview requests”—a strategy that ultimately landed them the nickname “The Newscaster Team.”

Truly a reminder of online stranger danger: if you don’t know the sender, probably best not to read their e-book.

Advertisement

Staff writer at Gizmodo

DISCUSSION

arcanumv
Arcanum Five

Sorry, Persia. Not this time.

(But we will take more of that gold, frankincense, and myrrh if you’re offering.)