New Network Established by Iranian Cybercriminals to Focus on U.S. Political Campaigns

Aug 30, 2024Ravie LakshmananCyber Threat / Cyber Espionage

An investigation by cybersecurity experts has revealed a new network established by Iranian hackers to aid their recent attacks on U.S. political campaigns.

According to Recorded Future’s Insikt Group, the infrastructure has been linked to GreenCharlie, a cyber threat group associated with Iran, as well as APT42, Charming Kitten, Damselfly, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda.

“The hacker group’s network is skillfully designed, using dynamic DNS (DDNS) services like Dynu, DNSEXIT, and Vitalwerks to register domains used in fraudulent activities,” stated the cybersecurity firm.

“These domains frequently employ misleading themes related to online services, file sharing, and document display to entice targets into divulging confidential information or downloading harmful files.”

Examples include terms such as “cloud,” “uptimezone,” “doceditor,” “joincloud,” and “pageviewer.” Most of the domains were registered under the .info top-level domain (TLD), a departure from the group's earlier use of the .xyz, .icu, .network, .online, and .site TLDs.
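As an added illustration (not code from the Recorded Future report or this article), the following Python triage heuristic scores queried names in constructed DNS resolver log lines by the lure vocabulary and TLDs described above; the log format, sample names, and score weights are assumptions, and a hit is a hunting lead for an analyst, not an attribution.

```python
import re
from collections import namedtuple

# Lure vocabulary and TLDs named in the reporting summarized above; the weights are assumed.
LURE_TOKENS = ("cloud", "uptimezone", "doceditor", "joincloud", "pageviewer")
TLD_WEIGHTS = {"info": 2, "xyz": 1, "icu": 1, "network": 1, "online": 1, "site": 1}
Hit = namedtuple("Hit", "domain score reasons")

def score_domain(domain: str) -> Hit:
    """Weight a queried name by its TLD and by lure tokens in the non-TLD labels."""
    d = domain.lower().rstrip(".")
    labels = d.split(".")
    score, reasons = 0, []
    if labels[-1] in TLD_WEIGHTS:
        score += TLD_WEIGHTS[labels[-1]]
        reasons.append(f"tld:.{labels[-1]}")
    body = ".".join(labels[:-1])  # every label except the TLD
    for tok in LURE_TOKENS:
        if tok in body:
            score += 2
            reasons.append(f"lure:{tok}")
    return Hit(d, score, reasons)

# Assumed resolver log shape: "<timestamp> <client-ip> query <qname>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")

def triage(lines, threshold=3):
    """Distinct queried names scoring at or above threshold, highest score first."""
    hits = {}
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            hit = score_domain(m.group("qname"))
            if hit.score >= threshold:
                hits[hit.domain] = hit
    return sorted(hits.values(), key=lambda h: -h.score)

# Constructed sample log; none of these names are real indicators. The
# benign www.icloud.com matches "cloud" but stays under the threshold.
SAMPLE_LOG = """\
2024-08-12T09:14:02Z 10.0.0.15 query mail.google.com
2024-08-12T09:14:07Z 10.0.0.15 query doceditor-share.info
2024-08-12T09:15:30Z 10.0.0.22 query uptimezone-docs.xyz
2024-08-12T09:16:01Z 10.0.0.22 query www.icloud.com
2024-08-12T09:17:44Z 10.0.0.31 query cloud-pageviewer.site
"""
if __name__ == "__main__":
    for h in triage(SAMPLE_LOG.splitlines()):
        print(h.domain, h.score, ",".join(h.reasons))
```

Tune the threshold against your own resolver logs: the lure words are common enough in legitimate SaaS hostnames that the TLD weight is what keeps the false-positive rate workable.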

The adversary specializes in highly targeted phishing attacks that use elaborate social engineering to deliver malware such as POWERSTAR (aka CharmPower and GorjolEcho) and the recently identified GORBLE, which was used in operations against Israel and the U.S.

GORBLE, TAMECAT, and POWERSTAR are believed to be variations of the same malware, a series of continually evolving PowerShell implants deployed by GreenCharlie over time. It’s interesting to note that Proofpoint disclosed another variant of POWERSTAR called BlackSmith, used in a spear-phishing campaign against a prominent Jewish individual in late July 2024.

The infection chain typically involves multiple stages: initial access through phishing, followed by communication with command-and-control (C2) servers, and ultimately data theft or the delivery of additional payloads.

Recorded Future’s analysis shows that the threat actor has registered numerous DDNS domains since May 2024, with the company detecting communications between Iran-based IP addresses (38.180.146[.]194 and 38.180.146[.]174) and GreenCharlie infrastructure from July to August 2024.

Moreover, a direct connection has been uncovered between GreenCharlie clusters and the C2 servers used by GORBLE, with indications that the operations are obscured through the use of Proton VPN or Proton Mail.

“GreenCharlie employs pinpoint phishing tactics, often leveraging social engineering strategies that exploit ongoing events and political rivalries,” stated Recorded Future.

“The group has registered multiple domains since May 2024, many of which are likely involved in phishing activities. These domains are associated with DDNS providers, enabling rapid IP address changes to complicate tracking of the group’s operations.”

This revelation comes amidst an escalation of Iranian cyber operations against the U.S. and other international targets. Recently, Microsoft reported that various sectors in the U.S. and the U.A.E. are under threat from an Iranian group known as Peach Sandstorm (also called Refined Kitten).

Furthermore, U.S. government bodies have identified another Iranian state-supported hacking faction, Pioneer Kitten, which has been involved in coordinating ransomware attacks in collaboration with NoEscape, RansomHouse, and BlackCat groups targeting education, finance, healthcare, defense, and government sectors in the U.S.
