Iranian Hackers Target Middle East Policy Experts with New BASICSTAR Backdoor

19.02.2024

The Iranian-origin threat group known as Charming Kitten has been linked to a series of new attacks targeting Middle East policy experts. These attacks involve the use of a new backdoor named BASICSTAR, deployed through a fake webinar portal. Charming Kitten, also known as APT35, CharmingCypress, Mint Sandstorm, TA453, and Yellow Garuda, has a history of conducting social engineering campaigns primarily targeting think tanks, NGOs, and journalists.

Researchers from Volexity noted that CharmingCypress employs unique social engineering tactics, such as engaging targets in prolonged email conversations before delivering links to malicious content. Microsoft recently revealed that high-profile individuals involved in Middle Eastern affairs have been targeted by Charming Kitten to deploy malware like MischiefTut and MediaPl (aka EYEGLASS), capable of harvesting sensitive information.

Affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), Charming Kitten has distributed various backdoors, including PowerLess, BellaCiao, POWERSTAR (aka GorjolEcho), and NokNok over the past year. Despite public exposure, the group remains determined, adapting its tactics.

Phishing attacks observed between September and October 2023 involved Charming Kitten posing as the Rasanah International Institute for Iranian Studies (IIIS) to build trust with targets. The attacks feature the use of compromised email accounts and Multi-Persona Impersonation (MPI).

The attack chains typically use RAR archives with LNK files to distribute malware, urging targets to join a fake webinar on topics of interest. A multi-stage infection sequence deploys BASICSTAR and KORKULOADER, a PowerShell downloader script.

BASICSTAR, a Visual Basic Script (VBS) malware, gathers system information, executes commands from a command-and-control (C2) server, and downloads/display decoy PDF files. Some attacks serve different backdoors based on the operating system, with Windows victims compromised by POWERLESS and macOS victims targeted with NokNok through a VPN application.

CharmingCypress demonstrates a high level of commitment to surveillance and malware deployment, consistently conducting campaigns. Recorded Future also uncovered IRGC’s targeting of Western countries through a network of contracting companies specializing in surveillance and offensive technologies.

Iranian contracting companies, associated with the IRGC, act as “firewalls” concealing the sponsoring entity. These include Ayandeh Sazan Sepher Aria, DSP Research Institute, Sabrin Kish, Soroush Saman, Mahak Rayan Afraz, and the Parnian Telecommunication and Electronic Company. The individuals running these companies are closely tied to the IRGC, some even representing sanctioned entities.