Adrian Johnson
TLDR:
- Iranian hackers set up new network infrastructure to target U.S. political campaigns
- The group uses sophisticated phishing attacks and malware like POWERSTAR and GORBLE
Cybersecurity researchers have uncovered a new network infrastructure set up by Iranian threat actors, known as GreenCharlie, to support activities targeting U.S. political campaigns. This group overlaps with other known threat groups such as APT42, Charming Kitten, and TA453. The infrastructure is meticulously crafted using dynamic DNS providers like Dynu and DNSEXIT to register domains for phishing attacks.
The group’s phishing operations are highly targeted and employ social engineering techniques to exploit current events and political tensions. They have registered numerous domains since May 2024, many of which are likely used for phishing activities. These domains are linked to DDNS providers, allowing for rapid changes in IP addresses to evade detection.
The threat actors have a track record of using malware like POWERSTAR and GORBLE in their campaigns. These malware variants are constantly evolving and are deployed through multi-stage attacks involving phishing, establishing communication with command-and-control servers, and exfiltrating sensitive data.
Recorded Future’s findings also show a direct link between GreenCharlie clusters and C2 servers used by GORBLE, indicating a coordinated effort in their operations. The group is believed to use Proton VPN or Proton Mail to obfuscate their activities and avoid detection.
This disclosure comes amidst a rise in Iranian malicious cyber activity targeting the U.S. and other foreign entities. It was revealed that multiple sectors in the U.S. and the U.A.E. are being targeted by Iranian threat actors codenamed Peach Sandstorm. Additionally, another Iranian state-backed hacking crew, Pioneer Kitten, has been involved in facilitating ransomware attacks against various sectors in the U.S.
