Short Summary
Insikt Group has reported a rise in cyber threat activity from GreenCharlie, an Iran-nexus group targeting US political and government entities. The group runs sophisticated phishing operations, deploys malware such as GORBLE and POWERSTAR, and builds its infrastructure on dynamic DNS providers.
Key Points
- Group Identity: GreenCharlie, linked to Iran and associated with Mint Sandstorm, Charming Kitten, and APT42.
- Target Audience: US political campaign officials, government entities, and strategic assets.
- Malware Used: GORBLE and POWERSTAR, both designed for espionage through spearphishing.
- Infrastructure: Utilizes dynamic DNS (DDNS) providers for domain registration, facilitating phishing attacks.
- Phishing Techniques: Employs social engineering tactics related to current events and political tensions.
- Obfuscation Methods: Use of ProtonVPN and ProtonMail to hide activities.
- Multi-Stage Infection: Initial access via phishing, followed by communication with command-and-control servers for data exfiltration.
MITRE ATT&CK TTPs – created by AI
- Phishing (T1566)
  - Utilizes deceptive themes related to cloud services and document visualization to lure targets.
- Command and Control (T1071)
  - Establishes communication with C2 servers after initial access.
- Data Exfiltration (T1041)
  - Exfiltrates data after establishing C2 communication.
- Obfuscated Files or Information (T1027)
  - Employs ProtonVPN and ProtonMail for obfuscation of activities.
Insikt Group has identified a significant increase in cyber threat activity from GreenCharlie, an Iran-nexus group that overlaps with Mint Sandstorm, Charming Kitten, and APT42. Targeting US political and government entities, GreenCharlie uses sophisticated phishing operations and malware such as GORBLE and POWERSTAR. The group's infrastructure, which includes domains registered with dynamic DNS (DDNS) providers, underpins its phishing attacks.
GreenCharlie's Persistent Threat
Since June 2024, Insikt Group has tracked infrastructure linked to GreenCharlie, an Iran-nexus cyber threat group with connections to Mint Sandstorm, Charming Kitten, and APT42. Insikt Group analysis linked GreenCharlie infrastructure to malware which is reported to have been used to target US political campaign officials, government entities, and strategic assets.
GreenCharlie is associated with malware, including POWERSTAR (also known as CharmPower and GorjolEcho) and GORBLE, the latter of which was identified by Google-Mandiant. Both GORBLE and POWERSTAR are variants of the same malware family, designed to enable espionage activity via spearphishing campaigns.
Iran and its associated cyber-espionage actors have consistently demonstrated both the intent and capability to engage in influence and interference operations targeting US elections and domestic information spaces. These campaigns are likely to continue utilizing hack-and-leak tactics aimed at undermining or supporting political candidates, influencing voter behavior, and fostering discord.
The group's infrastructure is meticulously crafted, using dynamic DNS (DDNS) providers such as Dynu, DNSEXIT, and Vitalwerks to register domains used in phishing attacks. These domains often employ deceptive themes related to cloud services, file sharing, and document visualization to lure targets into revealing sensitive information or downloading malicious files.
Recorded Future's Network Intelligence has identified multiple Iran-based IP addresses communicating with GreenCharlie's infrastructure. The use of ProtonVPN and ProtonMail further indicates an attempt to obfuscate the group's activities, a common tactic among Iranian APTs.
GreenCharlie's phishing operations are highly targeted, often employing social engineering techniques that exploit current events and political tensions. The group has registered numerous domains since May 2024, many of which are likely used for phishing activities. These domains are linked to DDNS providers, which allow for rapid changes in IP addresses, making it difficult to track the group's activities.
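The two infrastructure traits described above, domains under DDNS provider zones and lure-themed hostnames about cloud services, file sharing and document viewing, are things a defender can hunt for in DNS query logs. The following script is an added example and is not code from the Insikt Group report; it assumes a simple three-column log format (timestamp, client, queried name) and an illustrative list of DDNS parent zones that should be replaced with one drawn from your own threat-intelligence sources. The log lines and domain names in it are constructed and are not indicators from the report.

```python
"""
Flag DNS queries for names under dynamic-DNS provider zones and score the
attacker-chosen prefix for phishing lure words (cloud, file-sharing and
document-viewer themes).

Added defensive example, not from the Insikt Group report. The DDNS zone
list and the sample log are constructed for illustration.
"""
import re
from dataclasses import dataclass

# ASSUMPTION: illustrative parent zones offered by DDNS providers. Not taken
# from the report; verify and extend this list from your own intelligence.
DDNS_ZONES = (
    "ddns.net", "hopto.org", "zapto.org",   # No-IP (Vitalwerks)
    "dynu.net",                              # Dynu
    "linkpc.net",                            # DNSEXIT
)

# Lure vocabulary matching the themes the report describes: cloud services,
# file sharing and document visualization.
LURE_WORDS = ("cloud", "drive", "share", "file", "doc", "view",
              "pdf", "onedrive", "dropbox")

# Assumed log format: "<timestamp> <client-ip> <queried-name>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


@dataclass
class Finding:
    ts: str
    client: str
    qname: str
    zone: str
    lure_hits: tuple


def ddns_zone(qname):
    """Return the DDNS parent zone that qname sits under, or None."""
    host = qname.rstrip(".").lower()
    for zone in DDNS_ZONES:
        if host == zone or host.endswith("." + zone):
            return zone
    return None


def lure_hits(prefix):
    """Lure words present in the attacker-chosen part of the hostname."""
    prefix = prefix.lower()
    return tuple(w for w in LURE_WORDS if w in prefix)


def scan(log_text):
    """Parse log lines and return a Finding for every query under a DDNS zone."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash the hunt
        qname = m["qname"].rstrip(".")
        zone = ddns_zone(qname)
        if zone is None:
            continue
        # Everything below the provider zone is chosen by the registrant,
        # so that is the part worth scoring for lure themes.
        prefix = qname[: -len(zone)].rstrip(".")
        findings.append(Finding(m["ts"], m["client"], qname, zone, lure_hits(prefix)))
    return findings


# Constructed sample log; these names are not indicators from the report.
SAMPLE_LOG = """\
# timestamp client qname
2024-08-01T09:12:03Z 10.0.5.21 cloud-doc-viewer.ddns.net
2024-08-01T09:12:04Z 10.0.5.21 login.microsoftonline.com
2024-08-01T09:15:40Z 10.0.7.3 update.dynu.net
2024-08-01T09:16:01Z 10.0.7.3 secure-fileshare.hopto.org
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        severity = "HIGH" if f.lure_hits else "INFO"
        print(f"[{severity}] {f.ts} {f.client} -> {f.qname} "
              f"(zone={f.zone}, lure={f.lure_hits})")
```

Queries under a DDNS zone with no lure words are reported at low severity because legitimate DDNS use exists; the combination of a DDNS zone and a cloud, file-sharing or document-viewing theme in the registrant-chosen prefix is what deserves a closer look, ideally correlated with the email that delivered the link.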
The malware deployed by GreenCharlie, including GORBLE and POWERSTAR, follows a multi-stage infection process. After initial access through phishing, the malware establishes communication with command-and-control (C2) servers, enabling the attackers to exfiltrate data or deliver additional payloads.
The full analysis is available as a PDF report.
Source: Original Post