Cybersecurity researchers have discovered new network infrastructure created by Iranian threat actors to support activities related to the recent targeting of U.S. political campaigns.
Recorded Future’s Insikt Group has tied the infrastructure to a threat it monitors as GreenCharlie, an Iran-associated cyber threat group that overlaps with APT42, Charming Kitten, Damselfly, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda.
“The group’s infrastructure is carefully constructed, utilizing dynamic DNS (DDNS) providers like Dynu, DNSEXIT, and Vitalwerks to register domains used in phishing attacks,” the cybersecurity company stated.
“These domains often use deceptive themes related to cloud services, file sharing, and document visualization to entice targets into revealing sensitive information or downloading malicious files.”
Examples include terms like “cloud,” “uptimezone,” “doceditor,” “joincloud,” and “pageviewer,” among others. Most of the domains were registered using the .info top-level domain (TLD), a shift from the previously observed .xyz, .icu, .network, .online, and .site TLDs.
The attacker has a history of conducting highly targeted phishing attacks that utilize extensive social engineering techniques to infect users with malware like POWERSTAR (aka CharmPower and GorjolEcho) and GORBLE, which was recently recognized by Google-owned Mandiant as being used in campaigns against Israel and the U.S.
GORBLE, TAMECAT, and POWERSTAR are believed to be versions of the same malware, a series of evolving PowerShell implants deployed by GreenCharlie over time. It is important to note that Proofpoint disclosed another POWERSTAR successor named BlackSmith that was used in a spear-phishing campaign targeting a prominent Jewish figure in late July 2024.
The infection process usually involves multiple stages, starting with initial access through phishing, followed by establishing communication with command-and-control (C2) servers, and finally exfiltrating data or deploying additional payloads.
Recorded Future’s research shows that the threat actor registered a large number of DDNS domains since May 2024, with the company also identifying communications between Iran-based IP addresses (38.180.146[.]194 and 38.180.146[.]174) and GreenCharlie infrastructure between July and August 2024.
Moreover, a direct connection has been found between GreenCharlie clusters and C2 servers used by GORBLE. It is believed that the operations are conducted using Proton VPN or Proton Mail to conceal their activity.
“GreenCharlie’s phishing operations are highly targeted, often employing social engineering techniques that exploit current events and political tensions,” Recorded Future said.
“The group has registered numerous domains since May 2024, many of which are likely used for phishing activities. These domains are linked to DDNS providers, which allow for rapid changes in IP addresses, making it difficult to track the group’s activities.”
This disclosure comes amidst a rise in Iranian malicious cyber activity against the U.S. and other foreign targets. Microsoft recently revealed that several sectors in the U.S. and the U.A.E. are under threat from an Iranian threat actor known as Peach Sandstorm (aka Refined Kitten).
Additionally, U.S. government agencies have reported another Iranian state-backed hacking group, Pioneer Kitten, acting as an initial access broker (IAB) to facilitate ransomware attacks on education, finance, healthcare, defense, and government sectors in the U.S. in collaboration with NoEscape, RansomHouse, and BlackCat groups.
