New network to target U.S. political campaigns was set up by Iranian hackers.


Cybersecurity researchers have uncovered new network infrastructure set up by Iranian threat actors to support activity connected to the recent targeting of U.S. political campaigns.

Recorded Future’s Insikt Group has attributed the infrastructure to a threat actor it tracks as GreenCharlie, an Iran-nexus cyber threat group that overlaps with APT42, Charming Kitten, Damselfly, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda.

“The group’s infrastructure is meticulously crafted, utilizing dynamic DNS (DDNS) providers like Dynu, DNSEXIT, and Vitalwerks to register domains used in phishing attacks,” the cybersecurity company said.

“These domains often employ deceptive themes related to cloud services, file sharing, and document visualization to lure targets into revealing sensitive information or downloading malicious files.”

Examples include terms like “cloud,” “uptimezone,” “doceditor,” “joincloud,” and “pageviewer,” among others. A majority of the domains were registered using the .info top-level domain (TLD), a shift from the previously observed .xyz, .icu, .network, .online, and .site TLDs.

The adversary has a history of carrying out highly-targeted phishing attacks that make extensive use of social engineering to infect users with malware like POWERSTAR (also known as CharmPower and GorjolEcho) and GORBLE, which was recently discovered by Google-owned Mandiant to have been used in campaigns against Israel and the United States.

GORBLE, TAMECAT, and POWERSTAR are thought to be variants of the same malware, a collection of PowerShell implants. It’s worth noting that Proofpoint described another POWERSTAR successor known as BlackSmith, which was used in a spear-phishing campaign in late July 2024 to target a prominent Jewish figure.

Phishing is often the first step in the infection chain, after which the malware establishes communication with command-and-control (C2) servers, exfiltrates data, or delivers additional payloads to extend the attacker’s access.

Recorded Future’s findings show that the threat actor registered a large number of DDNS domains since May 2024, with the company also identifying communications between Iran-based IP addresses (38.180.146[.]194, 38.180.146[.]174) and GreenCharlie infrastructure between July and August 2024.

In addition, GORBLE’s C2 servers and GreenCharlie clusters share a direct connection. The operations are believed to be facilitated through Proton VPN or Proton Mail in order to conceal the actor’s activity.

“GreenCharlie’s phishing operations are highly targeted, often employing social engineering techniques that exploit current events and political tensions,” Recorded Future said.

“The group has registered numerous domains since May 2024, many of which are likely used for phishing activities. These domains are linked to DDNS providers, which allow for rapid changes in IP addresses, making it difficult to track the group’s activities.”
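As an added illustration, not taken from Recorded Future’s report, the following Python hunting heuristic combines the three signals described above over passive-DNS records: a lure-themed label, one of the observed TLDs, and DDNS-style IP rotation. The records, domains and addresses below are constructed for the example and are not indicators from the report.

```python
from collections import defaultdict

# Constructed passive-DNS records: (timestamp, queried domain, resolved IP).
# All values are made up for this example; none are indicators from the report.
SAMPLE_RECORDS = [
    ("2024-07-01T10:00:00Z", "doceditor-share.info", "203.0.113.10"),
    ("2024-07-02T10:00:00Z", "doceditor-share.info", "203.0.113.22"),
    ("2024-07-03T10:00:00Z", "doceditor-share.info", "198.51.100.7"),
    ("2024-07-01T10:00:00Z", "pageviewer-cloud.info", "203.0.113.55"),
    ("2024-07-05T10:00:00Z", "pageviewer-cloud.info", "203.0.113.55"),
    ("2024-07-01T10:00:00Z", "intranet.example.com", "192.0.2.10"),
    ("2024-07-02T10:00:00Z", "intranet.example.com", "192.0.2.10"),
    ("2024-07-01T10:00:00Z", "uptimezone.xyz", "198.51.100.30"),
    ("2024-07-02T10:00:00Z", "uptimezone.xyz", "198.51.100.31"),
]

# Lure terms and TLDs taken from the reporting above.
LURE_TERMS = ("cloud", "uptimezone", "doceditor", "joincloud", "pageviewer")
SUSPECT_TLDS = (".info", ".xyz", ".icu", ".network", ".online", ".site")


def score_domain(domain, ips):
    """Return (score, reasons) for one domain given the set of IPs it resolved to."""
    score, reasons = 0, []
    if domain.endswith(SUSPECT_TLDS):
        score += 1
        reasons.append("observed TLD")
    if any(term in domain for term in LURE_TERMS):
        score += 1
        reasons.append("lure-themed label")
    if len(ips) >= 2:  # resolved to several addresses: DDNS-style rotation
        score += 1
        reasons.append("rotating IPs")
    return score, reasons


def hunt(records, threshold=2):
    """Aggregate records per domain and return {domain: (score, reasons)} at/above threshold."""
    ips_by_domain = defaultdict(set)
    for _, domain, ip in records:
        ips_by_domain[domain.lower().rstrip(".")].add(ip)
    hits = {}
    for domain, ips in ips_by_domain.items():
        score, reasons = score_domain(domain, ips)
        if score >= threshold:
            hits[domain] = (score, reasons)
    return hits


if __name__ == "__main__":
    for domain, (score, reasons) in sorted(hunt(SAMPLE_RECORDS).items()):
        print(f"{domain}: score={score} ({', '.join(reasons)})")
```

Domains flagged by the heuristic are candidates for analyst review, not confirmed indicators; the threshold and weights should be tuned against your own DNS baseline.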

The disclosure comes as Iranian malicious cyber activity against the United States and other foreign targets is increasing. Microsoft revealed earlier this week that an Iranian threat actor with the codename Peach Sandstorm (also known as Refined Kitten) is targeting a variety of industries in the United States and the United Arab Emirates.

Another Iranian state-backed hacking group, Pioneer Kitten, was reportedly working as an initial access broker (IAB) for the purpose of facilitating ransomware attacks against the education, finance, healthcare, defense, and government sectors in the United States in collaboration with the NoEscape, RansomHouse, and BlackCat crews, according to U.S. government agencies.
