Iran’s Cyberwar Escalates: “Charming Kitten” Deploys BASICSTAR

The Middle East has recently been engulfed by a new wave of cyberattacks orchestrated by the Iranian hacker collective known as Charming Kitten, also referred to as APT35 CharmingCypress and Mint Sandstorm. The hackers have deployed a novel malicious backdoor, dubbed BASICSTAR, targeting political analysts.

This faction engineered a counterfeit webinar portal, ostensibly under the guise of the International Institute of Iranian Studies, Rasana. This facade facilitated initial contact and garnered the trust of their victims. Targeted experts began receiving emails inviting them to online conferences on subjects of their interest.

Attached to these emails were malicious files that, once opened, installed BASICSTAR and other malicious software on the victims’ computers. The distribution of the backdoor utilized RAR archives containing LNK files.

Fundamentally, BASICSTAR is a malicious script written in Visual Basic Script. It is designed to collect basic system information, execute remote commands from the attackers, and download files. Upon installation, the system displays a decoy PDF to the victim to avoid arousing suspicion.

BASICSTAR was employed as the hackers’ primary tool. Additionally, depending on the target’s operating system, they deployed other malicious software: POWERLESS for Windows and NokNok for MacOS.

Experts have observed that Charming Kitten has been particularly active lately, continually refining their attack methodologies. The group meticulously studies its victims to select the most effective strategy.

“CharmingCypress often employs unusual social-engineering tactics, such as engaging targets in prolonged conversations over email before sending links to malicious content,” note researchers from Volexity.

It is suspected that Charming Kitten is affiliated with the Islamic Revolutionary Guard Corps and conducts cyber operations in its interest. They have previously launched campaigns against think tanks, NGOs, and journalists in the region.

In their latest attacks, the malefactors utilized compromised accounts of individuals personally known to the victims. Additionally, several fake email accounts were created. Some victims were convinced they were receiving messages from friends or colleagues. Experts refer to this tactic as Multi-Persona Impersonation (MPI).

Furthermore, the Charming Kitten group has registered numerous fictitious, ostensibly legitimate IT companies in Iran. These entities are engaged in developing cyber espionage and surveillance tools while concealing their direct connections to governmental structures.