
Outsmarting APT35, a charming kitten

Insights
16/10/2024
Jos Clephas


Charming Kitten, also known as APT35, is a state-sponsored Iranian cyber-espionage group that is widely believed to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC). [1] They focus on long-term operations targeting the US, Middle Eastern military, and organisations in engineering, business services and other sectors.

When Nerium was called to respond remotely to an incident in the Middle East, it became clear that the organisation had been compromised for months. Cybercriminals had been operating under the radar, siphoning off valuable email data undetected, and if it hadn’t been discovered by chance, the breach might still have been active. Through thorough analysis, we identified the attack as linked to Charming Kitten, also known as APT35, APT42, Mint Sandstorm, and Nexus Group.

Covert operations

Using Cyclops malware and web shells while meticulously erasing their tracks and adapting their methods, the adversaries had covertly embedded themselves into the organisation’s systems. Our investigation revealed compelling evidence from IP addresses, custom (Go-based) malware, domains, observed Tactics, Techniques, and Procedures (TTPs), and detailed activity pattern analysis. Additionally, we noticed that all adversary activity over a six-month period occurred exclusively during Islamic business hours, with a notable silence on Fridays - a traditional day of rest in many Muslim countries. Taken together, this evidence allowed us to confidently attribute the attack to state-sponsored actors, with the Iranian government as the likely culprit.
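The timing analysis mentioned above (activity clustered in the adversary's business hours, silence on Fridays) is easy to reproduce once you have a list of attacker-attributed event timestamps. The script below is an added illustration, not Nerium's tooling and not the incident's data: it converts UTC timestamps into an assumed local time zone (Iran Standard Time, modelled as a fixed UTC+03:30 offset) and builds weekday and hour-of-day profiles. The sample timestamps are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: the adversary's local time is Iran Standard Time, modelled as a fixed
# UTC+03:30 offset (Iran has not applied DST since 2022); a fixed offset keeps the
# script independent of the host's tz database.
IRST = timezone(timedelta(hours=3, minutes=30), name="IRST")
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Constructed sample: UTC timestamps of events attributed to the adversary
# (illustrative values, not the incident's real data).
SAMPLE_EVENTS = [
    "2024-03-03T05:10:00Z",  # Sun 08:40 IRST
    "2024-03-04T06:45:00Z",  # Mon 10:15 IRST
    "2024-03-05T09:30:00Z",  # Tue 13:00 IRST
    "2024-03-06T11:05:00Z",  # Wed 14:35 IRST
    "2024-03-07T04:50:00Z",  # Thu 08:20 IRST
    "2024-03-09T07:15:00Z",  # Sat 10:45 IRST
    "2024-03-10T10:40:00Z",  # Sun 14:10 IRST
]

def parse_utc(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def activity_profile(timestamps, tz=IRST):
    """Count events per local weekday and per local hour after converting to tz."""
    by_day, by_hour = Counter(), Counter()
    for ts in timestamps:
        local = parse_utc(ts).astimezone(tz)
        by_day[WEEKDAYS[local.weekday()]] += 1
        by_hour[local.hour] += 1
    return by_day, by_hour

def silent_days(by_day):
    """Weekdays with zero activity; only meaningful once enough events are collected."""
    return [d for d in WEEKDAYS if by_day.get(d, 0) == 0]

def business_hours_fraction(by_hour, start=8, end=18):
    """Share of events whose local hour falls in [start, end)."""
    total = sum(by_hour.values())
    inside = sum(n for hour, n in by_hour.items() if start <= hour < end)
    return inside / total if total else 0.0

def histogram(counter, keys):
    """Plain-text bar chart, one line per key, for a quick look in a shell."""
    return "\n".join(f"{k:>3} {'#' * counter.get(k, 0)}" for k in keys)

if __name__ == "__main__":
    days, hours = activity_profile(SAMPLE_EVENTS)
    print(histogram(days, WEEKDAYS))
    print("silent days:", silent_days(days))
    print("business-hours share:", business_hours_fraction(hours))
```

Seven events are far too few to draw conclusions from; the pattern only becomes evidence when it holds over many events and months, as it did here. Run the same profile against several candidate time zones and compare: the one where activity falls neatly into working hours and the local rest day is the one worth weighing alongside infrastructure and malware evidence.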

All but charming

APT35 has carved out a reputation for targeting military, diplomatic, and government personnel, particularly in the U.S. and the Middle East. Their reach extends beyond these sectors, infiltrating media, energy, defence, engineering, business services, telecommunications, and, possibly also, US elections. [1] And while the name might be charming, the tactics employed by Iranian-sponsored adversaries are anything but.

Cyclops malware

In this case, the attackers sought to maintain permanent access by planting custom webshells on the organisation’s Outlook Web Access (OWA) servers. These webshells allowed them to remotely control the servers, run commands, and access sensitive files. Attempts were also made to install Cyclops malware, but those efforts failed. Written in Go, this newly discovered malware platform — likely developed as a successor to BellaCiao [2] — allows its operators to execute arbitrary commands on the target’s file system and pivot within the infected network.

Classic con blunder

For over half a year, the attackers achieved operational success by exfiltrating a significant amount of email data — and they might have still been harvesting it if they hadn’t let their guard down. After securing the stolen data, the adversary became overconfident and careless. A classic con blunder that ultimately resulted in their discovery. In their attempt to access additional servers, they triggered multiple alarms in Defender, which was promptly picked up by the security monitoring team.

Rapid and proactive response

When Nerium was called in, our incident response expertise in identifying and neutralising advanced threats was crucial. Our rapid and proactive response not only mitigated the immediate danger but also succeeded in removing the attackers from the digital environment and making it more difficult for them to infiltrate again. With the client’s system recording screen activity, including that of the adversary, we were offered a rare insight into the attackers' operations, allowing us to pinpoint their methods with high precision.

Investigating the incident was essential, as understanding what had occurred is key to preventing future breaches. Through our analysis, we obtained critical intelligence on Charming Kitten's techniques, including their use of malicious PowerShell scripts to export email data, the command-line version of PuTTY for data exfiltration, and Cyclops malware to maintain persistence within the compromised systems.

Securing the strike zone

We developed specific detection rules and Indicators of Compromise (IoCs) to help identify similar threats in the future, including YARA rules to detect the presence of webshells and Cyclops malware. To counter the threats posed by Charming Kitten, we offered strategic advice on damage containment, recommending the isolation of affected systems to prevent a game of whack-a-mole with the adversaries. Knowing that cybercriminals often re-establish access through alternate backdoors the moment one is removed, we waited to isolate the attack until we were confident that all backdoors had been identified. This approach ensured that if the attackers attempted to regain access, we would quickly detect any new activity within the IT infrastructure we were investigating, ultimately preventing further breaches.

Sharing is winning

Building on years of experience in incident response, we successfully contained this threat. But we wouldn’t have been able to catch this Iranian cat without the collaboration of our colleagues and fellow professionals. At Nerium, we believe in the power of shared knowledge to strengthen our defences and enhance our responses to emerging threats. That’s why, paying it forward, we have distilled the lessons learned from this incident into actionable steps that other organisations can take to safeguard their IT environments. By openly sharing our findings, including Tactics, Techniques, and Procedures (TTPs), we aim to empower others with the tools needed to recognise and respond to similar threats. Cybersecurity is a collective effort - a game only won by working together.

MITRE ATT&CK

This MITRE ATT&CK table offers insights into the TTPs employed by APT35, enabling the wider threat intelligence community to counter attacks by recognising behavioural patterns. We urge incident response and security teams to apply these insights to detect and respond effectively to APT35.

Detection & mitigation

To support our fellow cyber security experts in hunting and identifying adversary activities discussed in this blog, we offer detection rules in the form of KQL queries for use in Defender. Additionally, we provide YARA rules to identify custom webshells on web servers and detect possible Cyclops malware running in memory.

KQL queries

Detection name: Multiple-enumeration-PowerShell-cmdlet-used
Frequency: Every hour
Alert Title: Multiple PowerShell cmdlets used for enumeration of the email environment have been observed on a single device within 10 minutes
Severity: Medium
Category: Persistence
MITRE techniques: T1087.003 Email Account
Recommended actions: Look at the command line and see if anything stands out. Also take a look at the script and see if it has been used more often in the environment.
Impacted entities: Device > DeviceID

Kusto Query:
DeviceEvents
| where Timestamp > ago(1h)
| where ActionType == @"PowerShellCommand"
| where parse_json(AdditionalFields).Command in (
   'Get-Mailbox',
   'Get-MailboxExportRequest',
   'Remove-MailboxExportRequest',
   'New-MailboxExportRequest',
   'Set-Content',
   'Start-Sleep'
)
| extend Command = tostring(parse_json(AdditionalFields).Command)
| where InitiatingProcessFileName !in ("monitoringhost.exe", "monad.exe")
| summarize dcount(Command), FirstReportId=arg_min(Timestamp, ReportId), make_set(Command), make_set(InitiatingProcessCommandLine) by DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessSHA1, bin(Timestamp, 10m)
| where dcount_Command >= 3
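To make the logic of the query above testable outside Defender, here is a Python re-implementation, added as an illustration (it is not Nerium's code and not a substitute for running the KQL in Defender). It applies the same one-hour look-back, cmdlet list, process exclusion, 10-minute bins and distinct-cmdlet threshold to DeviceEvents-shaped records. The events and host names below are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The cmdlet list, process exclusions, bin size and threshold mirror the KQL rule.
ENUM_CMDLETS = {
    "Get-Mailbox", "Get-MailboxExportRequest", "Remove-MailboxExportRequest",
    "New-MailboxExportRequest", "Set-Content", "Start-Sleep",
}
EXCLUDED_PROCESSES = {"monitoringhost.exe", "monad.exe"}  # benign Exchange/SCOM hosts
LOOKBACK = timedelta(hours=1)                             # ago(1h)
BIN_SECONDS = 600                                         # bin(Timestamp, 10m)
THRESHOLD = 3                                             # dcount_Command >= 3

def parse_ts(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def event(ts, cmd, proc, report_id, device="EXCH01",
          cmdline="powershell.exe -File ExchCheck.ps1"):
    """Build one DeviceEvents-shaped record (constructed sample, hypothetical hosts)."""
    return {
        "Timestamp": ts, "ActionType": "PowerShellCommand",
        "AdditionalFields": json.dumps({"Command": cmd}),
        "InitiatingProcessFileName": proc,
        "InitiatingProcessCommandLine": cmdline,
        "DeviceName": device, "DeviceId": device.lower() + "-id",
        "InitiatingProcessSHA1": "0" * 40, "ReportId": report_id,
    }

SAMPLE_EVENTS = [
    # Suspicious: four distinct enumeration cmdlets from powershell.exe within 10 minutes
    event("2024-06-14T10:01:00Z", "Get-Mailbox", "powershell.exe", 1),
    event("2024-06-14T10:03:00Z", "New-MailboxExportRequest", "powershell.exe", 2),
    event("2024-06-14T10:05:00Z", "Start-Sleep", "powershell.exe", 3),
    event("2024-06-14T10:07:00Z", "Get-MailboxExportRequest", "powershell.exe", 4),
    # Benign: the same cmdlets, but from the excluded monitoring host
    event("2024-06-14T10:02:00Z", "Get-Mailbox", "monitoringhost.exe", 5, cmdline="monitoringhost.exe"),
    event("2024-06-14T10:04:00Z", "Get-MailboxExportRequest", "monitoringhost.exe", 6, cmdline="monitoringhost.exe"),
    event("2024-06-14T10:06:00Z", "Start-Sleep", "monitoringhost.exe", 7, cmdline="monitoringhost.exe"),
    # Below threshold: two cmdlets on another host, landing in different 10-minute bins
    event("2024-06-14T10:02:00Z", "Get-Mailbox", "powershell.exe", 8, device="EXCH02"),
    event("2024-06-14T10:15:00Z", "Set-Content", "powershell.exe", 9, device="EXCH02"),
]

def detect(events, now):
    """One alert per (device, process, 10-minute bin) with >= THRESHOLD distinct cmdlets."""
    cutoff = parse_ts(now) - LOOKBACK
    groups = defaultdict(list)
    for e in events:
        ts = parse_ts(e["Timestamp"])
        if ts <= cutoff or e["ActionType"] != "PowerShellCommand":
            continue
        cmd = json.loads(e["AdditionalFields"]).get("Command")
        if cmd not in ENUM_CMDLETS or e["InitiatingProcessFileName"] in EXCLUDED_PROCESSES:
            continue
        epoch = int(ts.timestamp())
        key = (e["DeviceName"], e["DeviceId"], e["InitiatingProcessFileName"],
               e["InitiatingProcessSHA1"], epoch - epoch % BIN_SECONDS)
        groups[key].append((ts, cmd, e))
    alerts = []
    for key, rows in groups.items():
        commands = sorted({cmd for _, cmd, _ in rows})
        if len(commands) < THRESHOLD:
            continue
        first = min(rows, key=lambda r: r[0])[2]  # arg_min(Timestamp, ReportId)
        alerts.append({
            "DeviceName": key[0], "Process": key[2], "BinStart": key[4],
            "Commands": commands, "FirstReportId": first["ReportId"],
            "CommandLines": sorted({e["InitiatingProcessCommandLine"] for _, _, e in rows}),
        })
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, now="2024-06-14T10:30:00Z"):
        print(alert)
```

Two properties of the rule are worth seeing in the sample: the monitoring-host exclusion means a legitimate health check that runs the same cmdlets produces nothing, and the fixed 10-minute bins mean a burst that straddles a bin boundary can be split in two and miss the threshold, which is why the hourly run with a low threshold of three is preferable to a single high-threshold rule.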

Yara rules

rule Webshell_ASPNet_Detection
{
    meta:
        description = "Detects ASP.NET webshells"
        author = "Nerium"
        date = "2024-08-01"
        version = "1.1"

    strings:
        // Commonly used namespaces in the provided webshell:
        $namespace1 = "<%@ Import Namespace=\"System\" %>"
        $namespace2 = "<%@ Import Namespace=\"System.IO\" %>"
        $namespace3 = "<%@ Import Namespace=\"System.Diagnostics\" %>"
        $namespace4 = "<%@ Import Namespace=\"System.Runtime.InteropServices\" %>"
        $namespace5 = "<%@ Import Namespace=\"System.Security.Cryptography\" %>"
        $namespace6 = "<%@ Import Namespace=\"System.Management\" %>"
        $namespace7 = "<%@ Import Namespace=\"System.Management.Instrumentation\" %>"

        // Commonly used directives:
        $assembly = "<%@ Assembly Name=\"System.Management,Version=2.0.0.0,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A\"%>"
        $page = "<%@ Page Language=\"C#\" validateRequest=\"false\" %>"

        // Specific class and function names:
        $class = "public class DriveSettings"
        $dllimport1 = "[DllImport(\"mpr.dll\")] "
        $dllimport2 = "private static extern int WNetAddConnection2"
        $dllimport3 = "private static extern int WNetCancelConnection2"
        $function1 = "public static void MapNetworkDrive"
        $function2 = "public static int DisconnectNetworkDrive"
        $function3 = "public static bool IsDriveMapped"

        // Distinctive literals from the webshell body:
        $string1 = "BE2E3E996C75B2B58BF2986D15139B692BD545F4"
        $string2 = "theform.__EVENTARG.value=eventArgument;"

        $string4_01 = "ip;command;user;pass"
        $string4_02 = "Invoke Command"

        $string5_01 = "btnMapDrive"
        $string5_02 = "txtMapDrive"
        $string5_03 = "txtMapUserName"
        $string5_04 = "txtMapPassword"

    condition:
        // Either six of the generic namespace/directive/class/function strings,
        // or one of the more specific marker combinations:
        (6 of ($namespace1, $namespace2, $namespace3, $namespace4, $namespace5, $namespace6, $namespace7, $assembly, $page, $class, $dllimport1, $dllimport2, $dllimport3, $function1, $function2, $function3)) or
        ($string1 or $string2) or
        ($string4_01 and $string4_02) or
        ($string5_01 and $string5_02 and $string5_03 and $string5_04)
}

Network-based indicators

Domains:
autoupdate[.]uk
servicesupdate[.]info
mailupdate[.]info
maill-support[.]com
Systemupdate[.]info
msn-service[.]co
Twittsupport[.]com

IP addresses:
IP Address       ASN    AS Label      Country
88.80.145[.]122  44901  Belcloud LTD  Serbia
88.80.145[.]126  44901  Belcloud LTD  Serbia

Host-based indicators

Filename MD5 SHA1 SHA256
Calc.exe fce5f94b5d09b2e31e72fa75dec7a789 e034ccd0ea7c430433ea4d43f24f3287da67557a 052526ce7b968d597de8d110c390478502021b30932f932d3a3e918d9e5e2c07
Calc.exe ef158593b9a5a029f7224a5390f0ca06 de43f57f44c301a88fb836c7daf87d7da4f91eb4 544b32520d0ac0d9eed8f23b8f98acb07b95b7cdbe14145c43f4c74a20d58c97
Calc.exe 5f7554d8092add71caa42f14017d685f 60c7d20a99473a5ac66302e4509e738b0df71ee4 ba6c9ec6be6af2dad0972636e2cae3c2e34265b0c1f9fa61045af2e0a0ecdaae
Calc.exe b2c6cbc70f9b15f177c3e7f702df880b 7cda8775f8e239440c87815e513320227976fac2 01c57c14c413c3724753a630b2a5e3a4ad2dc2d22a478d16645d544de0342766
p.exe f144cf99e320ab24f51a026e340b75f7 f2fd79f1b928647a8f38a6481e93a89bb4944399 7129a84a729eae4f6eb8da1ff6bfc2b6a0659173ca7306c4925deb371a4bf5c5
ExchCheck.ps1 3e09379853b6f979925d9ae0293b79d4 a23476603c138d848b4c51e3e586f179b61cf172 c09d9a65d117717e373123a9dd5d39232497dec6d56ea283723ff395c2d1c344
2024.exe 6c3497c5d5f448278e1224b6dec02811 9323328910a2dea1ec8f56f1508c72bb81666d3c f06da3349a5c690a7893d5503e1a31a4632c833fec7645f4ac1a72f92a7a7b6a
Mws.exe deaff9598e3771d6148fe16c79489c1e 7f5cf116c2ce8b3e69f5d3a1e35fd973eb98cb77 1bc856b397002e27dd7a91adcdf018dddfe36e16f8b6d5bc29ad7659ffd7b149
Libxml2.dll f6f2d629923207366be1c5da9fe4030d 2ce31eacb1dfd7936164f27b8e22bdd83e49bbcc 6aa8b4e01116bec047c98bfd723d4c23f3ab297133f1e4eb52e9fbcef7bc7f38
2024-06-14T14-32.dll d78beb09ebb3bd843267b048bbb32fcf abf22ebe1d7593a0df54e1dda6fbbb6952a58ba1 1cf3c2d7fcce2ab5215726c3e4bbe637d4e53caa9e3657186502af09777fe1e8
Config.aspx d771d14675fdde2df5afa93748f81a8b 5208d587bef0278022410cae71f481f2be516c27 52790e90a877e96706637c48679e44a36d7162a87d1833702c6f3fcdd4747f12
configs.aspx 5b3c416a3a496edcf641f20db187546f 385679248c82cb0c6b035785576a1ddaee8c92fc 2cdbf474d62a3922f7b311b0eb7166b91c998d4f4e275772c0ac1423edd8619b
SenseCE.exe eff3dd8a8aa1d0874f67e515bb0bf6cc ee029af7104be2b3263f4a6e5a84e7ee3a3a6517 8bc928d3cf488d4b760cd895a9d94f7b12a7718a09590a1ffa6e523669a22f8a
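The indicators above are published defanged (`[.]` for `.`), so the first step of any sweep is to refang them consistently before matching. The script below is an added illustration, not Nerium's tooling: it refangs the domains and IP addresses from this page, matches DNS and connection log lines against them (including subdomains of the listed domains), and checks a file inventory against the SHA-256 values from the host-based table. The log lines, the inventory paths and the benign hash are constructed; only the indicator values are taken from the page.

```python
import re

# Indicator values as published above (defanged); the matching logic is the added part.
DEFANGED_DOMAINS = [
    "autoupdate[.]uk", "servicesupdate[.]info", "mailupdate[.]info",
    "maill-support[.]com", "Systemupdate[.]info", "msn-service[.]co", "Twittsupport[.]com",
]
DEFANGED_IPS = ["88.80.145[.]122", "88.80.145[.]126"]
# SHA-256 -> filename, copied from the host-based indicator table
KNOWN_SHA256 = {
    "7129a84a729eae4f6eb8da1ff6bfc2b6a0659173ca7306c4925deb371a4bf5c5": "p.exe",
    "c09d9a65d117717e373123a9dd5d39232497dec6d56ea283723ff395c2d1c344": "ExchCheck.ps1",
    "52790e90a877e96706637c48679e44a36d7162a87d1833702c6f3fcdd4747f12": "Config.aspx",
}

def refang(indicator):
    """Undo common defanging ([.] (.) [:] hxxp) and lower-case the result."""
    s = indicator.strip().lower()
    for old, new in (("[.]", "."), ("(.)", "."), ("[:]", ":")):
        s = s.replace(old, new)
    return re.sub(r"^hxxp", "http", s)

DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}

def domain_matches(name):
    """True for an exact indicator domain or any subdomain of one."""
    name = name.lower().rstrip(".")
    return name in DOMAINS or any(name.endswith("." + d) for d in DOMAINS)

# Constructed log lines: "<timestamp> <client> <record-type> <value>"
SAMPLE_LOG = """\
2024-06-14T09:58:12Z 10.1.2.30 dns servicesupdate.info
2024-06-14T09:58:40Z 10.1.2.30 dns www.microsoft.com
2024-06-14T10:02:05Z 10.1.2.31 conn 88.80.145.122
2024-06-14T10:05:44Z 10.1.2.32 dns SystemUpdate.info.
2024-06-14T10:07:10Z 10.1.2.32 dns cdn.systemupdate.info
2024-06-14T10:09:33Z 10.1.2.33 conn 88.80.146.122
"""

def match_log(log_text):
    """Return (timestamp, client, kind, value) for every line that touches an indicator."""
    hits = []
    for line in log_text.splitlines():
        ts, client, kind, value = line.split()
        if kind == "dns" and domain_matches(value):
            hits.append((ts, client, "domain", value.lower().rstrip(".")))
        elif kind == "conn" and value in IPS:
            hits.append((ts, client, "ip", value))
    return hits

# Constructed file inventory: path -> SHA-256 (the all-zero hash is a made-up benign value)
SAMPLE_INVENTORY = {
    r"C:\inetpub\wwwroot\Config.aspx": "52790E90A877E96706637C48679E44A36D7162A87D1833702C6F3FCDD4747F12",
    r"C:\Windows\System32\calc.exe": "0" * 64,
}

def match_hashes(inventory):
    """Return (path, indicator filename) for files whose SHA-256 is a known indicator."""
    return [(path, KNOWN_SHA256[h.lower()]) for path, h in inventory.items()
            if h.lower() in KNOWN_SHA256]

if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG):
        print("network hit:", hit)
    for hit in match_hashes(SAMPLE_INVENTORY):
        print("file hit:", hit)
```

Match files by hash, never by name: the table above lists four different Calc.exe samples with four different hashes, and the same name is also that of a legitimate Windows binary. Domain matching is case-insensitive and accepts subdomains because DNS logs often record the fully qualified name with a trailing dot or a host prefix.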

[1] https://www.mandiant.com/sites/default/files/2022-09/apt42-report-mandiant.pdf

[2] https://harfanglab.io/insidethelab/cyclops-replacement-bellaciao/

Jos Clephas, Co-Founder / Incident Responder