Charming Kitten updates its arsenal by adding new tools and TTPs

August 8, 2022
CharmingKitten Tools TTPs Android Malware Mobile Telegram Infostealer Backdoor

Cybersecurity researchers have discovered several new tools used by Charming Kitten after a series of operational security (OpSec) mistakes by the group. One of these kits is used to harvest data from targeted Telegram accounts.

Moreover, the researchers found that the attackers had used strategies previously employed by the Iranian Islamic Revolutionary Guard Corps; Charming Kitten adopted this strategy to run a surveillance campaign last year.

The adversary has also been using a macro-enabled Word document template to distribute malware since last March.

Charming Kitten used Android malware to compromise Telegram users.

The features of the new Telegram grabber tool used by Charming Kitten overlap with those of an Android malware called PINEFLOWER.

The malware was used against domestic targets last year to gain access to Telegram data such as contacts and messages. It is written in C++ and uses the open-source Telegram Database Library (TDLib).

The malware author designed the tool to exfiltrate information such as messages, associated media, and contact details from its targets' Telegram accounts. The tool can also display the password hint and have an access code sent to the victim's recovery email address, which lets the adversaries gain unauthorised access to the Telegram account and carry out further activity.

The stolen data is then stored in an SQLite database and in JSON format.

Researchers also spotted Charming Kitten deploying macro-enabled Word document template files to drop malicious payloads between January and March. This was the first time the threat actors had been observed using remote template injection as part of their campaign.

Most lures used material taken from legitimate media and news sites. Once the target enables the malicious macros, the document downloads the PowerShell backdoor dubbed CharmPower.

Experts noted that Charming Kitten constantly adds new tools to its arsenal. These new tactics also show that the threat actors have been actively adding new components to their attack chain.
