Naked Security Naked Security

Microsoft slaps down 99 APT35/Charming Kitten domains

Court order in hand, Microsoft seized control of the hacker group's (which it calls Phosphorous) phishing sites.

Microsoft said on Wednesday that, with a court order in hand, it’s swatted 99 domains associated with the Iranian hacking group known as Charming Kitten (or APT35, or Ajax Security Team, or that Microsoft calls Phosphorus).

Microsoft said that its Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking the group since 2013. The group typically goes after computer systems of businesses and government agencies in order to steal sensitive information from industries including defense and entertainment.

It’s also targeted political dissidents, activists, government employees, and journalists – especially those involved in advocacy and reporting on issues related to the Middle East.

A kitten with a long history

Charming Kitten/Phosphorous/APT35 has been blamed for the 2017 attack on HBO that led to the leaking of 1.5TB of data, including un-aired episodes of several popular shows, a Game of Thrones script, staff contacts, account credentials, and financial data.

The group has also been linked to a defector from the US Air Force who fled to Iran and who was indicted in February for revealing top-secret information to the hackers, and was also allegedly behind a recent, sneaky phishing campaign that beat multifactor authentication (MFA).

Modi operandi de venuste catulus

In its criminal complaint, filed in the US District Court for the District of Columbia, Microsoft described the MO of Phosphorous as demonstrating skill and patience.

The group typically targets people’s personal accounts (as opposed to their work accounts) through spear phishing – using publicly available information to chat up a victim by dropping names, companies and/or content with which they’re familiar.

The hackers also use fake social media accounts to back them up as they social-engineer their way to information, including names of additional targets, and to convince victims to open up malicious attachments.

The group also sends emails crafted to look like there’s an issue with a victim’s account. They’ll use domain names that look like they’re tied to legitimate brands, and here’s where it gets personal for Microsoft and for Yahoo, which helped out in the investigation. Some of the domains it shut down the week prior to its announcement included, for example, yahoo-verify.net, outlook-verify.net, microsoft-update.bid, and verify-linkedin.net (LinkedIn being a Microsoft-owned company).

The hacking group also rigs up typosquatting domains. The full list of domains that Microsoft seized control of are listed in Appendix A of the criminal complaint.

Microsoft says that Phosphorous will sometimes disguise their command and control domains by using the names and trademarks of well-known companies, including “Microsoft”, Windows “Live”, and “LinkedIn”.

If any of that works in convincing a victim to click on a link, they’re whisked to a fake web page designed to steal the credentials they type in. That gives the hackers access to the victim’s accounts and emails. It also gives them access to victims’ address books, where they can harvest the contact information for yet more targets. Then too, they can delete the phishing email they sent to a victim, thereby erasing their tracks.

Phosphorous hackers have also directed victims to sites where they download malware that the hackers call “Stealer.” That’s what it does: once installed, the malware records keystrokes, takes screenshots of a victim’s computer screen, and steals their credentials for instant-messaging, email and other accounts.

Stealer also digs around in the guts of Windows products, including creating registry key paths bearing a Windows trademark and lying about this adulterated product being a “Process for Windows.”

Into the sinkhole ye go, scurvy Stealer

When Microsoft seized control of the 99 websites, it redirected traffic from infected devices to its Digital Crime Unit’s sinkhole. It will add the intelligence it collects from the sinkhole to what its MSTIC already knows about Phosphorus, and it will be added to its security products and services to beef up detections and customer protection, it said.

Charming Kittens and Fancy Bears and court cases, oh my!

If the case against Charming Kitten/Phosphorous/APT35 rings a bell, it’s because it’s similar to cases that Microsoft has filed against the notorious (and probably Russian) hacking group Strontium, better known to the world as Fancy Bear, or APT28.

It might seem quixotic to presume that you can take out nation-state hacking groups with sheaves of legal documents, but as we’ve noted before, Microsoft has found that it’s actually quite effective.

By March 2017, the company had managed to seize 70 web domains used by Fancy Bear (including one used in the 2016 attacks on the Democratic National Committee).

Have the legally sanctioned domain takedowns slowed these nation-state hacking groups down? Microsoft seems to think so – it refers to the takedown of 99 Phosphorous domains as having a “significant impact” on the group’s infrastructure.

More power to you, Microsoft. Given your deep pockets and will to keep battling in the courts, we hope you can keep taking significant chomps out of this rotten kitten’s operations.