Iranian hackers target Middle East policy experts with new BASICSTAR backdoor

New BASICSTAR Backdoor

The Iranian-origin threat actor known as Charming Kitten has been linked to a new series of attacks targeting Middle Eastern policy experts with a new backdoor called BASICSTAR by creating a fake webinar portal.

Charming Kitten, also known as APT35, CharmingCypress, Mint Sandstorm, TA453, and Yellow Garuda, has a history of orchestrating a wide range of social engineering campaigns that cast broad targets, often singling out think tanks, NGOs, and journalists.

“CharmingCypress often uses unusual social engineering tactics, such as engaging targets in lengthy email conversations before sending links to malicious content,” said Volexity researchers Ankur Saini, Callum Roxan, Charlie Gardner and Damien Cash. said.

Last month, Microsoft revealed that high-profile individuals involved in business in the Middle East are being targeted by its adversary to deploy malware such as MischiefTut and MediaPl (also known as EYEGLASS) capable of collecting sensitive information from a compromised host .


The group, believed to have ties to Iran’s Islamic Revolutionary Guards Corps (IRGC), has also spread several other backdoors over the past year, such as PowerLess, BellaCiao, POWERSTAR (aka GorjolEcho), and NokNok, highlighting on its determination to continue its cyber attack. , adapting tactics and methods despite public exposure.

The phishing attacks observed between September and October 2023 involved the Charming Kitten operators posing as the Rasanah International Institute for Iranian Studies (IIIS) to initiate and build trust with targets.

The phishing attempts are also characterized by the use of compromised email accounts of legitimate contacts and multiple email accounts controlled by threat actors, the latter of which is called Multi-Persona Impersonation (MPI).

New BASICSTAR rear door

The attack chains typically use RAR archives containing LNK files as a starting point to distribute malware, with the messages encouraging potential targets to participate in a fake webinar on topics of interest to them. Such a multi-phase infection sequence has been observed to implement BASICSTAR and KORKULOADER, a PowerShell downloader script.

BASICSTAR, a Visual Basic Script (VBS) malware, can collect basic system information, remotely execute commands passed from a command-and-control (C2) server, and download and display a decoy PDF file.

Furthermore, some of these phishing attacks are designed to operate different backdoors depending on the machine’s operating system. While Windows victims are compromised with POWERLESS, Apple macOS victims are targeted by an infection chain that culminates in NokNok via a functional VPN application laced with malware.

“This threat actor is deeply committed to conducting surveillance on its targets to determine how best to manipulate them and deploy malware,” the researchers said. “Furthermore, few other threat actors have consistently launched as many campaigns as CharmingCypress, with human operators supporting their ongoing efforts.”


The revelation comes as Recorded Future exposed the IRGC’s attacks on Western countries using a network of contracting companies that also specialize in exporting technologies for surveillance and offensive purposes to countries such as Iraq, Syria and Lebanon.

The relationship between intelligence and military organizations and Iran-based contractors takes the form of various cyber centers that act as “firewalls” to hide the sponsoring entity.

They include Ayandeh Sazan Sepher Aria (believed to be associated with Emennet Pasargad), DSP Research Institute, Sabrin Kish, Soroush Saman, Mahak Rayan Afraz and the Parnian Telecommunication and Electronic Company.

“Iranian contracting companies are founded and run by a tight network of personas, who in some cases represent the contractors as board members,” the company says. said. “The individuals are closely associated with the IRGC, and in some cases are even representatives of sanctioned entities (such as the IRGC Cooperative Foundation).”

#Iranian #hackers #target #Middle #East #policy #experts #BASICSTAR #backdoor

Notify of
Inline Feedbacks
View all comments
Previous Post
Roundcube Flaws

Russia-linked hackers breached more than 80 organizations via Roundcube flaws

Next Post
Zeus and IcedID Malware

FBI’s Most Wanted Zeus and IcedID Malware Mastermind Pleads Guilty

Related Posts