When the Iranian hacker group APT35 wants to know whether one of its digital lures has been bitten, all it has to do is check Telegram. Each time someone visits one of the copycat sites the group creates, a notification appears in a channel on the public messaging service describing the potential victim's IP address, location, device, browser, and more. It is not a push notification; it is a phish notification.
Google's Threat Analysis Group outlined the technique as part of a broader look at APT35, also known as Charming Kitten, a state-sponsored group that has spent years trying to get high-value targets to click on the wrong link and cough up their credentials. And while APT35 is not the most successful or sophisticated threat on the international stage (this is, after all, the same group that accidentally leaked hours of video of its own hacking operations), its use of Telegram stands out as an inventive wrinkle that can pay dividends.
The group uses several approaches to get people onto its phishing pages. Google outlined a few scenarios it has seen recently: a compromised British university website, a fake VPN app that slipped into the Google Play Store, and phishing emails in which the hackers impersonate real conference organizers and try to harvest credentials through malicious PDF files, Dropbox links, websites, and more.
In the case of the university website, the hackers direct potential victims to the compromised page, which invites them to log in with the service provider of their choice (everything from Gmail to Facebook to AOL is on offer) to view a webinar. Anyone who enters their credentials sends them straight to APT35, which then also asks for the victim's two-factor authentication code. It is a technique so old it has a mustache; APT35 has been running it since 2017 against people in government, academia, national security, and more.
The fake VPN is not especially innovative either, and Google says it pulled the app from its store before anyone could download it. Had someone fallen for the trick, however, or installed it from another platform where it is still available, the spyware could have stolen call logs, text messages, location data, and contacts.
To be honest, APT35 is not that good. Although in recent years it has convincingly posed as staff of the Munich Security Conference and Think-20 Italy, that too is straight out of Phishing 101. "This is a very prolific group with a wide range of targets, but that breadth is not representative of the level of success the actor has," said Ajax Bash, a security engineer at Google TAG. "Their success is actually very low."