When the Iranian APT35 hacking group wants to know if any of his digital decoys have bitten, he just needs to check Telegram. Whenever someone visits one of the copy sites they have set up, a notification will appear in a public channel on the email service, detailing the IP address, location, device, browser, etc. of the potential victim. That’s not a push notification; it’s a Phishing notification.
Google Threat Analysis Group describe the new technique as part of a larger look at APT35, also known as Charming Kitten, a state-sponsored group that has spent the last few years trying to get high-value targets to click. the wrong link and spit out their credentials. And while APT35 may not be the most successful or sophisticated threat on the international stage, it is the same group, after all, that accidentally Leaked hours of videos of themselves hacking– their use of Telegram stands out as an innovative wrinkle that could pay off.
The group uses a variety of approaches to try to get people to visit their phishing pages in the first place. Google has described a few scenarios it has seen recently: the compromise of a UK university website, a bogus VPN app that briefly crept into the Google Play Store, and phishing emails that hackers claim to be in. organizers of real conferences and try to trick their brands through malicious PDFs, Dropbox links, websites, etc.
In the case of the university’s website, hackers redirect potential victims to the compromised page, which encourages them to connect with the service provider of their choice (everything is offered from Gmail to Facebook to AOL) to watch a webinar. If you enter your credentials, it goes straight to APT35, which also asks for your two-factor authentication code. It’s such an old technique that it has mustaches on it; APT35 has been running it since 2017 to target people in government, academia, national security, etc.
The bogus VPN isn’t particularly innovative either, and Google says it started the app from its store before anyone managed to download it. If someone has fallen for the trap, however, or installs it on another platform where it is still available, the spyware can steal call logs, texts, location data, and contacts.
Frankly, the APT35s aren’t exactly outperformers. While they have convincingly emulated officials from the Munich Security Conference and Think-20 Italy in recent years, that too has come straight out of Phishing 101. from the actor’s level of success, ”says Ajax Bash, security engineer at Google TAG. “Their success rate is actually very low. “
Telegram robot told Iranian pirates when they were hit
Source link Telegram robot told Iranian pirates when they were hit