Charming Kitten is a cybercriminal group believed to be of Iranian origin, which was first seen in 2014, but had been active for years after the initial detection. The group use an intricate web of methods such as spear phishing and impersonation. They even create fake organizations and personas, complete with email and social media accounts.

The group’s targets are mostly individuals in the media, human rights, and academic research fields. Unlike other cyberespionage groups that aim to infiltrate victims’ networks, one of Charming Kitten’s primary objectives is to hack into social and email accounts and gather details about victims.

Clear Sky released a comprehensive report about the group, presenting 240 malicious domain names, 86 IP addresses, and 28 email addresses as indicators of compromise (IoCs). We studied these IoCs in light of recent sightings of the group.

Malicious Domains

Of the malicious domains cited as Charming Kitten IoCs, we gathered 45 domain’s records with our bulk WHOIS lookup tool. Facebook has acquired two domains based on their registrant email—com-video[.]net and login-account[.]net. The Digital Crimes Unit of Microsoft also claimed two other domains—yahoo-verification[.]net and yahoo-verify[.]net. Healthcare Management Solutions also now owns sadashboard[.]com.

Interestingly, other malicious domains still can’t be attributed to the spoofed companies, including the following:

• fb-login[.]cf
• drives-google[.]com
• microsoft-upgrade[.]mobi
• gmal[.]cf
• hot-mail[.]ml

Charming Kitten and other groups could still use domains like these to imitate brands in phishing attacks.

IoCs Not Reported as Malicious

Some domains included in the list of IoCs were not reported as malicious or at least suspicious as of the time of writing despite their involvement in Charming Kitten attacks. The domain britishnews[.]org, for example, was found to redirect to britishnews[.]com[.]co, a made-up news website that hosted a penetration testing tool called “Browser Exploitation Framework (BeEF).” The domain is not tagged “malicious” even if it resolves to a malicious IP address.

The table below shows other domains that are not tagged as malicious and their associated IP addresses revealed by DNS Lookup. The IP addresses were then run on VirusTotal to check if they are malicious.

Since these domains and a couple of IP addresses are not cited as malicious, they could be used successfully in penetration attacks. Reverse IP Lookup also showed that all of them could be shared IP addresses since they have hundreds of connected domains. Implementing an IP-level blacklist for malicious IP addresses may be a good approach for organizations.

IP Addresses

To recall, 86 IP addresses were tagged as Charming Kitten IoCs. The IP addresses in the table above are not among the IoCs mentioned in the Clear Sky report. As such, continuous monitoring of malicious domains is needed to ensure that IP address blacklists stay up to date.

We used IP Geolocation to see the originating countries of the IoCs and found that a majority were from the U.S., followed by the Netherlands, France, the U.K., and Germany. Aside from Iran, these countries are also where certain of the group’s targets were located. In fact, the group was seen impersonating German journalists in July 2020.

Charming Kitten IoCs, like those of other cybercrime groups, may continue to evolve. Some domains and IP addresses would be dropped, while others may be claimed by the legitimate entities they imitate. Still, some IoCs are too effective to let go and so could still be weaponized by Charming Kitten or other groups.

The key takeaway for organizations is that constant monitoring of known IoCs is necessary for utmost protection.