BASICSTAR Backdoor Used By Iranian Threat Actor
The Iranian-linked threat actor known as Charming Kitten, also referred to as APT35, CharmingCypress, Mint Sandstorm, TA453, and Yellow Garuda, has been identified in a recent series of attacks targeting Middle East policy experts. These attacks involve the use of a new backdoor named BASICSTAR, which is deployed through a fake webinar portal.
Charming Kitten has a history of conducting diverse social engineering campaigns, with a particular focus on think tanks, NGOs, and journalists. Their tactics include engaging targets in prolonged email conversations before sending links to malicious content, as noted by Volexity researchers Ankur Saini, Callum Roxan, Charlie Gardner, and Damien Cash.
Microsoft reported that high-profile individuals involved in Middle Eastern affairs were targeted by Charming Kitten to distribute malware such as MischiefTut and MediaPl (aka EYEGLASS), which are capable of extracting sensitive information. Over the past year the threat actor, believed to be associated with Iran's Islamic Revolutionary Guard Corps (IRGC), has also distributed several other backdoors, including PowerLess, BellaCiao, POWERSTAR (aka GorjolEcho), and NokNok, continuing its operations and adapting its tactics despite public exposure.
BASICSTAR Deployed as Part of Long-Term Infiltration
Phishing attacks observed between September and October 2023 involved Charming Kitten posing as the Rasanah International Institute for Iranian Studies (IIIS) to build trust with targets. The attacks feature the use of compromised email accounts and a technique called Multi-Persona Impersonation (MPI), where multiple threat-actor-controlled email accounts are utilized.
The attack chains commonly utilize RAR archives containing LNK files to distribute malware. Prospective targets are encouraged to join a fake webinar on topics of interest, leading to a multi-stage infection sequence deploying BASICSTAR and KORKULOADER, a PowerShell downloader script.
BASICSTAR, a Visual Basic Script (VBS) malware, can gather basic system information, execute commands received from a command-and-control (C2) server, and download and display decoy PDF files. Some attacks also tailor the payload to the victim's operating system: Windows victims are compromised with POWERLESS, while Apple macOS victims are led through an infection chain, delivered via a malware-laced VPN application, that culminates in NokNok.
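The RAR-packed LNK delivery described above is a natural place for a mail-gateway or incident-response check. The following is an added example, not code from the Volexity report or from any tool it mentions: it parses the Shell Link header and string data of a .lnk file pulled from an archive and flags the traits an analyst would triage first (the target is a script host, or the window is minimised on launch). The build_lnk fixture and its sample values are constructed for illustration, and the ANSI code page for non-Unicode links is assumed to be cp1252.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # Shell Link CLSID, on-disk byte order
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections follow the header in this fixed order, each gated by a LinkFlags bit
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon", 0x40))
SW_SHOWMINNOACTIVE = 7          # ShowCommand that launches the target minimised, out of sight
SCRIPT_HOSTS = ("wscript", "cscript", "powershell", "pwsh", "mshta", "cmd.exe")


def parse_lnk(data: bytes) -> dict:
    """Parse the fixed 0x4C-byte header and StringData; IDList and LinkInfo are skipped."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    pos = 0x4C
    if flags & HAS_IDLIST:                      # IDListSize (uint16) precedes the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                    # LinkInfoSize (uint32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "show_cmd": show_cmd}
    width = 2 if flags & IS_UNICODE else 1      # UTF-16LE vs. ANSI (cp1252 assumed here)
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        info[field] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return info


def triage_lnk(data: bytes) -> list:
    """Findings a gateway or analyst would want for a shortcut pulled out of an archive."""
    info = parse_lnk(data)
    launch = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    findings = []
    if any(host in launch for host in SCRIPT_HOSTS):
        findings.append("target is a script host or command shell")
    if info["show_cmd"] == SW_SHOWMINNOACTIVE:
        findings.append("window is minimised on launch")
    return findings


def build_lnk(relative_path: str, arguments: str, show_cmd: int = 1) -> bytes:
    """Constructed fixture: a minimal Unicode Shell Link with no IDList or LinkInfo."""
    flags = 0x08 | 0x20 | IS_UNICODE            # HasRelativePath | HasArguments | IsUnicode
    header = struct.pack("<I16sIIqqqIiIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + strings
```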