Blog
>
Cyberthreats
4
 Min read

Tracking APT35 (Charming Kitten) Activities in Albania

Published on 
Nov 4, 2024
Tracking APT35 (Charming Kitten) Activities in Albania

Introduction

From October 25 to October 27, we observed malicious activities from a Threat Actor targeting Albania through our Threat Intelligence Platform, Sphere. Our investigation extended to other regions to check for similar indicators but found no related activity in other countries, confirmed through various intelligence tools.

Activity Overview

Sphere is a comprehensive threat intelligence platform with modules dedicated to Threat Intelligence and Identity Management. The following graph highlights the activities detected from this Threat Actor in 2024, pinpointing that this actor was especially active between October 25 and 27. The actor was found exploiting multiple vulnerabilities, demonstrating a relatively noisy operational style during this timeframe.

Figure 1. APT35 activity in Albania

Exploited Vulnerabilities

During this period, the threat actor exploited a range of known vulnerabilities, including:

  • CVE-2024-1561 - Local File Inclusion in Gradio (open-source Python package for building ML web apps)
  • CVE-2024-5975 - SQL Injection in CZ Loan Management WordPress plugin
  • CVE-2024-4577 - OS Command Injection in PHP-CGI
  • CVE-2014-2383 - Information Disclosure in DomPDF (HTML to PDF converter)
  • CVE-2017-5638 - Remote Code Execution in Apache Struts
  • CVE-2018-3238 - Unauthorized Access to Oracle WebCenter Sites
  • CVE-2021-26084 - OGNL Injection in Confluence Server and Data Center
  • CVE-2020-9483 - SQL Injection in Apache Skywalking
  • CVE-2017-9841 - Code Injection in PHPunit
  • CVE-2021-34473 - Proxy Shell, Remote Code Execution in Microsoft Exchange Server
  • CVE-2022-1388 - Missing Authentication in F5 BIG-IP

Command & Control (C2) Server

Further investigation on our platform revealed that the IP address used by the attacker was linked to a Command & Control (C2) server traced back to August 2024. The actor employed the Mythic C2 framework, a red-teaming platform built in Golang and equipped for post-exploitation tasks, aligning with several of the vulnerabilities exploited.

Other Activities

Our continued monitoring identified additional suspicious activities, including:

1. A phishing/spear-phishing campaign themed around discounted travel, aiming to lure users into downloading a malicious archive file. While no password was included on the website, it’s likely this would be distributed via email.

2. A campaign likely designed to harvest credentials from Cisco ASA WebVPN users.

Attribution

Initially, the observed tactics, techniques, and procedures (TTPs) did not strongly align with known threat actors. However, extensive reconnaissance, including domain registration checks associated with the attacker’s IP, linked this activity to APT35 (Charming Kitten). This group, recognized for its opportunistic yet persistent attacks, has been involved in cyber operations largely associated with Iranian interests.

Background on APT35 (Charming Kitten)

APT35, also known as Charming Kitten or Phosphorus, is an Iranian government-sponsored group recognized for cyber-warfare operations. Although their tactics may appear unsophisticated, APT35 is known for persistence, especially in targeting government entities and critical infrastructure in regions such as the Middle East and Europe. Albania has previously been a target of similar attacks, indicating strategic intentions that go beyond simple data theft.

Iranian-linked cyber operations, including those by APT35, often combine espionage with influence tactics. These operations typically focus on:

- Disrupting governmental and infrastructure sectors to create instability.
- Conducting information operations, leveraging compromised sites to spread disinformation.
- Exploiting common CMS vulnerabilities to gain initial access.

These tactics underscore the need for enhanced cyber defense mechanisms to counteract persistent threats from nation-state actors. Albania, in particular, remains a key focus for such Iranian cyber-warfare activities.

IoC

85[.]114[.]138[.]96

168[.]100[.]8[.]190

168[.]100[.]10[.]216

proxy[.]0pzmon0zog[.]xyz

de6f366c120d2aabeacfb66e01e7eba68a5b094672a4412dbe9fd5259c093b83

By clicking "Accept" you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.