Threats Feed | GreenCharlie | Last Updated: 02/10/2024 | Author: Certfa Radar | Publish Date: 20/08/2024

GreenCharlie Targets US Political Campaigns with Advanced Malware and Phishing

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Malware, Phishing
  • Attack Complexity: High
  • Threat Risk: High Impact / High Probability

Threat Overview

GreenCharlie, an Iranian APT group whose activity overlaps with Mint Sandstorm and APT42, has targeted US political campaigns and their affiliates since May 2024 through spearphishing and custom malware. The group builds its infrastructure on dynamic DNS domains, VPN services, and compromised hosts, and uses it for espionage. The malware families deployed include GORBLE, POWERSTAR, and TAMECAT, which share significant code. The infrastructure is associated with Iran-based IP addresses and supports campaigns against high-value targets such as research analysts, diplomats, and government officials. GreenCharlie likely operates under the Islamic Revolutionary Guard Corps (IRGC).

Detected Targets

Type   | Description                      | Confidence
Sector | Government Agencies and Services | Verified
Sector | Political                        | Verified
Region | United States                    | Verified

Extracted IOCs

  • activeeditor[.]info
  • chatsynctransfer[.]info
  • cloudarchive[.]info
  • cloudregionpages[.]info
  • directfileinternal[.]info
  • itemselectionmode[.]info
  • messagepending[.]info
  • onetimestorage[.]info
  • onlinecloudzone[.]info
  • personalcloudparent[.]info
  • personalwebview[.]info
  • pkglessplans[.]xyz
  • projectdrivevirtualcloud.co[.]uk
  • realcloud[.]info
  • researchdocument[.]info
  • selfpackage[.]info
  • webviewerpage[.]info
  • admin.cheap-case[.]site
  • api.cheap-case[.]site
  • api.overall-continuing[.]site
  • app.cheap-case[.]site
  • backend.cheap-case[.]site
  • callfeedback.duia[.]ro
  • cloudtools.duia[.]eu
  • coldwarehexahash.dns-dynamic[.]net
  • configtools.linkpc[.]net
  • contentpreview.redirectme[.]net
  • continue.duia[.]eu
  • continueresource.forumz[.]info
  • demo.cheap-case[.]site
  • destinationzone.duia[.]eu
  • dev.cheap-case[.]site
  • doceditor.duckdns[.]org
  • documentcloudeditor.ddnsgeek[.]com
  • dynamicrender.line[.]pm
  • dynamictranslator.ddnsgeek[.]com
  • editioncloudfiles.dns-dynamic[.]net
  • entryconfirmation.duckdns[.]org
  • fileeditiontools.linkpc[.]net
  • filereader.dns-dynamic[.]net
  • finaledition.redirectme[.]net
  • highlightsreview.line[.]pm
  • hugmefirstddd.ddns[.]net
  • icenotebook.ddns[.]net
  • joincloud.duckdns[.]org
  • joincloud.mypi[.]co
  • lineeditor.001www[.]com
  • lineeditor.32-b[.]it
  • lineeditor.mypi[.]co
  • linereview.duia[.]eu
  • longlivefreedom.ddns[.]net
  • mobiletoolssdk.dns-dynamic[.]net
  • nextcloud.duia[.]us
  • nextcloudzone.dns-dynamic[.]net
  • overflow.duia[.]eu
  • pagerendercloud.linkpc[.]net
  • pageviewer.linkpc[.]net
  • personalstoragebox.linkpc[.]net
  • preparingdestination.fixip[.]org
  • readquickarticle.dns-dynamic[.]net
  • realpage.redirectme[.]net
  • reviewedition.duia[.]eu
  • searchstatistics.duckdns[.]org
  • sharestoredocs.theworkpc[.]com
  • smartview.dns-dynamic[.]net
  • softservicetel.ddns[.]net
  • sourceusedirection.mypi[.]co
  • splitviewer.linkpc[.]net
  • storageprovider.duia[.]eu
  • streaml23.duia[.]eu
  • synctimezone.dns-dynamic[.]net
  • termsstatement.duckdns[.]org
  • thisismyapp.accesscam[.]org
  • thisismydomain.chickenkiller[.]com
  • timelinepage.dns-dynamic[.]net
  • timezone-update.duckdns[.]org
  • towerreseller.dns-dynamic[.]net
  • tracedestination.duia[.]eu
  • translatorupdater.dns-dynamic[.]net
  • uptime-timezone.dns-dynamic[.]net
  • uptimezonemetadta.run[.]place
  • vector.kozow[.]com
  • viewdestination.vpndns[.]net
  • worldstate.duia[.]us
  • www.chatsynctransfer[.]info
  • www.selfpackage[.]info
  • 33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156
  • 4ac088bf25d153ec2b9402377695b15a28019dc8087d98bd34e10fed3424125f
  • c3486133783379e13ed37c45dc6645cbee4c1c6e62e7988722931eef99c8eaf3
  • 146[.]70.95.251
  • 172[.]86.77.85
  • 185[.]143.233.120
  • 185[.]241.61.86
  • 193[.]111.236.130
  • 37[.]1.194.250
  • 37[.]148.63.24
  • 37[.]255.251.17
  • 38[.]180.123.113
  • 38[.]180.123.135
  • 38[.]180.123.187
  • 38[.]180.123.231
  • 38[.]180.123.234
  • 38[.]180.146.174
  • 38[.]180.146.194
  • 38[.]180.146.212
  • 38[.]180.146.214
  • 38[.]180.146.252
  • 38[.]180.91.213
  • 5[.]106.153.245
  • 5[.]106.169.235
  • 5[.]106.185.98
  • 5[.]106.202.101
  • 5[.]106.219.243
  • 54[.]39.143.112
  • 91[.]232.105.185
  • 93[.]119.48.60
  • 94[.]74.145.184
  • 94[.]74.175.209

Tip: 118 IOCs related to this threat have been found (29 IPs, 86 domains, 0 URLs, 0 email addresses, 3 file hashes).
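The indicators above are defanged inconsistently: domains replace their last dot with "[.]" while IP addresses replace the first, and many of the domains are throwaway hosts under dynamic DNS parents (duckdns.org, ddns.net, dns-dynamic.net, linkpc.net and so on), so matching must be on the full listed host rather than the parent zone. As an added example that is not Certfa Radar's code or tooling, the following Python script refangs indicators in the form used on this page, classifies each as a domain, IPv4 address or SHA-256 hash, flags the dynamic-DNS hosts, and scans log lines for hits. The subset of indicators embedded in it is copied from the list above; the log lines and the DYNDNS_PARENTS set are constructed for the demonstration and are assumptions, not part of the feed.

```python
"""IOC matcher for defanged threat-feed indicators (added example)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# A few indicators copied from the list above, still defanged. Domains defang
# the last dot, IPs the first; refang() handles both.
DEFANGED_IOCS = [
    "chatsynctransfer[.]info",
    "www.chatsynctransfer[.]info",
    "doceditor.duckdns[.]org",
    "hugmefirstddd.ddns[.]net",
    "projectdrivevirtualcloud.co[.]uk",
    "38[.]180.123.113",
    "5[.]106.153.245",
    "33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156",
]

# Assumption: dynamic-DNS parent zones seen in the list above. This is not a
# complete catalogue of dynamic-DNS providers.
DYNDNS_PARENTS = {"duckdns.org", "ddns.net", "dns-dynamic.net", "linkpc.net",
                  "redirectme.net", "ddnsgeek.com", "chickenkiller.com"}

# Constructed sample log lines (DNS, proxy, EDR); not real telemetry.
SAMPLE_LOGS = [
    "2024-08-20T10:01:02Z dns client=10.0.0.5 query=www.chatsynctransfer.info type=A",
    "2024-08-20T10:01:05Z proxy client=10.0.0.5 dst=38.180.123.113:443 action=allow",
    "2024-08-20T10:02:11Z dns client=10.0.0.7 query=mail.duckdns.org type=A",
    "2024-08-20T10:03:40Z edr host=ws-12 file=update.ps1 "
    "sha256=33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156",
    "2024-08-20T10:04:00Z dns client=10.0.0.9 query=cdn.example.com type=A",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Candidate tokens: hostnames, dotted IPs and hex hashes; ':' and '=' end a token.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")


def refang(ioc: str) -> str:
    """Restore '[.]' to '.', trim whitespace, lower-case."""
    return ioc.replace("[.]", ".").strip().lower()


def classify(value: str) -> str:
    """Return 'sha256', 'ip' or 'domain' for a refanged indicator."""
    if SHA256_RE.match(value):
        return "sha256"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "domain"


def load_iocs(defanged: List[str]) -> Dict[str, set]:
    """Refang and bucket a defanged indicator list by type."""
    buckets: Dict[str, set] = {"ip": set(), "sha256": set(), "domain": set()}
    for raw in defanged:
        value = refang(raw)
        buckets[classify(value)].add(value)
    return buckets


def is_dyndns(domain: str) -> bool:
    """True if the host sits under one of the dynamic-DNS parents above."""
    return any(domain == p or domain.endswith("." + p) for p in DYNDNS_PARENTS)


def dyndns_domains(iocs: Dict[str, set]) -> List[str]:
    """Listed domains that live on dynamic DNS (only the full host is an IOC)."""
    return sorted(d for d in iocs["domain"] if is_dyndns(d))


def find_hits(line: str, iocs: Dict[str, set]) -> List[Tuple[str, str]]:
    """Hits in one log line. Domains match exactly or as a subdomain of a
    listed host; the longest listed host wins; IPs and hashes match exactly."""
    hits = []
    for tok in TOKEN_RE.findall(line):
        tok = tok.lower().rstrip(".")
        kind = classify(tok)
        if kind == "domain":
            matches = [d for d in iocs["domain"] if tok == d or tok.endswith("." + d)]
            if matches:
                hits.append(("domain", max(matches, key=len)))
        elif tok in iocs[kind]:
            hits.append((kind, tok))
    return hits


def scan(lines: List[str], iocs: Dict[str, set]) -> List[Tuple[int, str, str]]:
    """(line number, kind, indicator) for every hit across the log lines."""
    return [(n, kind, ioc) for n, line in enumerate(lines, 1)
            for kind, ioc in find_hits(line, iocs)]


if __name__ == "__main__":
    iocs = load_iocs(DEFANGED_IOCS)
    print("dynamic-DNS hosts in feed:", dyndns_domains(iocs))
    for n, kind, ioc in scan(SAMPLE_LOGS, iocs):
        print(f"line {n}: {kind} match on {ioc}")
```

Note that the query for mail.duckdns.org in the sample does not fire: only doceditor.duckdns.org is listed, and blocking the whole duckdns.org zone would produce noise far beyond this actor. Matching the full host, and its subdomains, is the right granularity for dynamic-DNS indicators.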

Overlaps

APT42: APT42 Targets Israeli and U.S. High-Profile Sectors with Sophisticated Phishing Campaigns

Source: Google - August 2024

Overlapping IOCs (3 file hashes): 33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156, 4ac088bf25d153ec2b9402377695b15a28019dc8087d98bd34e10fed3424125f, c3486133783379e13ed37c45dc6645cbee4c1c6e62e7988722931eef99c8eaf3

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

About Affiliation
GreenCharlie