overview

Threat researchers with the Insikt Group have identified activity from the Iran-based nexus group GreenCharlie, targeting United States political and government entities with phishing operations, and malware such as GORBLE and POWERSTAR.  

GreenCharlie’s primary goal is to influence voter behavior during election cycles to sow a general sense of discord, which can have broad ranging, negative consequences for domestic economic confidence, however successfully breaching a target will also allow more direct attacks, such as data exfiltration, espionage, and ransomware attacks.  

GreenCharlie relies primarily on registered domains, crafted to lure in targets and trick them into revealing sensitive information or downloading malicious files. While GreenCharlie themselves may have no interest in further exploitation, they may sell access, credentials, or other sensitive information on the dark web to those with financial motivations.  

 

 

how avertium is protecting our customers

 

IOCs ADDED TO OUR THREAT FEEDS

NOTE!: Avertium is actively searching across all monitored environments for the IoC’s listed below. If any are discovered, we will reach out to you directly. If your environment or portions of your environment are not currently being monitored, please reach out to your Service Delivery Manager. 

  • 37.255.251.17 
  • 146.70.95.251 
  • 37.1.194.250 
  • 93.119.48.60 
  • 94.74.145.184 
  • 33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156 
  • 4ac088bf25d153ec2b9402377695b15a28019dc8087d98bd34e10fed3424125f 
  • c3486133783379e13ed37c45dc6645cbee4c1c6e62e7988722931eef99c8eaf3 
  • 172.86.77.85 
  • 185.241.61.86 
  • 193.111.236.130 
  • 37.148.63.24 
  • 38.180.123.113 
  • 38.180.123.135 
  • 38.180.123.187 
  • 38.180.123.231 
  • 38.180.123.234 
  • 38.180.146.174 
  • 38.180.146.194 
  • 38.180.146.212 
  • 38.180.146.214 
  • 38.180.146.252 
  • 38.180.91.213 
  • 5.106.153.245 
  • 5.106.169.235 
  • 5.106.185.98 
  • 5.106.202.101 
  • 5.106.219.243 
  • 54.39.143.112 
  • 91.232.105.185 
  • 94.74.175.209 
  • activeeditor.info 
  • chatsynctransfer.info 
  • cloudarchive.info 
  • cloudregionpages.info 
  • directfileinternal.info 
  • itemselectionmode.info 
  • messagepending.info 
  • onetimestorage.info 
  • onlinecloudzone.info 
  • personalcloudparent.info 
  • personalwebview.info 
  • pkglessplans.xyz 
  • projectdrivevirtualcloud.co.uk 
  • realcloud.info 
  • researchdocument.info 
  • selfpackage.info 
  • webviewerpage.info 
  • admin.cheap-case.site 
  • api.cheap-case.site 
  • api.overall-continuing.site 
  • app.cheap-case.site 
  • backend.cheap-case.site 
  • callfeedback.duia.ro 
  • cloudtools.duia.eu 
  • coldwarehexahash.dns-dynamic.net 
  • contentpreview.redirectme.net 
  • continue.duia.eu 
  • continueresource.forumz.info 
  • demo.cheap-case.site 
  • destinationzone.duia.eu 
  • dev.cheap-case.site 
  • doceditor.duckdns.org 
  • documentcloudeditor.ddnsgeek.com 
  • dynamicrender.line.pm 
  • dynamictranslator.ddnsgeek.com 
  • editioncloudfiles.dns-dynamic.net 
  • entryconfirmation.duckdns.org 
  • filereader.dns-dynamic.net 
  • finaledition.redirectme.net 
  • highlightsreview.line.pm 
  • hugmefirstddd.ddns.net 
  • icenotebook.ddns.net 
  • joincloud.duckdns.org 
  • joincloud.mypi.co 
  • lineeditor.001www.com 
  • lineeditor.32-b.it 
  • lineeditor.mypi.co 
  • linereview.duia.eu 
  • longlivefreedom.ddns.net 
  • mobiletoolssdk.dns-dynamic.net 
  • nextcloud.duia.us 
  • nextcloudzone.dns-dynamic.net 
  • overflow.duia.eu 
  • preparingdestination.fixip.org 
  • readquickarticle.dns-dynamic.net 
  • realpage.redirectme.net 
  • reviewedition.duia.eu 
  • searchstatistics.duckdns.org 
  • sharestoredocs.theworkpc.com 
  • smartview.dns-dynamic.net 
  • softservicetel.ddns.net 
  • sourceusedirection.mypi.co 
  • storageprovider.duia.eu 
  • streaml23.duia.eu 
  • synctimezone.dns-dynamic.net 
  • termsstatement.duckdns.org 
  • thisismyapp.accesscam.org 
  • thisismydomain.chickenkiller.com 
  • timelinepage.dns-dynamic.net 
  • timezone-update.duckdns.org 
  • towerreseller.dns-dynamic.net 
  • tracedestination.duia.eu 
  • translatorupdater.dns-dynamic.net 
  • uptime-timezone.dns-dynamic.net 
  • uptimezonemetadta.run.place 
  • vector.kozow.com 
  • viewdestination.vpndns.net 
  • worldstate.duia.us 
  • www.chatsynctransfer.info 
  • www.selfpackage.info 

 

TTPs TO MONITOR

  1. Initial Access (T1566)
  • Phishing (T1566.001): Phishing itself falls under the Initial Access tactic, as it is typically used to gain the first foothold into a target system or network. Phishing often involves tricking users into clicking malicious links, downloading malware, or providing sensitive information, such as login credentials. 
  1. Execution (T1204)
  • User Execution (T1204.002): Once the phishing email is opened, users may be tricked into executing malicious attachments or scripts, leading to the execution of malware or other harmful activities on their systems. 
  1. Credential Access (T1110, T1078)
  • Credential Harvesting (T1110): Phishing can be used to gather credentials by luring users to enter their usernames and passwords into fake login pages or other fraudulent sites. 
  • Valid Accounts (T1078): After successfully obtaining credentials, attackers can use these stolen accounts to access systems and move laterally within the target environment. 
  1. Collection (T1114)
  • Email Collection (T1114): Phishing campaigns often target email accounts to collect sensitive information, such as business communications or other valuable data stored in the victim's email. 
  1. Command and Control (T1071)
  • Web Protocols (T1071.001): Phishing can establish command and control (C2) channels, especially when phishing involves malware that communicates with external servers using web-based protocols to receive instructions or exfiltrate data. 
  1. Exfiltration (T1048)
  • Exfiltration Over Web Service (T1048.003): After gaining access, attackers might use the compromised credentials or malware to exfiltrate data through web services, often disguised as normal traffic, to avoid detection. 
  1. Impact (T1486)
  • Data Encrypted for Impact (T1486): Phishing campaigns can also lead to ransomware attacks, where data is encrypted as part of an extortion scheme. 

 

 

ADDITIONAL SERVICE OFFERINGS

  • Fusion MXDR  is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
    • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK). 
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).




 

SUPPORTING DOCUMENTATION

GreenCharlie Infrastructure Targeting US Political Entities with Advanced Phishing and Malware 

US Political Campaigns Targeted by Iranian Spear Phishing Attacks 

 

Chat With One of Our Experts




Malware phishing Flash Notice United States Blog