Researchers at Check Point have recently disclosed an ongoing surveillance operation by Iranian entities that has targeted Iranian expatriates and protesters for years. The Rampant Kitten hacking group used Android backdoors to extract 2FA codes from SMS messages and to record the phone's surroundings.
The cybersecurity researchers at Check Point named this hacking group Rampant Kitten, and they also affirmed that the group mostly managed to keep its operations under the radar for at least six years.
Main Targets of Hackers
According to the Check Point report, the hackers mainly targeted Iranian minorities, anti-regime organizations, and resistance movements such as:
- Association of Families of Camp Ashraf and Liberty Residents (AFALR)
- Azerbaijan National Resistance Organization
- Balochistan people
Tools and Methods Used
- Four variants of Windows info stealers designed to steal the victim's documents as well as their Telegram Desktop and KeePass account data.
- An Android backdoor that extracts two-factor authentication codes from SMS messages, records the phone's surroundings, and more.
- Telegram phishing pages, distributed through fake Telegram service accounts.
Apart from this, the experts came across some suspicious documents with Arabic names. Once they translated one, its title referred to the ongoing conflict between the Iranian regime and the Revolutionary Cannons, a Mujahedin-e Khalq movement.
The document leverages the external template technique, which lets it load a document template from a remote server. This caught the experts' attention, and they began researching it further.
Their research turned up tweets from accounts critical of the Iranian regime that pointed to a closely related SharePoint site, which the website referenced in the document was plausibly impersonating.
The experts also describe the infection chain: once the victim opens the document, the remote template is downloaded, and the malicious macro code in the template executes a batch script that attempts to download and run the next-stage payload.
Main Features of the Malware
| Feature | Description |
| --- | --- |
| Information Stealer | Uploads relevant Telegram files from the infected computer, which let the attackers make full use of the victim's Telegram account. Steals data from the KeePass application. Uploads any file it can find that ends with one of a set of pre-defined extensions. Logs clipboard data and takes desktop screenshots. |
| Module Downloader | Downloads and installs various additional modules. |
| Unique Persistence | Implements a persistence mechanism based on Telegram's internal update method. |
During the investigation, the experts found another malicious Android application operated by the same threat actors. It was disguised as a service to help Persian speakers in Sweden obtain their driver's license.
Features of Android Backdoor:-
- Steals existing SMS messages.
- Forwards two-factor authentication SMS messages to a phone number supplied by the attacker-controlled C&C server.
- Retrieves personal data such as contacts and account details.
- Starts a voice recording of the phone's surroundings.
- Performs Google account phishing.
- Retrieves device information such as installed apps and running processes.
| Command group | Commands |
| --- | --- |
| Authentication | HelloWorld: authentication message. |
| Module Downloader | DownloadFileSize: checks whether a module should be downloaded. DownloadFile: downloads a module from the remote server. |
| Data Exfiltration | UploadFileExist: checks whether a particular victim file has already been uploaded. UploadFile: uploads a specific victim file. |
Besides the backdoor, the security experts also detected Telegram phishing: some of the websites related to this malicious activity also hosted phishing pages imitating Telegram.
The threat actors planned this attack very carefully; it is a large-scale operation that has managed to stay under the radar for at least six years. The threat actors are based in Iran and took advantage of several attack vectors to spy on their victims.
You can get the complete list of Indicators of Compromise here.