Android Backdoor

Researchers at CheckPoint has recently disclosed an ongoing surveillance operation by Iranian entities targeting Iranian Expatriates and protesters for years. Here, the Rampant Kitten hacking group used Android backdoors to extract the 2FA codes from SMS messages and records the phone’s voice surroundings.

Researchers the cybersecurity researchers at Check Point has named this hacking group as a Rampant Kitten, and they also affirmed that this hacking group mostly managed to keep the operations under the radar for at least six years.

Main Targets of Hackers

According to the Checkpoint Report, the hackers mainly targeted the Iranian minorities, anti-regime organizations, and resistance movements like:-

  • Association of Families of Camp Ashraf and Liberty Residents (AFALR)
  • Azerbaijan National Resistance Organization
  • Balochistan people

Tools and Methods Used

Four alternatives of Windows info stealers assigned to steal the victim’s records as well as access to their Telegram Desktop and KeePass account data.

The Android backdoor that extricates two-factor authentication codes from SMS messages designates the phone’s voice surroundings and more.

The Telegram phishing pages are shared utilizing the fake Telegram service accounts.

Apart from this, the experts encountered some unsudden documents with Arabic names, which later they transposed it, and the title was implying to the ongoing conflict between the Iranian regime and the Revolutionary Cannons, a Mujahedin-e Khalq movement. 

The document leverages the external template method, enabling it to load a document template from a remote server. However, the experts got curious and started doing some research upon it. 

After research, they found some of the tweets from accounts questioning the Iranian regime, suggesting a very related SharePoint site, which the website in the document was plausibly representing.

Android Backdoor

Here, the experts describe it infection chain; they claimed that once the victim initiates the document, the remote template starts getting downloaded, the ill-disposed macro code in the template executes a batch script which attempts to download and accomplish the next stage of payload.

Android Backdoor

Main Features of the Malware

Information StealerIt uploads relevant Telegram files from the targeted computer, and these files enable the attackers to make full usage of the targeted Telegram account.Steals data from the KeePass application.It also uploads any file it could find, which stops with pre-defined extensions.Logs clipboard data and maintains desktop screenshots.
Module DownloaderDownloads and installs various additional modules.
Unique PersistencePerform a persistence mechanism based on Telegram’s internal update method.

Android Backdoor

The experts have found another malicious Android application during the investigation, and it was also performed by the same threat actors. This malicious application was hiding as a service to help Persian speakers in Sweden to get their driver’s license.

Features of Android Backdoor:-

  • Steal existing SMS messages.
  • Forwarding the two-factor authentication SMS messages to a phone number presented by the threat actors-controlled C&C server.
  • Recover personal data like contacts and accounts details.
  • Start a voice recording of the phone’s surroundings.
  • Applying a Google account phishing.
  • Recouping all device data like installed apps and running processes.

Commands categories

AuthenticationHelloWorld – Authentication message
Module DownloaderDownloadFileSize – Sees whether a module should be downloaded.DownloadFile – Downloads a module from the remote server.
Data ExfiltrationUploadFileExist – see whether a particular victim file has been uploaded.UploadFile – Uploads a specific victim file.

Telegram Phishing

Rather than a backdoor, the security experts also detected another app that was the Telegram Phishing. There are some websites that were related to this malicious activity also hosted phishing pages imitating Telegram.

The threat actors have very well planned this attack, as it is a large-scale operation that has been managed to stay under the radar for at least six years. Here, the threat actors were belonged from Iran and took advantage of several attack vectors to spy on their victims.

You can get the complete Indicators of compromise here.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read:

U.S Charges Two Iranian Hackers for Attacking Computer Systems in the United States, Europe & Middle East

US Charges Five Hackers from Chinese APT41 Hacker Group for Hacking More than 100 Firms Globally

Hidden Cobra APT Hackers Attack Japanese Organisations Via Obfuscation Malware & Remote SMB Tool

Iranian Charming Kitten APT Hackers Deploying Malware via WhatsApp Messages

Chinese APT Hackers Attack India & Hong Kong Using a New Malware to Steal Sensitive Data Remotely

APT Hackers Group Carefully Deploy Evilnum Malware Toolkit on Financial Sectors via Google Drive

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.