Iranian Group Found Spying on Dissidents
An Iran-linked group, named Rampant Kitten by researchers, has been discovered targeting anti-regime organizations in a campaign that has likely been running since 2014.
The primary targets include supporters of Mujahedin-e Khalq (MEK) and the Azerbaijan National Resistance Organization, two prominent resistance movements that advocate the liberation of Iranian people and minorities within Iran. These targets, together with WHOIS records suggesting that associated malicious websites had been registered by Iranian individuals, and the discovery of one registrant’s email address linked to Iranian hacking forums, are enough for the Check Point researchers to conclude that Rampant Kitten is an Iranian group, which itself implies a link to the Iranian regime. Its purpose is to gather intelligence on members of the dissident groups and their movements.
The attack vectors used in the campaign, which has largely remained under the radar for six years, include four variants of Windows infostealers (stealing documents, and Telegram Desktop and KeePass account information); an Android backdoor designed to steal 2FA codes from SMS messages and take voice recordings; and Telegram phishing pages distributed using fake Telegram service accounts.
The campaign was initially uncovered by the discovery of a document targeting the MEK in Albania. The MEK had originally been headquartered in Iraq, but following mounting political tensions had moved to Albania. The malicious document loads an external template downloaded from a remote server. The template contains a macro that executes a batch script that attempts to download the next-stage payload. The payload checks to see if Telegram is installed, and if so, extracts three additional executables from its resources. These are the Loader, which injects the main payload into explorer.exe; an infostealer payload; and updater.exe, which is a modified Telegram updater.
The last provides a unique persistence mechanism, based on Telegram’s internal update procedure. Periodically, the malware copies the Telegram Desktop executable into ‘Telegram Desktop\tupdates’. This triggers an update procedure for the Telegram application once it starts. However, the default updater file (Telegram Desktop\Updater.exe) has already been modified, most notably to run the payload again.
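As an added defender-side illustration (not from the article or from Check Point’s report), the following Python check audits a Telegram Desktop directory for the two artefacts of that persistence trick: an Updater.exe whose hash no longer matches a trusted baseline, and a binary staged in tupdates. The directory layout, the baseline hash and the file contents are constructed stand-ins, not real samples.

```python
"""Audit a Telegram Desktop directory for the updater-based persistence described above."""
import hashlib
import tempfile
from pathlib import Path

# Names Telegram Desktop uses on Windows (under %APPDATA%\Telegram Desktop in practice).
UPDATER_NAME = "Updater.exe"
UPDATES_DIR = "tupdates"


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_telegram_dir(telegram_dir: Path, trusted_updater_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    updater = telegram_dir / UPDATER_NAME
    # A tampered Updater.exe is the core of the trick: it re-launches the payload.
    if updater.exists() and sha256_of(updater) != trusted_updater_sha256:
        findings.append(f"{UPDATER_NAME} hash differs from trusted baseline")
    updates = telegram_dir / UPDATES_DIR
    # A genuine pending update also stages files here, so treat this as a lead
    # to verify the file's signature, not as proof of compromise on its own.
    if updates.is_dir():
        for f in sorted(updates.iterdir()):
            if f.suffix.lower() in {".exe", ".dll"}:
                findings.append(f"staged binary in {UPDATES_DIR}: {f.name}")
    return findings


def demo(compromised: bool = True) -> list:
    """Build a constructed Telegram Desktop tree, clean or mimicking the compromise."""
    root = Path(tempfile.mkdtemp()) / "Telegram Desktop"
    (root / UPDATES_DIR).mkdir(parents=True)
    genuine = b"GENUINE UPDATER (constructed stand-in)"
    baseline = hashlib.sha256(genuine).hexdigest()
    if compromised:
        (root / UPDATER_NAME).write_bytes(genuine + b" + extra launcher code")
        (root / UPDATES_DIR / "Telegram.exe").write_bytes(b"copied client (constructed)")
    else:
        (root / UPDATER_NAME).write_bytes(genuine)
    return audit_telegram_dir(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```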
Analysis of this payload led to the discovery of multiple variants dating back to 2014. This uncovered several websites operated by the same group. Some of these websites hosted phishing pages impersonating Telegram. Surprisingly, this phishing attack seems to have been known to Iranian Telegram users — several Iranian Telegram channels sent out warnings against the phishing sites, claiming that the Iranian regime is behind them. The channels suggested that the phishing messages were sent by a Telegram bot. The messages warned the recipients that they were making improper use of Telegram’s services, and that their account would be blocked if they did not visit the phishing link.
The researchers also discovered a malicious Android app connected to the same attack group. The app masquerades as a service to help Persian speakers in Sweden get their driver’s license. Two versions have been found — one apparently compiled as a test version, and the other the release version to be deployed on the target device.
The Android backdoor can steal existing SMS messages; forward 2FA SMS messages to a phone number provided by the attacker-controlled C&C server; retrieve personal information like contacts and account details; initiate a voice recording of the phone’s surroundings; perform Google account phishing; and retrieve device information such as installed applications and running processes.
Lotem Finkelsteen, Manager of Threat Intelligence at Check Point, commented, “After conducting our research, several things stood out. First, there is a striking focus on instant messaging surveillance. Although Telegram is un-decryptable, it is clearly hijackable. Instant messaging surveillance, especially on Telegram, is something everyone should be cautious and aware of. Second, the mobile, PC and web phishing attacks were all connected to the same operation. These operations are managed according to intelligence and national interests, as opposed to technological disputes.”
Rampant Kitten appears to have been running this campaign largely undetected for at least six years. The targets seem to be dissidents associated with a number of anti-regime Iranian groups. It seems almost certain that this is another example of Iranian threat actors — quite possibly with some affiliation to the Iranian regime — collecting intelligence on potential opponents to the regime.
Related: U.S. Charges Three Iranian Hackers for Attacks on Satellite Companies
Related: Iran-Linked Hackers Accidentally Exposed 40 GB of Their Files
Related: Iran Says US Vote Hack Allegation ‘Absurd’
Related: Google Says Iran-Linked Hackers Targeted WHO