Check Point Research uncovered a cyber espionage campaign, linked to an Iranian hacker group, that has targeted expats and dissidents in Iran for almost six years. The surveillance campaign, dubbed “Rampant Kitten”, targeted government dissidents including the resistance group Mujahedin-e Khalq, the Azerbaijan National Resistance Organization, Iranian minorities, and other anti-regime organizations, exfiltrating sensitive information from their Windows systems, Telegram apps, and SMS messages.
“The conflict of ideologies between those movements and the Iranian authorities makes them a natural target for such an attack, as they align with the political targeting of the regime,” Check Point said.
Attack Vectors
- Check Point researchers found four variants of Windows info-stealers intended to steal the victim’s personal documents, as well as the victim’s Telegram Desktop and KeePass account information.
- An Android backdoor that extracts two-factor authentication codes from SMS messages and records the phone’s audio surroundings.
- Telegram phishing pages, distributed using fake Telegram service accounts.
Malware Analysis
Hackers used multiple malware payloads to obtain data from the targeted devices including:
Information Stealer: Once deployed on the victim’s device, this malware gives the attackers full use of the victim’s Telegram account. It steals information from the KeePass application and uploads any file it finds whose name ends with one of a set of pre-defined extensions. It also logs clipboard data and takes desktop screenshots.
Module Downloader: This malware downloads and installs several additional modules.
Unique Persistence: This malware implements a persistence mechanism based on Telegram’s internal update procedure.
“The backdoor’s functionality and the emphasis on stealing sensitive documents and accessing KeePass and Telegram accounts shows that the attackers were interested in collecting intelligence about those victims, and learning more about their activities,” Check Point added.
Attacks via Dharma Ransomware
Recently, Group-IB researchers detected attacks on multiple companies across the globe carried out by inexperienced Iranian threat actors for financial gain. These attacks have been actively orchestrated since at least June 2020. The threat actors are using Dharma ransomware along with a set of other publicly available tools to target companies specifically in Russia, Japan, China, and India. Once a network is compromised, the gang typically demands a ransom of between 1 and 5 Bitcoins (BTC). The threat actors seem to be naïve, since they did not have a fixed plan for what to do with the compromised networks.