Security researchers from Check Point found ongoing malware campaigns targeting Iran citizens. The campaign reportedly uses socially engineered SMS messages to infect tens of thousands of victims’ devices.
The researchers stated that attackers leveraged specially crafted messages to impersonate officials from the Iranian government to trick victims into downloading malicious Android applications that steal credit card data, personal messages, and two-factor authentication codes. Once attackers get hold of the data, they make unauthorized money withdrawals and turn each infected device into a bot to spread the malware to other devices.
Attackers Used Smishing
The threat actors used the Smishing technique to distribute the malware. In Smishing attacks, fraudsters send a specially crafted message (SMS), provoking the user to click on a malicious URL hidden in the text. Besides, the attackers used multiple Telegram channels to promote and sell their malicious tools.
“For $50-$150, the threat actors provide a full ‘Android Campaign Kit’ including the malicious application and underlying infrastructure, with a control panel that can be easily managed by any unskilled attacker via a simple Telegram bot interface,” the researchers said.
The Android backdoor used in this campaign is capable of:
- SMS stealing
- Hiding to maintain persistence
- Bypass 2FA:
- Botnet Capabilities
- Wormability
Also Read: How to Find a Phishing Email
How the Campaign Works
- The malware distribution begins with a phishing SMS. In many cases, it’s a message from an electronic judicial notification system that notifies the victim that a new complaint has been opened against them. The SMS message contains the link to a web page to follow up on the complaint.
- The webpage lures the user to download a malicious Android application and enter credit card data under the pretense of a small service fee.
- Once installed, the malicious Android application steals all the SMS messages from the infected device, allowing the attackers to use the credit card with access to 2FA SMS sent by credit card companies.
- The malicious application checks the attacker-controlled C&C server for new commands to execute periodically. Most notable is the command to spread additional phishing SMS messages to a list of new phone numbers.
Thefts of Iranian Rials in Billions
Check Point suspects that the campaign has compromised and installed malware on tens of thousands of Android devices, resulting in the theft of billions of Iranian Rials from victims, with estimates of $1,000 to $2,000 per victim.
Alexandra Gofman, Threat Intelligence Team Leader at Check Point Software, said, “The general population of Iran is in a growing situation where cyberattacks significantly impact day-to-day lives. These attacks began with the railways, which we traced to a group called Indra. The attacks continued with gas stations and then the national aviation company. Now, we’re seeing yet another cyberattack that shows how even pure cybercrime can make headlines and chaos, hurting many in Iran. Although we do not see a direct connection between these latest cyberattacks and the aforementioned major attacks, our latest insights show how even unsophisticated cyberattacks significantly damage Iran’s general population. We believe these recent cyberattacks to be financially motivated and a form of pure cybercrime. We suspect the threat actors involved are likely from Iran itself.”
