Capping off a busy week of charges and sanctions against Iranian hackers, a new research offers insight into what's a six-year-long ongoing surveillance campaign targeting Iranian expats and dissidents with an intention to pilfer sensitive information.
The threat actor, suspected to be of Iranian origin, is said to have orchestrated the campaign with at least two different moving parts — one for Windows and the other for Android — using a wide arsenal of intrusion tools in the form of info stealers and backdoors designed to steal personal documents, passwords, Telegram messages, and two-factor authentication codes from SMS messages.
Calling the operation "Rampant Kitten," cybersecurity firm Check Point Research said the suite of malware tools had been mainly used against Iranian minorities, anti-regime organizations, and resistance movements such as the Association of Families of Camp Ashraf and Liberty Residents (AFALR), Azerbaijan National Resistance Organization, and citizens of Balochistan.
Windows Info-Stealer Targets KeePass and Telegram
Per Check Point, the infection chain was first traced to a malware-laced Microsoft Word document ("The Regime Fears the Spread of the Revolutionary Cannons.docx"), which, when opened, executes a next-stage payload that checks for the presence of the Telegram app on the Windows system, and if so, drop three additional malicious executables to download auxiliary modules and exfiltrate relevant Telegram Desktop and KeePass files from the victim's computer.
In doing so, the exfiltration allows the attacker to hijack the individual's Telegram account and steal the messages, as well as amass all files with specific extensions to a server under their control.
The research also confirms an advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) earlier this week, which detailed the use of PowerShell scripts by an Iranian cyber actor to access encrypted password credentials stored by the KeePass password management software.
What's more, information from Telegram accounts was stolen using a separate tactic that involved hosted phishing pages impersonating Telegram, including using fake feature update messages to gain unauthorized access to accounts.
Capture Google SMS 2FA Codes
On the other hand, the Android backdoor, which comes equipped with capabilities to record the infected phone's surroundings and retrieve contact details, is installed through an app that masquerades as a service to help Persian-language speakers in Sweden get their driver's license.
Especially, the rogue app is engineered to intercept and transmit all SMS messages that begin with the prefix 'G-' — typically used for Google's SMS-based two-factor authentication (2FA) — to a phone number that it receives from a command-and-control (C2) server, thus allowing the bad actor to capture the victim's Google account credentials using a legitimate Google account login screen and bypass 2FA.
Check Point said it uncovered multiple malware variants dating back to 2014, with some of the versions used simultaneously and featuring significant differences between them.
"We noticed that while some of the variants were used simultaneously, they were written in different programming languages, utilized multiple communication protocols and were not always stealing the same kind of information," the cybersecurity firm noted.
A Surveillance Campaign Targeting Dissidents
Given the nature of targets handpicked for Rampant Kitten, like the Mujahedin-e Khalq (MEK) and the Azerbaijan National Resistance Organization (ANRO), the hackers are likely to be working at the behest of the Iranian government, as has been found in the recent series of indictments unsealed by the US Department of Justice.
"The conflict of ideologies between those movements and the Iranian authorities makes them a natural target for such an attack, as they align with the political targeting of the regime," Check Point said.
"In addition, the backdoor's functionality and the emphasis on stealing sensitive documents and accessing KeePass and Telegram accounts shows that the attackers were interested in collecting intelligence about those victims, and learning more about their activities."