Iranian Government Hackers Spy On Dissidents

Many governments spy on their own populations through mobile apps, and now Check Point Research has uncovered Rampant Kitten, an Iranian hacking group that has monitored political opponents of Iran's government for years. Rampant Kitten has developed Android malware capable of intercepting and stealing two-factor authentication (2FA) codes delivered by SMS.

The malware is delivered disguised as legitimate Android applications, alongside malicious documents and phishing pages aimed at the target's computer. It is not tied to a single service: the campaign targets Google, Telegram and other major Internet and social-media accounts.

Check Point's assessment is that Rampant Kitten operators would use the Android Trojan to display a Google phishing page, capture the victim's account credentials, and then log in to the victim's account. Check Point says the group has been active for at least six years and has run an ongoing surveillance operation against Iranian minorities, anti-regime organisations and resistance movements.

The primary targets include supporters of Mujahedin-e Khalq (MEK) and the Azerbaijan National Resistance Organisation, two prominent resistance movements that advocate the liberation of Iranian people and minorities within Iran.

The attackers first use a phishing page or Trojan to collect login details, then try those credentials against the real site. If the victim has two-factor authentication turned on, the newly reported malware intercepts the incoming SMS messages and quietly forwards copies to the intruders, giving them the one-time code they need to complete the login.

The code also contains tools to collect contacts, text-message logs and even microphone audio, but it is unusually focused on two-factor data. So far it has been found in an app posing as a helper for Persian speakers in Sweden applying for driver's licences, but it may be present in other apps as well.
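The capability described in the two paragraphs above (read incoming SMS, send the contents off-device, plus contact and microphone collection) shows up in an Android app's manifest as a combination of permissions and broadcast receivers. The script below is an added triage example, not Check Point's tooling and not derived from the Rampant Kitten samples: it parses an AndroidManifest.xml and flags apps that request SMS access together with network access, and that register a receiver for the SMS_RECEIVED broadcast. The two manifests, the package names and the priority threshold are constructed for illustration.

```python
"""Heuristic triage of an Android manifest for SMS-interception capability.

Added example. Flags the permission/receiver combination that lets an app
read incoming SMS (including 2FA codes) and send them off the device. This
is a capability heuristic, not a malware signature, and it reflects no
analysis of Rampant Kitten's actual code.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PRIORITY_ATTR = f"{{{ANDROID_NS}}}priority"

# Either permission lets an app see SMS content (RECEIVE_SMS via broadcast,
# READ_SMS via the SMS content provider).
SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
EXFIL = {"android.permission.INTERNET"}
# Further collection capabilities the article attributes to the malware.
COLLECTION = {"android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO"}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Assumed threshold: a high android:priority on the SMS_RECEIVED filter is
# how an app tries to see a message before the default messaging app does.
HIGH_PRIORITY = 100


def permissions(root):
    """All android:name values declared in <uses-permission> elements."""
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def sms_receivers(root):
    """(receiver name, filter priority) for every receiver listening for SMS_RECEIVED."""
    found = []
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.iter("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in intent_filter.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                priority = int(intent_filter.get(PRIORITY_ATTR, "0"))
                found.append((receiver.get(NAME_ATTR), priority))
    return found


def assess_manifest(xml_text):
    """Return a dict with the package name, its permissions, findings and a verdict."""
    root = ET.fromstring(xml_text)
    perms = permissions(root)
    receivers = sms_receivers(root)
    can_read_sms = bool(perms & SMS_READ) or bool(receivers)
    can_exfil = bool(perms & EXFIL)
    findings = []
    if can_read_sms and can_exfil:
        findings.append("sms-interception-and-exfiltration")
    for name, priority in receivers:
        if priority >= HIGH_PRIORITY:
            findings.append(f"high-priority-sms-receiver:{name}")
    extra = perms & COLLECTION
    if extra:
        findings.append("additional-collection:" + ",".join(sorted(extra)))
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "findings": findings,
        "suspicious": can_read_sms and can_exfil,
    }


# Constructed manifest modelled on the capabilities described in the article
# (hypothetical package name; not the real app's manifest).
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.licence.helper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for contrast: network access but no SMS capability.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        result = assess_manifest(manifest)
        print(result["package"], "suspicious" if result["suspicious"] else "clean", result["findings"])
```

The heuristic deliberately treats a registered SMS_RECEIVED receiver as evidence of SMS access even if the permission list were stripped, because the receiver is what actually delivers the message body to the app. Legitimate apps (banking apps that auto-fill their own codes, messaging apps) will also trip it, so the output is a triage queue for an analyst, not a block decision.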

The campaign was initially uncovered through a malicious document targeting the MEK in Albania. The MEK had originally been headquartered in Iraq but, following mounting political tensions, had relocated to Albania. The document loads an external template from a remote server when opened, so the file itself looks harmless while the payload is fetched at run time.

Analysis of this payload led to multiple variants dating back to 2014, and from those to further websites operated by the same group. Some of these websites hosted phishing pages impersonating Telegram.

Surprisingly, the phishing pages seem to have been known to Iranian Telegram users: several Iranian Telegram channels had sent out warnings against the sites, claiming that the Iranian regime was behind them. Even so, Rampant Kitten appears to have run this campaign largely undetected by the security industry for at least six years. The targets seem to be dissidents associated with a number of anti-regime Iranian groups.

It seems almost certain that this is another example of Iranian threat actors, quite possibly affiliated with the Iranian regime, collecting intelligence on potential opponents of the regime.

While it is widely accepted that state-sponsored hacking groups are usually capable of defeating SMS-based 2FA, it is rare to get this kind of insight into their tools and how they do it. The lesson for defenders is that a code delivered by SMS can be read by malware on the phone that receives it, whereas codes from an authenticator app or a hardware security key are not exposed to an SMS-intercepting Trojan in the same way.

Sources: Check Point Research, Arab News, Security Week, ZDNet, Engadget
