Iranian Government Hackers Spy On Dissidents

Many countries spy on their populations via mobile apps, and now Check Point Research has uncovered Rampant Kitten, an Iranian hacker group that has monitored and spied on political opponents of Iran's government for years. Rampant Kitten has developed special Android malware capable of intercepting and stealing two-factor authentication (2FA) codes sent via SMS.

The hackers deliver the malware disguised as legitimate Android applications onto the target's mobile phone or computer. The malware can be pointed at any service, and it has been seen targeting Google, Telegram and other major Internet and social services.

The thinking is that Rampant Kitten operators would use the Android Trojan to show a Google phishing page, capture the user's account credentials, and then access the victim's account. Check Point says the group has been active for at least six years and has been engaged in an ongoing surveillance operation against Iranian minorities, anti-regime organisations, and resistance movements.

The primary targets include supporters of Mujahedin-e Khalq (MEK) and the Azerbaijan National Resistance Organisation, two prominent resistance movements that advocate the liberation of Iranian people and minorities within Iran.

The attackers first use a phishing Trojan to collect login details, and then try those with the real site. If the victim has two-factor authentication turned on, the newly reported malware intercepts the incoming SMS messages and quietly sends copies to the intruders.

The code also has tools to grab contacts, text message logs and even microphone audio, but it’s unusually centered around two-factor data. It has so far been found in an app pretending to help Persian speakers in Sweden get driver’s licenses, but it might be available in other apps.
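The capability set described above (intercepting incoming SMS, reading contacts and message logs, recording microphone audio, and sending it all out over the network) is visible in an app's manifest before it ever runs, and a driving-licence study app has no business asking for it. The following is an added example of defender-side manifest triage, not Check Point's tooling or any code from the campaign: it parses an AndroidManifest.xml, scores the declared permissions against an assumed weight table, and flags combinations that match the spyware pattern. The permission and broadcast-action names are real Android SDK identifiers; the weights, the review threshold and the two sample manifests are constructed for this example.

```python
"""Heuristic triage of an Android manifest for the capability pattern described in the
article: SMS interception plus contacts, message logs, microphone and network access.
Added example; the weights, threshold and sample manifests are assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # the namespaced android:name attribute

# Assumed weights: how much each permission contributes to a spyware-likeness score.
RISK_WEIGHTS = {
    "android.permission.RECEIVE_SMS": 4,
    "android.permission.READ_SMS": 4,
    "android.permission.READ_CALL_LOG": 2,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.RECORD_AUDIO": 3,
    "android.permission.INTERNET": 1,
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
REVIEW_THRESHOLD = 6  # assumed: scores at or above this go to manual review


def parse_manifest(xml_text):
    """Return (requested permissions, broadcast actions any receiver listens for)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    actions = {a.get(NAME) for r in root.iter("receiver") for a in r.iter("action")}
    return perms, actions


def assess(xml_text):
    """Score the manifest and list the capability combinations worth a reviewer's eye."""
    perms, receiver_actions = parse_manifest(xml_text)
    score = sum(RISK_WEIGHTS.get(p, 0) for p in perms)
    online = "android.permission.INTERNET" in perms
    findings = []
    # Reading incoming SMS is only a 2FA-theft risk if the app can also send data out.
    if "android.permission.RECEIVE_SMS" in perms and SMS_RECEIVED_ACTION in receiver_actions:
        findings.append("listens for incoming SMS"
                        + (" and has network access (2FA-code forwarding pattern)" if online else ""))
    if "android.permission.RECORD_AUDIO" in perms and online:
        findings.append("can record microphone audio and send it out")
    if "android.permission.READ_CONTACTS" in perms and online:
        findings.append("can read contacts and send them out")
    return {"score": score, "review": score >= REVIEW_THRESHOLD, "findings": findings}


# Constructed sample: what a driving-theory study app plausibly needs.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.drivingtheory">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed sample: the same app identity asking for the capabilities the article lists.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.drivingtheory">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsListener">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("suspect", SUSPECT_MANIFEST)):
        result = assess(manifest)
        print(label, result["score"], "review" if result["review"] else "ok", result["findings"])
```

The point of the score is not the number but the mismatch: an app whose stated purpose needs only network access, yet which registers an SMS receiver and asks for microphone and contacts, is the shape of the sample described in the article and deserves a look regardless of where it was downloaded from. A real pipeline would extract the manifest from the APK with a tool such as apktool or aapt before feeding it in; this example works on the decoded XML directly.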

The campaign was initially uncovered by the discovery of a document targeting the MEK in Albania. The MEK had originally been headquartered in Iraq, but following mounting political tensions had moved to Albania. The malicious document uses an external template downloaded from a remote server.

Analysis of this payload led to the discovery of multiple variants dating back to 2014. This uncovered further websites, operated by the same group. Some of these websites hosted phishing pages impersonating Telegram.

Surprisingly, this phishing attack seems to have been known to Iranian Telegram users, as several Iranian Telegram channels sent out warnings against the phishing sites, claiming that the Iranian regime is behind them. Rampant Kitten nevertheless appears to have been running this campaign largely undetected for at least six years. The targets seem to be dissidents associated with a number of anti-regime Iranian groups.

It seems almost certain that this is another example of Iranian threat actors, quite possibly with some affiliation to the Iranian regime, collecting intelligence on potential opponents to the regime.

While it is widely accepted that state-sponsored hacking groups are usually capable of bypassing 2FA, it is very rare that we get an insight into their tools and how they do it.

Sources: Check Point Research, Arab News, Security Week, ZDNet, Engadget
