Iranian Government Hackers Spy On Dissidents

Many countries spy on their populations via mobile apps, and now Check Point Research has uncovered Rampant Kitten, an Iranian hacker group that has monitored and spied on political opponents of Iran’s government for years. Rampant Kitten has developed special Android malware capable of intercepting and stealing two-factor authentication (2FA) codes sent via SMS.

The hackers deliver malware disguised as Android applications to the target’s mobile phone or computer. The malware can be aimed at any service, and it targets Google, Telegram and other major Internet or social services.

The thinking is that Rampant Kitten operators would use the Android Trojan to show a Google phishing page, capture the user's account credentials, and then access the victim's account. Check Point says the group has been active for at least six years and has been engaged in an ongoing surveillance operation against Iranian minorities, anti-regime organisations, and resistance movements.

The primary targets include supporters of Mujahedin-e Khalq (MEK) and the Azerbaijan National Resistance Organisation, two prominent resistance movements that advocate the liberation of Iranian people and minorities within Iran.

The attackers first use a phishing Trojan to collect login details, and then try those with the real site. If the victim has two-factor authentication turned on, the newly-reported malware intercepts the incoming SMS messages and quietly sends copies to the intruders.

The code also has tools to grab contacts, text message logs and even microphone audio, but it’s unusually centered around two-factor data. It has so far been found in an app pretending to help Persian speakers in Sweden get driver’s licenses, but it might be available in other apps.

The campaign was initially uncovered by the discovery of a document targeting the MEK in Albania. The MEK had originally been headquartered in Iraq, but following mounting political tensions had moved to Albania. The malicious document uses an external template downloaded from a remote server.

Analysis of this payload led to the discovery of multiple variants dating back to 2014. This uncovered further websites, operated by the same group. Some of these websites hosted phishing pages impersonating Telegram.

Surprisingly, this phishing attack seems to have been known to Iranian Telegram users as several Iranian Telegram channels sent out warnings against the phishing sites, claiming that the Iranian regime is behind them. Rampant Kitten appears to have been running this campaign largely undetected for at least six years. The targets seem to be dissidents associated with a number of anti-regime Iranian groups.

It seems almost certain that this is another example of Iranian threat actors, quite possibly with some affiliation to the Iranian regime, collecting intelligence on potential opponents of the regime.

While it is widely accepted that state-sponsored hacking groups are usually capable of bypassing 2FA, it is very rare that we get an insight into their tools and how they do it.

Sources: Check Point Research, Arab News, Security Week, ZDNet, Engadget
