Iranian Government Hackers Spy On Dissidents

Uploaded on 2020-10-09 in INTELLIGENCE-Hot Spots-Iran, GOVERNMENT-National, FREE TO VIEW, TECHNOLOGY--Hackers

Many countries spy on their populations via mobilr apps and now Check Point Research has uncovered Rampant Kitten, an Iranian hacker group that has monitored and spied on Iran’s government political opponents for years. Rampant Kitten has developed special Android malware capable of intercepting and stealing two-factor authentication (2FA) codes sent via SMS.

The hackers use malware disguised as Android applications via the target’s mobile phone or computer. This malware can focus on any service and it targets Google, Telegram and other major Internet or social services.

The thinking is that Rampant Kitten operators would use the Android Trojan to show a Google phishing page, capture the user's account credentials, and then access the victim's account. Check Point says the group has been active for at least six years and has been engaged in an ongoing surveillance operation against Iranian minorities, anti-regime organisations, and resistance movements. 

The primary targets include supporters of Mujahedin-e Khalq (MEK) and the Azerbaijan National Resistance Organisation, two prominent resistance movements that advocate the liberation of Iranian people and minorities within Iran.

The attackers first use a phishing Trojan to collect login details, and then try those with the real site. If the victim has two-factor authentication turned on, the newly-reported malware intercepts the incoming SMS messages and quietly sends copies to the intruders.

The code also has tools to grab contacts, text message logs and even microphone audio, but it’s unusually centered around two-factor data. It has so far been found in an app pretending to help Persian speakers in Sweden get driver’s licenses, but it might be available in other apps.

The campaign was initially uncovered by the discovery of a document targeting the MEK in Albania. The MEK had originally been headquartered in Iraq, but following mounting political tensions had moved to Albania. The malicious document uses an external template downloaded from a remote server.

Analysis of this payload led to the discovery of multiple variants dating back to 2014. This uncovered further websites, operated by the same group. Some of these websites hosted phishing pages impersonating Telegram.

Surprisingly, this phishing attack seems to have been known to Iranian Telegram users as several Iranian Telegram channels sent out warnings against the phishing sites, claiming that the Iranian regime is behind them. Rampant Kitten appears to have been running this campaign largely undetected for at least six years. The targets seem to be dissidents associated with a number of anti-regime Iranian groups.

It seems almost certain that this is another example of Iranian threat actors, quite possibly with some affiliation to the Iranian regime, collecting intelligence on potential opponents to the regime. 

While it is widely accepted that state-sponsored hacking groups are usually capable of bypassing 2FA, it is very rare that we get an insight into their tools and how they do it.

Check Point Research:      Arab News:     Security Week:      ZDNet:        Engadget

You Might Also Read:

New Iranian Ransomware Groups Detected:

 

 

« Facebook Too Slow At Removing Fake News
Australia Wants Google & Facebook To Pay For News »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

StratoKey

StratoKey

StratoKey is an intelligent Cloud Access Security Broker (CASB) that secures your cloud and SaaS applications against data breaches, so you can do secure and compliant business in the cloud.

Insta Group

Insta Group

Insta are a trusted cyber security partner for security-critical companies and organizations.

Israel Aerospace Industries (IAI)

Israel Aerospace Industries (IAI)

IAI offers a holistic approach that provides defense forces, governments, critical infrastructures and large enterprises with end-to-end cyber security & monitoring tools.

RedShield Security

RedShield Security

RedShield is the world's first web application shielding-with-a-service company.

Telelogos

Telelogos

Telelogos is a European provider of Enterprise Mobility Management software, Digital Signage software and Data Transfer and Synchronization software.

Healthcare Fraud Shield (HCFS)

Healthcare Fraud Shield (HCFS)

The focus of Healthcare Fraud Shield is solely on healthcare fraud prevention and payment integrity with a successful approach based on many unique advantages we deliver to our clients.

Zero Networks

Zero Networks

With Zero Network, you can achieve affordable, airtight network access security at scale.

Qmulos

Qmulos

Qmulos’ real-time continuous monitoring risk management suite, Q-Compliance, provides a massively flexible and scalable solution to optimizing operational security.

Kasada

Kasada

Kasada has developed a radical approach to defeating automated cyberthreats based on its unmatched understanding of the human minds behind them.

Defscope

Defscope

Defscope is an Azerbaijani company entirely focused on cybersecurity offering training, security consulting, and other professional services.

Ankura Consulting Group

Ankura Consulting Group

Ankura is a global expert services and advisory firm that delivers services and end-to-end solutions in a wide range of areas including cybersecurity and digital transformation.

Softwerx

Softwerx

Softwerx is the UK’s leading Microsoft cloud security practice. We’ve been helping forward-thinking companies better secure their businesses for nearly twenty years.

Avocado Consulting

Avocado Consulting

Avocado helps clients deliver with certainty on their complex IT change, with technology services that automate, monitor and optimise.

BitLyft

BitLyft

BitLyft is a managed detection and response provider that is dedicated to delivering unparalleled protection from cyber attacks for organizations of all sizes.

Threat Con

Threat Con

Threat Con is a one of its kind event in Nepal, a series of annual international security conventions similar to the famous Black Hat and DEF CON conferences.

Novem CS

Novem CS

Novem CS are bespoke cyber security specialists providing a highly effective and specialised approach to solving your cyber security challenges.