Iranian Group Found Spying on Dissidents
An Iran-linked group, named Rampant Kitten by researchers at Check Point, has been discovered targeting anti-regime organizations in a campaign that has likely been running since 2014.
The primary targets include supporters of Mujahedin-e Khalq (MEK) and the Azerbaijan National Resistance Organization, two prominent resistance movements that advocate the liberation of Iranian people and minorities within Iran. These targets, together with WHOIS records suggesting that associated malicious websites had been registered by Iranian individuals, and the discovery of one registrant’s email address on Iranian hacking forums, are enough for the Check Point researchers to conclude that Rampant Kitten is an Iranian group, and the choice of targets in turn points to a link with the Iranian government. Its purpose is to gather intelligence on members of the dissident groups and their activities.
The tooling used in the campaign, which has largely stayed under the radar for six years, includes four variants of a Windows infostealer (stealing documents along with Telegram Desktop and KeePass account information); an Android backdoor that steals 2FA codes from SMS messages and records audio; and Telegram phishing pages pushed out from fake Telegram service accounts.
The campaign was initially uncovered through the discovery of a document targeting the MEK in Albania. The MEK had originally been headquartered in Iraq but, following mounting political tensions, had moved to Albania. The malicious document uses an external template downloaded from a remote server. The template contains a macro that runs a batch script, which in turn attempts to download the next-stage payload. The payload checks whether Telegram is installed and, if so, extracts three additional executables from its resources: the Loader, which injects the main payload into explorer.exe; an infostealer payload; and updater.exe, a modified Telegram updater.
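Because the template is fetched at open time, the lure document itself carries no macro, which is why scanning the attachment alone for VBA can come up empty; the tell is the relationship that points at the remote template. The following Python script is an added example, not Check Point's code or a sample from the campaign: it builds a minimal, constructed .docx in memory and scans every `.rels` part for Relationship entries that are marked `External` and point off the host, flagging an `attachedTemplate` relationship of that kind as a remote template. The template URL, the hostnames and the file names used below are placeholders, not indicators from the report.

```python
"""Static check for Word lures that load a remote (external) template.

Added example, not Check Point's code. It constructs a minimal .docx in memory
and scans every .rels part for Relationship entries that are marked External
and point off the host; an attachedTemplate relationship of that kind in
word/_rels/settings.xml.rels is the remote-template trick described above.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = OFFICE_REL + "/attachedTemplate"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Targets that leave the machine: web URLs, FTP, file:// URLs, UNC shares.
REMOTE_TARGET = re.compile(r"^(https?://|ftp://|file://|\\\\)", re.IGNORECASE)


def find_remote_relationships(docx_bytes):
    """Return (rels_part, relationship_type, target) for each external, off-host link."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                    hits.append((name, rel.get("Type", ""), target))
    return hits


def has_remote_template(docx_bytes):
    """True when the document's attached template lives on a remote host."""
    return any(
        part == "word/_rels/settings.xml.rels" and rtype == ATTACHED_TEMPLATE
        for part, rtype, _ in find_remote_relationships(docx_bytes)
    )


def build_docx(template_target=None):
    """Constructed sample: a bare .docx, optionally with an attached template."""
    rels = ['<Relationships xmlns="%s">' % REL_NS]
    settings = ['<w:settings xmlns:w="%s" xmlns:r="%s">' % (W_NS, OFFICE_REL)]
    if template_target is not None:
        # Word resolves the template through settings.xml -> settings.xml.rels.
        rels.append('<Relationship Id="rId1" Type="%s" Target=%s TargetMode="External"/>'
                    % (ATTACHED_TEMPLATE, quoteattr(template_target)))
        settings.append('<w:attachedTemplate r:id="rId1"/>')
    rels.append("</Relationships>")
    settings.append("</w:settings>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels",
                    '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s/officeDocument" '
                    'Target="word/document.xml"/></Relationships>' % (REL_NS, OFFICE_REL))
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="%s"><w:body/></w:document>' % W_NS)
        zf.writestr("word/settings.xml", "".join(settings))
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical template locations; the real lure's URL is not given on this page.
    samples = [
        ("remote template", build_docx("http://203.0.113.10/template.dotm")),
        ("local template", build_docx(r"C:\Users\u\Templates\Normal.dotm")),
        ("no template", build_docx()),
    ]
    for label, doc in samples:
        print(label, "->", has_remote_template(doc), find_remote_relationships(doc))
```

A local absolute path is the normal, benign value of `attachedTemplate` (it is also marked `External`), so the check keys on the target scheme rather than on the presence of the relationship; run `find_remote_relationships` on its own to also catch other parts that reach out, such as remote OLE or hyperlink targets.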
The last of these provides an unusual persistence mechanism built on Telegram’s own update procedure. Periodically, the malware copies the Telegram main executable into ‘Telegram Desktop\tupdates’. This triggers an update procedure for the Telegram application once it starts. However, the default updater file (Telegram Desktop\Updater.exe) has already been replaced with a modified version, most notably one that runs the payload again.
Analysis of this payload led to the discovery of multiple variants dating back to 2014, which in turn uncovered further websites operated by the same group. Some of these websites hosted phishing pages impersonating Telegram. Surprisingly, this phishing attack seems to have been known to Iranian Telegram users: several Iranian Telegram channels sent out warnings against the phishing sites, claiming that the Iranian regime was behind them. The channels suggested that the phishing messages were sent by a Telegram bot. The messages warned recipients that they were making improper use of Telegram’s services and that their account would be blocked if they did not follow the phishing link.
The researchers also discovered a malicious Android app tied to the same attack group. The app masquerades as a service to help Persian speakers in Sweden obtain their driver’s license. Two versions have been found: one apparently compiled as a test build, and the other the release version to be deployed on the target device.
The Android backdoor can steal existing SMS messages; forward 2FA SMS messages to a phone number supplied by the attacker-controlled C&C server; retrieve personal information such as contacts and account details; record audio from the phone’s surroundings; perform Google account phishing; and retrieve device information such as installed applications and running processes.
Lotem Finkelsteen, Manager of Threat Intelligence at Check Point, commented, “After conducting our research, several things stood out. First, there is a striking focus on instant messaging surveillance. Although Telegram is un-decryptable, it is clearly hijackable. Instant messaging surveillance, especially on Telegram, is something everyone should be cautious and aware of. Second, the mobile, PC and web phishing attacks were all connected to the same operation. These operations are managed according to intelligence and national interests, as opposed to technological challenges.”
Rampant Kitten appears to have been running this campaign largely undetected for at least six years. The targets seem to be dissidents associated with a number of anti-regime Iranian groups. It seems almost certain that this is another example of Iranian threat actors — quite possibly with some affiliation to the Iranian regime — collecting intelligence on potential opponents to the regime.