
Cyberwarfare

Iran-Linked Hackers Expand Arsenal With New Android Backdoor

The Iran-linked hacking group named Charming Kitten has added a new Android backdoor to its arsenal and successfully compromised individuals associated with the Iranian reformist movement, according to security researchers with IBM’s X-Force threat intelligence team.

Also tracked as Phosphorus, TA435, and ITG18, Charming Kitten has been active since at least 2011, targeting government organizations, journalists, activists, and various other entities, including the World Health Organization (WHO), and presidential campaigns.

Last year, the group accidentally exposed approximately 40 GB of videos and other content associated with its operations, including training videos on how to exfiltrate data from online accounts, and clips detailing the successful compromise of certain targets.

Between August 2020 and May 2021, it conducted successful attacks against targets aligned with the Iranian reformist movement, but also continued to make various operational security errors, IBM reveals.

Dubbed LittleLooter, the recently discovered Android backdoor appears to be used exclusively by Charming Kitten and gives the threat actor extensive information-stealing capabilities: video and live screen recording, placing calls, file upload and download, voice call recording, GPS data collection, device information harvesting, browser history harvesting, connectivity manipulation, contact theft, taking pictures, and retrieving SMS and call log details.
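A capability list like the one above translates into a recognisable set of Android permissions, which is one of the cheapest triage signals a defender has when reviewing an unknown APK. The script below is an added illustration, not code from the article or from IBM X-Force; it parses a constructed AndroidManifest.xml, maps the reported LittleLooter capabilities to the permissions that grant them (that mapping is my own assumption, not something the report states), and flags a sample whose permission set covers most of them.

```python
"""Permission-based triage of an Android manifest against the capability
profile reported for LittleLooter. Added example; the manifests below are
constructed and the capability-to-permission mapping is an assumption."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # the android:name attribute, namespaced

# Reported capability -> permissions an app would need to implement it.
# This mapping is our assumption for illustration, not from the report.
CAPABILITY_PERMISSIONS = {
    "voice call recording": {"android.permission.RECORD_AUDIO",
                             "android.permission.READ_PHONE_STATE"},
    "video / screen recording": {"android.permission.CAMERA",
                                 "android.permission.RECORD_AUDIO"},
    "placing calls": {"android.permission.CALL_PHONE"},
    "GPS data gathering": {"android.permission.ACCESS_FINE_LOCATION"},
    "contact theft": {"android.permission.READ_CONTACTS"},
    "SMS and call log retrieval": {"android.permission.READ_SMS",
                                   "android.permission.READ_CALL_LOG"},
    "connectivity manipulation": {"android.permission.CHANGE_NETWORK_STATE",
                                  "android.permission.CHANGE_WIFI_STATE"},
    "file upload/download": {"android.permission.INTERNET",
                             "android.permission.READ_EXTERNAL_STORAGE"},
}

# Number of matched capabilities at which we call the sample suspicious.
SUSPICIOUS_THRESHOLD = 4


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR, "") for el in root.iter("uses-permission")}


def triage(manifest_xml: str) -> dict:
    """Score a manifest by how many reported capabilities its permissions cover."""
    perms = declared_permissions(manifest_xml)
    matched = {
        cap: sorted(needed)
        for cap, needed in CAPABILITY_PERMISSIONS.items()
        if needed <= perms  # every permission the capability needs is declared
    }
    return {
        "permissions": sorted(perms),
        "capabilities": matched,
        "score": len(matched),
        "suspicious": len(matched) >= SUSPICIOUS_THRESHOLD,
    }


def _manifest(permissions) -> str:
    """Build a minimal constructed manifest declaring the given permissions."""
    body = "".join(
        f'  <uses-permission android:name="{p}"/>\n' for p in permissions)
    return (f'<manifest xmlns:android="{ANDROID_NS}" '
            f'package="com.example.constructed">\n{body}</manifest>')


# Constructed sample resembling the reported capability profile.
SPYWARE_MANIFEST = _manifest([
    "android.permission.INTERNET", "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.RECORD_AUDIO", "android.permission.READ_PHONE_STATE",
    "android.permission.CAMERA", "android.permission.CALL_PHONE",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
])

# Constructed sample of an ordinary networked app.
BENIGN_MANIFEST = _manifest(["android.permission.INTERNET"])

if __name__ == "__main__":
    for label, m in (("spyware-like", SPYWARE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(m)
        print(f"{label}: score={result['score']} suspicious={result['suspicious']}")
        for cap in result["capabilities"]:
            print(f"  covers: {cap}")
```

The score is deliberately coarse: legitimate dialers and messaging apps also hold several of these permissions, so a hit is a reason to look at the APK's code and network behaviour, not a verdict on its own.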

The observed activity, IBM says, aligns with the group’s “long-standing operations against Iranian citizens of interest.” As part of the activity, the hackers “exfiltrated roughly 120 gigabytes of information from approximately 20 individuals aligned with the Reformist movement in Iran,” using legitimate utilities associated with the hacked accounts.

IBM says it did not observe how the group compromised the targeted accounts, but believes that LittleLooter or phishing/social engineering might have been employed to harvest account credentials from their targets. The stolen information includes photos, contact lists, conversations, and group memberships.

“The information X-Force has gleaned on ITG18’s activity, in conjunction with the training videos X-Force found in the summer of 2020, continues to paint a picture of a threat actor that likely leverages a considerable number of personnel. This is underpinned by how manual and labor-intensive ITG18 operations appear to be, from gaining initial access to individual victim accounts to carefully reviewing exfiltrated data,” IBM notes.

The security researchers point out that the group often goes beyond just sending phishing messages to its victims, attempting to chat, call, and even video conference with the victims, which suggests hands-on work from numerous operators.

This year, IBM discovered more than 60 servers employed by the group to host over 100 phishing domains, suggesting a large number of victims. What the researchers couldn’t estimate, however, is how many operators the group has.

“X-Force alone has observed almost 2 terabytes of compressed exfiltrated data on publicly accessible ITG18 servers since 2018. This likely represents only a small portion of the data actually stolen by this adversary,” IBM notes.

Related: Iranian Hackers Impersonate British Scholars in Recent Campaign

Related: Iranian Hackers Target Medical Personnel in US, Israel

Written by Ionut Arghire, an international correspondent for SecurityWeek.
