peterzayda - stock.adobe.com

Rampant Kitten spent six years hacking Iranian dissidents

Details emerge of an ongoing campaign by Tehran-backed threat actors targeting dissidents and activists

Check Point threat researchers have published new disclosures on the activities of Rampant Kitten, an Iranian state-backed advanced persistent threat (APT) group that has conducted a six-year hacking campaign in order to spy on its victims, including dissidents and members of the global Iranian diaspora.

Targeting two main applications – secure messaging app Telegram Desktop and password manager KeePass – Rampant Kitten predominantly uses malware-laced documents to lure its targets into infecting their devices so they can steal credentials and take over accounts, as well as logging clipboard data and taking desktop screenshots.

They use a persistence mechanism based on Telegram’s internal update procedure in order to maintain a foothold in their victims’ devices.

“After conducting our research, several things stood out,” said Check Point threat intelligence manager Lotem Finkelsteen. “First, there is a striking focus on instant messaging surveillance. Although Telegram is undecryptable, it is clearly hijackable. Instant messaging surveillance, especially on Telegram, is something everyone should be cautious and aware of.

“Second, the mobile, PC and web phishing attacks were all connected to the same operation. These operations are managed according to intelligence and national interests, as opposed to technological challenges. We will continue to monitor different geographies across the world to better inform the public around cyber security.”

Check Point said a number of the websites linked to Rampant Kitten’s activity hosted phishing pages impersonating Telegram – several genuine Iranian Telegram channels had actually issued warnings to their users about these phishing sites, claiming the regime was behind them.

Phishing messages sent from the fake Telegram site warned their recipients that they were making improper use of Telegram’s service, and that their account would be blocked if they did not click on the phishing link.

The investigation also uncovered evidence of a malicious Android application linked to Rampant Kitten, which masquerades as a service designed to help Persian-speakers living in Sweden obtain a driver’s licence.

In reality, the app acts as a backdoor, enabling the malicious actors to steal SMS messages, forward two-factor authentication SMS confirmation messages to a phone number controlled by them, exfiltrate contact and account details, as well as device information such as installed apps and running processes, initiate voice recordings of the compromised device’s immediate surroundings, and perform Google account phishing.

Read more about APT activity

Check Point’s latest disclosures come just days after the US Department of Justice charged two Iranian nationals, Hooman Heidarian and Mehdi Farhadi, in a 10-count indictment accusing them of conducted a coordinated hacking campaign against targets in the US, Europe and the Middle East that included dissidents, human rights activists and opposition leaders.

“These Iranian nationals allegedly conducted a wide-ranging campaign on computers here in New Jersey and around the world,” said US attorney Craig Carpenito for the District of New Jersey. “They brazenly infiltrated computer systems and targeted intellectual property and often sought to intimidate perceived enemies of Iran, including dissidents fighting for human rights in Iran and around the world.

“This conduct threatens our national security, and as a result, these defendants are wanted by the FBI and are considered fugitives from justice.”

Among their victims were universities, think-tanks, defence contractors, foreign policy organisations, NGOs, non-profits and other entities identified as “rivals or adversaries” of the Iranian regime.

Besides stealing confidential data, the attackers vandalised websites and posted messages that appeared to signal the demise of Iran’s enemies and its internal opposition.

They accessed their victims’ systems using various methods, including session hijacking and SQL injection. They then used keyloggers and remote-access trojans (Rats) to maintain access and monitor users. They are also accused of developing a botnet tool that facilitated the spread of malware and enabled them to conduct denial-of-service attacks.

Read more on Hackers and cybercrime prevention