Researchers said they have uncovered an ongoing surveillance campaign that for years has been stealing a wide range of data on Windows and Android devices used by Iranian expatriates and dissidents.
The campaign, which security firm Check Point has named Rampant Kitten, comprises two main components, one for Windows and the other for Android. Rampant Kitten’s objective is to steal Telegram messages, passwords, and two-factor authentication codes sent by SMS and then also take screenshots and record sounds within earshot of an infected phone, the researchers said in a post published on Friday.
The Windows infostealer is installed through a Microsoft Office document with a title that roughly translates to “The Regime Fears the Spread of the Revolutionary Cannons.docx.” Once opened, it urges readers to enable macros. If a user complies, a malicious macro downloads and installs the malware. The Android infostealer is installed through an app that masquerades as a service to help Persian-language speakers in Sweden get their driver’s license.
“According to the evidence we gathered, the threat actors, who appear to be operating from Iran, take advantage of multiple attack vectors to spy on their victims, attacking victims’ personal computers and mobile devices,” Check Point researchers wrote in a longer report also published on Friday. “Since most of the targets we identified are Iranians, it appears that similarly to other attacks attributed to the Islamic Republic, this might be yet another case in which Iranian threat actors are collecting intelligence on potential opponents to the regiment.”
The Windows infostealer takes a particular interest in Telegram. Fake Telegram service accounts push phishing pages that purport to be official Telegram login sites. The malware also seeks out messages stored in Telegram for Windows when it’s installed on infected computers. To survive reboots, Check Point said, the infostealer hijacks the Telegram for Windows update process by replacing the official Updater.exe file with a malicious one. (I attempted to ask Telegram officials if the service uses code signing to prevent such tampering but didn’t succeed in reaching anyone.)
Passwords, messages, and conversations are all ours
Check Point said other features of the Windows malware included:
- Uploads relevant Telegram files from victim’s computer. These files allow the attackers to make full usage of the victim’s Telegram account
- Steals information from KeePass password manager application
- Uploads any file it can find which ends with pre-defined extensions
- Logs clipboard data and takes desktop screenshots
As noted earlier, the Android backdoor targets SMS-sent one-time passwords and records nearby conversations. Check Point said evidence from passive DNS records—which log other domains that have used the same IP address used in Rampant Kitten—suggested that the attackers have been active since at least 2014.
A separate report published by the Miaan Group, a human rights organization that focuses on digital security in the Middle East, echoed the research and added details, including the exfiltration of the malware of data from the WhatsApp messenger.
“Since early 2018, Miaan researchers have been tracking malware used in a series of cyberattacks on Iranian dissidents and activists,” organization researchers wrote. “The research has uncovered hundreds of victims of malware and phishing attacks that stole data, passwords, personal information, and more.” It wasn’t clear if that malware included the infostealers detailed by Check Point.
Readers should remember that the ability to extract Telegram, KeePass, or WhatsApp data from an infected computer isn’t automatically an indication of especially sophisticated malware or a flaw in the targeted applications. To be useful, all three applications have to decrypt contents when a user needs it. That moment presents an opportunity for malware already installed to obtain the information. People should remember there are rarely good reasons to enable macros in Office documents and that messages to allow them is a red flag.
Both reports provide extensive indicators of compromise that people can use to determine if they’ve been targeted.