The rampant kitty has targeted Telegram like a cat to yarn.
Researchers said they uncovered an ongoing surveillance campaign that has been stealing a wide variety of data on Windows and Android devices used by Iranian expatriates and dissidents for years.
The campaign, which the security firm Check Point has named Rampant Kitten, has two main components, one for Windows and one for Android. Rampant Kitten's goal is to steal Telegram messages, passwords, and two-factor authentication codes sent via SMS, and then to take screenshots and record audio within earshot of an infected phone, the researchers said in a post published Friday.
The Windows infostealer is installed via a Microsoft Office document with a title that roughly translates as "The regime fears the spread of the revolutionary cannons.docx". Once the document is opened, readers are prompted to enable macros. If the user does, a malicious macro downloads and installs the malware. The Android infostealer is installed via an app that disguises itself as a service to help Persian speakers in Sweden get their driver's license.
"According to the evidence gathered, the threat actors who apparently operate from Iran use several attack methods to spy on their victims and to attack the victims' PCs and mobile devices," the Check Point researchers wrote in a lengthy report published on Friday. "Since most of the targets we have identified are Iranians, this appears to be another case, similar to other attacks attributed to the Islamic Republic, in which Iranian threat actors are gathering information about potential opponents of the regime."
The Windows infostealer is particularly interested in Telegram. Fake Telegram service accounts push phishing pages that purport to be official Telegram login pages. The malware also looks for messages stored in Telegram for Windows if it is installed on the infected computer. To survive a reboot, according to Check Point, the infostealer hijacks the update process of Telegram for Windows by replacing the official Updater.exe file with a malicious one. (I tried asking Telegram officials whether the service uses code signing to prevent such tampering, but failed to reach anyone.)
Passwords, messages and conversations are ours
Check Point said other features of the Windows malware include:
- Uploads relevant Telegram files from the victim's computer. With these files, the attackers can make full use of the victim's Telegram account
- Steals information from the KeePass Password Manager application
- Uploads any file found that ends with predefined extensions
- Logs clipboard data and takes desktop screenshots
As mentioned earlier, the Android backdoor targets one-time passwords sent via SMS and records nearby conversations. According to Check Point, passive DNS records of other domains that resolved to the same IP address as Rampant Kitten's infrastructure suggest that the attackers have been active since at least 2014.
A separate report from the Miaan Group, a human rights organization focused on digital security in the Middle East, echoed the research and added details, including the malware's exfiltration of data from WhatsApp Messenger.
"Since the beginning of 2018, Miaan researchers have been tracking malware used in a number of cyberattacks on Iranian dissidents and activists," wrote researchers at the organization. "Research has uncovered hundreds of victims of malware and phishing attacks that stole data, passwords, personal information and more." It was not clear whether this malware included the infostealers described by Check Point.
Readers should remember that the ability to extract Telegram, KeePass, or WhatsApp data from an infected computer is not automatically indicative of particularly sophisticated malware or of a bug in the targeted applications. To be useful, all three applications must decrypt content when the user needs it, and that moment gives malware that is already installed an opportunity to read the information. Users should also remember that there are seldom good reasons to enable macros in Office documents, and that any document asking them to do so is a red flag.
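A simple triage check a defender or help desk can run on a suspicious attachment before anyone is tempted to "enable macros": inspect the OOXML package for an embedded VBA project and flag a mismatch when a file named like the lure above (a `.docx` extension) nevertheless carries macro parts. This is an added example written for this article, not code from Check Point or the Miaan Group; the sample documents are constructed in memory and do not reproduce the actual lure.

```python
import io
import zipfile

# OOXML content type that Office assigns to an embedded VBA project part.
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions that should never legitimately carry a VBA project.
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def build_sample_package(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package for demonstration (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        overrides = (
            '<Override PartName="/word/document.xml" ContentType='
            '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        )
        if with_macro:
            overrides += (
                f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>'
            )
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns='
            f'"http://schemas.openxmlformats.org/package/2006/content-types">{overrides}</Types>',
        )
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed stand-in for the OLE container that holds VBA streams.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
    return buf.getvalue()


def inspect_office_package(data: bytes, filename: str) -> dict:
    """Report whether an Office attachment contains macro parts.

    Returns a dict of findings; 'suspicious' is True when a VBA project part
    or the VBA content type is present, and 'extension_mismatch' is True when
    such parts appear in a file whose extension promises a macro-free format.
    """
    findings = {
        "is_ooxml": False,
        "vba_parts": [],
        "macro_content_type": False,
        "suspicious": False,
        "extension_mismatch": False,
    }
    # OOXML packages are ZIP archives; anything else (legacy .doc, plain text) is out of scope here.
    if not data.startswith(b"PK\x03\x04"):
        return findings
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = z.namelist()
    findings["is_ooxml"] = "[Content_Types].xml" in names
    # Any part named vbaProject.bin, regardless of folder (word/, xl/, ppt/).
    findings["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    if findings["is_ooxml"]:
        content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        findings["macro_content_type"] = MACRO_CONTENT_TYPE in content_types
    findings["suspicious"] = bool(findings["vba_parts"]) or findings["macro_content_type"]
    findings["extension_mismatch"] = (
        findings["suspicious"] and filename.lower().endswith(MACRO_FREE_EXTENSIONS)
    )
    return findings


if __name__ == "__main__":
    for name, blob in (
        ("lure.docx", build_sample_package(with_macro=True)),
        ("report.docx", build_sample_package(with_macro=False)),
    ):
        result = inspect_office_package(blob, name)
        verdict = "FLAG" if result["suspicious"] else "ok"
        print(f"{name}: {verdict} vba_parts={result['vba_parts']} "
              f"extension_mismatch={result['extension_mismatch']}")
```

The check is deliberately conservative: it only answers "does this package carry a VBA project", which is exactly the condition under which Office would ask the reader to enable macros. It does not inspect legacy binary `.doc` files or parse the VBA itself; for those, tools such as oletools are the usual next step.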
Both reports contain comprehensive indicators of compromise that people can use to determine whether they have been targeted.