Check Point specialists have described the hacker group Rampant Kitten, which has been tracking Iranian opposition organizations, dissidents and expatriates for at least six years. The researchers emphasize that individual attacks by this group had previously been reported by other companies and journalists, but the Check Point investigation made it possible to link several campaigns together and attribute them to Rampant Kitten.
For their operations, the hackers used a variety of malware, including four info-stealers for Windows that spread through malicious Microsoft Office documents, and an Android backdoor that usually lurked inside malicious applications. In one case, the malware was found in an application meant to help Persian speakers in Sweden obtain a driver's license.
The Windows malware was used primarily to steal victims' personal documents and Telegram desktop client files, which ultimately allowed the hackers to gain access to the user's Telegram account. In addition, the malware stole files from the KeePass password manager, intercepted clipboard data, and took screenshots.
Although Rampant Kitten's main malware targeted Windows, the researchers also found a powerful backdoor for Android. This malware can steal the victim's contact list and SMS messages, covertly spy on the user through the device's microphone, take screenshots, and lure the user to phishing pages.
The hackers clearly paid special attention to intercepting SMS messages, specifically two-factor authentication codes. For example, the malware intercepted and forwarded to the attackers any message containing the string "G-", which is the usual prefix of 2FA codes for Google accounts. Apparently the hackers used the Android malware at the same time to show the victim a Google phishing page in order to capture the user's credentials and then gain access to the account, since the two-factor authentication code was no longer an obstacle.
The researchers also noticed that the malware automatically forwards any incoming SMS messages from Telegram and other social networking applications to the attackers. Such messages also contain 2FA codes, so the group was clearly interested in more than just other people's Google accounts.
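The SMS-stealing capability described above depends on an app being allowed to receive SMS and having a way to send the messages off the device. As an added triage example (not code from Check Point or from the malware), the following script parses an AndroidManifest.xml and flags apps that combine SMS permissions, an `SMS_RECEIVED` broadcast receiver and a network or SMS-sending permission, which is exactly the combination a driver's-license helper app has no reason to request. The manifest is a constructed sample with a placeholder package name; it looks only at declared capabilities, not at the "G-" string filter, which lives in the app's code rather than its manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions and receiver actions that, together, let an app read incoming
# SMS (including 2FA codes) and ship them off the device.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
EXFIL_PERMS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the SMS-related capabilities declared in a manifest and a
    'suspicious' verdict when read + receiver + exfiltration path coincide."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    sms_receivers = []
    for recv in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in recv.iter("action")}
        if SMS_ACTION in actions:
            sms_receivers.append(recv.get(ANDROID_NS + "name"))
    can_read = bool(perms & SMS_PERMS)
    can_exfil = bool(perms & EXFIL_PERMS)
    return {
        "sms_permissions": sorted(perms & SMS_PERMS),
        "sms_receivers": sms_receivers,
        "suspicious": can_read and bool(sms_receivers) and can_exfil,
    }


# Constructed sample manifest (not taken from any real sample): a
# "license helper" app that has no legitimate reason to read SMS.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.placeholder.licensehelper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="License Helper">
    <receiver android:name=".SmsListener" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A high `android:priority` on the SMS intent filter, as in the sample, is a further hint worth flagging in a real triage pipeline, since it lets a receiver see messages before the default SMS app does.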
“After doing our research, we noticed a few things. Firstly, special attention was paid to the surveillance of instant messaging. Although Telegram cannot be decrypted, it can be compromised. Second, mobile, PC, and phishing attacks were all part of the same operation,” comments Check Point specialist Lotem Finkelsteen.