Researchers said they have uncovered an ongoing surveillance campaign that for years has been stealing a wide range of data on Windows and Android devices used by Iranian expatriates and dissidents.
The campaign, which security firm Check Point has named Rampant Kitten, comprises two main components, one for Windows and the other for Android. Rampant Kittens objective is to steal Telegram messages, passwords, and two-factor authentication codes sent by SMS and then also take screenshots and record sounds within earshot of an infected phone, the researchers said in a post published on Friday.
The Windows infostealer is installed through a Microsoft Office document with a title that roughly translates to “The Regime Fears the Spread of the Revolutionary Cannons.docx.” Once opened, it urges readers to enable macros. If a user complies, a malicious macro downloads and installs the malware. The Android infostealer is installed through an app that masquerades as a service to help Persian-language speakers in Sweden get their drivers license.
“According to the evidence we gathered, the threat actors, who appear to be operating from Iran, take advantage of multiple attack vectors to spy on their victims, attacking victims personal computers and mobile devices,” Check Point researchers wrote in a longer report also published on Friday. “Since most of the targets we identified are Iranians, it appears that similarly to other attacks attributed to the Islamic Republic, this might be yet another case in which Iranian threat actors are collecting intelligence on potential opponents to the regiment.”
The Windows infostealer takes a particular interest in Telegram. Fake Telegram service accounts push phishing pages that purport to be official Telegram login sites. The malware also seeks out messages stored in Telegram for Windows when its installed on infected computers. To survive reboots, Check Point said, the infostealer hijacks the Telegram for Windows update process by replacing the official Updater.exe file with a malicious one. (I attempted to ask Telegram officials if the service uses code signing to prevent such tampering but didnt succeed in reaching anyone.)
Passwords, messages, and conversations are all ours
Check Point said other features of the Windows malware included:
- Uploads relevant Telegram files from victims computer. These files allow the attackers to make full usage of the victims Telegram account
- Steals information from KeePass password manager application
- Uploads any file it can find which ends with pre-defined extensions
- Logs clipboard data and takes desktop screenshots
As noted earlier, the Android backdoor targets SMS-sent one-time passwords and records nearby conversations. Check Point said evidence from passive DNS records—which log other domains that have used the same IP address used in Rampant Kitten—suggested that the attackers have been active since at least 2014.