RampantKitten: An Iranian Surveillance Operation unraveled

Check Point Research has unraveled an ongoing surveillance operation by Iranian entities that has been targeting Iranian expats and dissidents for years. While some individual sightings of this attack were previously reported by other researchers and journalists, our investigation allowed us to connect the several different campaigns and attribute all of them to the same attackers.

Among the different attacks we found were:

  • Four variants of Windows infostealers intended to steal victims’ personal documents as well as access their Telegram Desktop and KeePass account information
  • An Android backdoor that extracts two-factor authentication codes from SMS messages, records the phone’s voice surroundings, and more
  • Malicious Telegram phishing pages, distributed using fake Telegram service accounts

The above tools and methods appear to be mainly used against Iranian minorities, anti-regime organizations and resistance movements such as:

  • Association of Families of Camp Ashraf and Liberty Residents (AFALR)
  • Azerbaijan National Resistance Organization
  • Balochistan citizens

Initial Infection & Infection Chain

We first encountered a document with the name “وحشت_رژیم_از_گسترش_کانونهای_شورشی.docx”, which roughly translates to “The Regime Fears the Spread of the Revolutionary Cannons.docx”. The title of the document was referring to the ongoing struggle between the Iranian regime and the Revolutionary Cannons, a Mujahedin-e Khalq movement. The above document leverages the external template technique, which allows it to load a document template from an external remote server.

After the victim opens the document and the remote template is downloaded, the malicious macro code in that template executes a batch script which tries to download and execute the next stage payload. The payload then checks if Telegram is installed on the infected machine, and if so it proceeds to extract three additional executables.

The main features of the malware include:

  • Information Stealer
    • Uploads relevant Telegram files from victim’s computer. These files allow the attackers to make full usage of the victim’s Telegram account
    • Steals information from KeePass application
    • Uploads any file it could find which ends with pre-defined extensions
    • Logs clipboard data and takes desktop screenshots
  • Module Downloader
    • Downloads and installs several additional modules which we could not reach during our investigation
  • Unique Persistence
    • Implements a persistence mechanism based on Telegram’s internal update procedure

Infection chain

Telegram phishing page

Phishing message sent from fake Telegram account

Conclusion

By following the tracks of this attack we revealed a large-scale operation that has largely managed to remain under the radar for at least six years. According to the evidence we have gathered, the threat actors, who appear to be operating from Iran, have been taking advantage of multiple attack vectors to spy on their victims, attacking victims’ personal computers and mobile devices, and their supposedly private, secure communications via Telegram and other social networks.

Since most of the targets we identified are Iranian nationals, it appears that in common with other attacks attributed to the Islamic Republic, this might be yet another case in which Iranian threat actors are collecting intelligence on potential opponents to the regime.

SandBlast Mobile provides real-time threat intelligence and visibility into mobile threats, protecting from malware, phishing, Man-in-the-Middle attacks, OS exploits, and more.

Check Point’s anti-phishing solutions include products that address all of the attack vectors from which phishing attacks come – email, mobile, endpoint and network.

To read the full research go to: research.checkpoint.com