
RampantKitten: An Iranian Surveillance Operation unraveled

Check Point Research has unraveled an ongoing surveillance operation by Iranian entities that has been targeting Iranian expats and dissidents for years. While some individual sightings of this attack were previously reported by other researchers and journalists, our investigation allowed us to connect the several different campaigns and attribute all of them to the same attackers.

Among the different attacks we found were:

The above tools and methods appear to be mainly used against Iranian minorities, anti-regime organizations and resistance movements such as:

Initial Infection & Infection Chain

We first encountered a document named “وحشت_رژیم_از_گسترش_کانونهای_شورشی.docx”, which roughly translates to “The Regime Fears the Spread of the Revolutionary Cannons.docx”. The title refers to the ongoing struggle between the Iranian regime and the Revolutionary Cannons, a Mujahedin-e Khalq movement. The document uses the remote (external) template technique: the .docx itself carries no macro, only an attachedTemplate relationship in word/_rels/settings.xml.rels whose target is a URL on a remote server. When Word opens the file it fetches that template, so the malicious macro lives in the remote .dotm and the lure document passes a static macro check on its own.

After the victim opens the document and the remote template is downloaded, the malicious macro in that template runs a batch script that tries to download and execute the next-stage payload. That payload checks whether Telegram is installed on the infected machine and, if it is, extracts three further executables.
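A practical check for this first stage, added here as example code that is not part of Check Point's research or tooling: it unpacks a .docx, walks every relationship part, and flags an attachedTemplate relationship that points outside the package, either by an explicit TargetMode="External" or by a URL scheme. The sample documents it inspects are constructed in memory, and the template URL and UNC path are hypothetical placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML relationship namespace and the relationship type Word uses for an attached template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}


def find_external_templates(docx_bytes):
    """Return [(rels_part, target)] for every attachedTemplate relationship that resolves off-package.

    A benign document normally has no attachedTemplate relationship at all, or one whose
    target is a local .dotm with TargetMode="Internal" (or no TargetMode attribute).
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                mode = rel.get("TargetMode", "Internal")
                scheme = urlparse(target).scheme.lower()
                # Either marker is enough: Word will resolve the target outside the package.
                if mode == "External" or scheme in REMOTE_SCHEMES:
                    hits.append((name, target))
    return hits


def build_docx(template_target=None, target_mode="External"):
    """Build a minimal constructed .docx in memory.

    Hypothetical sample for exercising the detector, not a file from the campaign.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        z.writestr(
            "word/document.xml",
            f'<?xml version="1.0"?><w:document xmlns:w="{W_NS}"><w:body/></w:document>',
        )
        settings = f'<?xml version="1.0"?><w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
        if template_target is not None:
            settings += '<w:attachedTemplate r:id="rId1"/>'
        settings += "</w:settings>"
        z.writestr("word/settings.xml", settings)
        if template_target is not None:
            z.writestr(
                "word/_rels/settings.xml.rels",
                f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="{target_mode}"/></Relationships>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical attacker URL, constructed for this example.
    lure = build_docx("http://template.example/shureshi.dotm")
    print(find_external_templates(lure))  # [('word/_rels/settings.xml.rels', 'http://template.example/shureshi.dotm')]
    print(find_external_templates(build_docx()))  # []
```

The check runs entirely offline, so it can sit in a mail gateway or sandbox pre-filter. Because the lure has no VBA of its own, a hit should be treated as a reason to quarantine the document and fetch the remote .dotm in an instrumented environment; judging the lure by its own macro content would clear it.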

The main features of the malware include:

Infection chain

Telegram phishing page

Phishing message sent from fake Telegram account

Conclusion

By following the tracks of this attack we revealed a large-scale operation that has largely managed to remain under the radar for at least six years. According to the evidence we have gathered, the threat actors, who appear to be operating from Iran, have been taking advantage of multiple attack vectors to spy on their victims, attacking victims’ personal computers and mobile devices, and their supposedly private, secure communications via Telegram and other social networks.

Since most of the targets we identified are Iranian nationals, it appears that in common with other attacks attributed to the Islamic Republic, this might be yet another case in which Iranian threat actors are collecting intelligence on potential opponents to the regime.

SandBlast Mobile provides real-time threat intelligence and visibility into mobile threats, protecting from malware, phishing, Man-in-the-Middle attacks, OS exploits, and more.

Check Point’s anti-phishing solutions include products that address all of the attack vectors from which phishing attacks come – email, mobile, endpoint and network.

To read the full research go to: https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
