Iran's RampantKitten spy crew were snooping on expats and dissidents for six years
So says Check Point, piecing together Telegram-busting malware clues
Infosec outfit Check Point says it has uncovered a six-year Iranian cyber-spying campaign directed at expats and dissidents worldwide.
The Iranian crew, nicknamed RampantKitten, used a variety of infostealers to help themselves to targets' files, as well as extracting passwords from the password manager KeePass and breaking into Telegram Desktop installations.
A malicious Android app posing as a translation app for Farsi speakers in Sweden to pass local driving tests was also deployed to steal data from expats and potential anti-Iranian-regime dissidents.
"The handpicked targets included supporters of Mujahedin-e Khalq and the Azerbaijan National Resistance Organization, two prominent resistance movements that advocate the liberation of Iranian people and minorities within Iran," said Check Point in its research report on RampantKitten.
Lotem Finkelsteen, a threat intelligence manager at Check Point, said in a canned statement: "Instant messaging surveillance, especially on Telegram, is something everyone should be cautious and aware of. Second, the mobile, PC and web phishing attacks were all connected to the same operation. These operations are managed according to intelligence and national interests, as opposed to technological challenges."
A URL very closely resembling a legitimate SharePoint server was used to distribute the malware, which was disguised as a legitimate document about an anti-Ayatollah organisation based in Albania and composed of Iranian exiles.
The malware compromised the Telegram accounts before uploading Telegram files, as well as "any file it could find which ends with pre-defined extensions", to servers controlled by the attackers, in addition to screenshotting the Windows desktop and logging clipboard data. It achieved persistence by copying the main Telegram executable into a new folder, which triggers the program's automatic update process once a legitimate user starts it. The payload also replaces the default Telegram updater file with malware, so the malware runs again every time Telegram is reopened.
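The persistence trick described above leaves two things a defender can look for: a copy of the Telegram executable outside its install directory, and an updater file whose hash no longer matches a known-good build. The following is an added example, not Check Point's code or anything from the Telegram project; it runs a simple audit over a constructed file inventory, and it assumes the Windows file names `Telegram.exe` and `Updater.exe`, the default per-user install path under `AppData\Roaming\Telegram Desktop`, and a placeholder allowlist hash.

```python
import hashlib
from pathlib import PureWindowsPath

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a legitimate Updater.exe; a real deployment would
# allowlist vendor-published or golden-image hashes instead.
GOOD_UPDATER_BYTES = b"constructed stand-in for a legitimate Telegram Updater.exe"
KNOWN_GOOD_UPDATER_SHA256 = {sha256_hex(GOOD_UPDATER_BYTES)}

# Executables the described persistence trick abuses (file names assumed).
WATCHED_EXES = {"telegram.exe", "updater.exe"}


def in_expected_install_dir(path: PureWindowsPath) -> bool:
    # Default per-user install is <profile>\AppData\Roaming\Telegram Desktop\ (assumed).
    parts = [p.lower() for p in path.parts]
    return ("appdata" in parts and "roaming" in parts
            and len(parts) >= 2 and parts[-2] == "telegram desktop")


def audit_inventory(inventory) -> list:
    """Return (path, reason) findings for (path, file_contents) pairs: Telegram
    binaries copied outside the install directory, and any Updater.exe whose
    hash is not on the allowlist."""
    findings = []
    for raw_path, content in inventory:
        path = PureWindowsPath(raw_path)
        name = path.name.lower()
        if name not in WATCHED_EXES:
            continue
        if not in_expected_install_dir(path):
            findings.append((raw_path, "telegram_binary_outside_install_dir"))
        if name == "updater.exe" and sha256_hex(content) not in KNOWN_GOOD_UPDATER_SHA256:
            findings.append((raw_path, "updater_hash_not_allowlisted"))
    return findings


# Constructed inventory: a clean install plus a rogue copy carrying a swapped updater.
SAMPLE_INVENTORY = [
    (r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe", b"telegram main binary"),
    (r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Updater.exe", GOOD_UPDATER_BYTES),
    (r"C:\Users\alice\AppData\Local\Temp\tg\Telegram.exe", b"telegram main binary"),
    (r"C:\Users\alice\AppData\Local\Temp\tg\Updater.exe", b"not the real updater"),
]
if __name__ == "__main__":
    for path, reason in audit_inventory(SAMPLE_INVENTORY):
        print(f"{reason}: {path}")
```

The clean install produces no findings; the rogue copy is flagged once for its location and its updater twice, for location and for the unrecognised hash.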
Check Point said it found variations of the malware dating back to 2014, speculating that other publicly known attacks originating from Iran or targeting Iranian-linked victims may have come from the RampantKitten crew as well.