Check Point details Iranian hacker group’s ongoing espionage campaign
The hacker group nicknamed ‘Rampant Kitten’ has developed an Android backoor that steals 2FA codes, and ran phishing programs on Telegram as well.
Check Point Research revealed details on an Iranian hacker group that has developed tools to steal information from Windows systems, Telegram and even via SMS. According to the researchers at Check Point, these hacking tools were primarily used against Iranian minorities, anti-regime organisations and resistance movements.
Check Point researchers have named this hacker group “Rampant Kitten”, and they've been active for around six years. In a report, Check Point detailed the different hacking tools deployed by the group. One includes four variants of Windows infostealers that can steal the user's personal documents. It can also get access to the user's Telegram desktop app, and KeePass account information as well.
The hackers also developed an Android backdoor that can extract two-factor authentication codes from SMS messages. This Android backdoor is disguised as an app that helps Persian speakers in Sweden get their driver's license. In addition to 2FA, it can also gain access to personal information like contacts and account details, device information and activate voice recording. It can even perform Google account phishing attacks.
Telegram is another popular platform for these hackers to exploit. In some cases, the hackers posed as the official Telegram account and hosted phishing pages on the platform. Similar to the authentic Telegram account, this one too would start out by sending messages of the app's updates. It was only after a few days that the account would send phishing messages. The messages warned users of their accounts being reported for misusing Telegram, and they have to verify their account by clicking on a link.
Considering the groups that are targeted by this hacking group, Check Point's report highlights that the hackers want to understand the behaviour and activities of the victims. Check Point suspects another similar case to occur where hackers try to get information on the same group of people.