The attacker, suspected to be of Iranian origin, is said to have orchestrated a campaign against Windows and Android systems using a wide range of tooling, namely information stealers and backdoors designed to steal personal documents, passwords, Telegram messages and two-factor authentication codes from SMS messages.
The operation, dubbed “Rampant Kitten,” has used a malware toolkit against Iranian minorities, anti-regime organizations and resistance movements, such as AFALR, the Azerbaijan National Resistance Organization and Citizens of Balochistan.
According to the cybersecurity company, the infection chain was first traced to a Microsoft Word document entitled “The System Fears Spread of Revolutionary Guns,” which contains malware aimed at Iranian opponents of the regime.
When opened, the document checks whether the Telegram application is present on the Windows system and, if it is, downloads three additional malicious executables that collect the relevant Telegram and KeePass files from the victim’s computer.
In this way an attacker can hijack an individual’s Telegram account and steal messages, as well as collect all files with specified extensions and transfer them to a server under their control.
The research also corroborates an advisory issued by the US Cybersecurity and Infrastructure Security Agency (CISA) earlier this week.
That advisory explained that Iranian attackers use PowerShell scripts to gain access to the encrypted password data stored by the KeePass password manager.
In addition, information was stolen from Telegram accounts using a separate technique: hosted phishing pages impersonating Telegram that use fake “feature update” messages to gain unauthorized access to the accounts.
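The two Windows-side behaviours described above (an Office document spawning executables that read Telegram session data or KeePass databases, and PowerShell reading a KeePass database) are well suited to endpoint telemetry review. The following script is an added example, not code from the article or from Check Point's report: it runs three simple rules over constructed, Sysmon-style process-creation and file-access events. The field names (image, parent image, target filename), the assumed Telegram Desktop `tdata` directory, the `.kdbx` extension and all sample paths are assumptions made for this example.

```python
"""Triage constructed endpoint events for the Rampant Kitten-style behaviours
described in the article. Added example; event layout and paths are assumed."""
from dataclasses import dataclass
from typing import List, Tuple

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Assumed for this example: Telegram Desktop keeps session data under a
# "tdata" directory and KeePass databases carry the .kdbx extension.
SENSITIVE_MARKERS = ("\\telegram desktop\\tdata\\", ".kdbx")
# The applications that legitimately own these files; anything else reading
# them is worth a look.
ALLOWED_READERS = {"telegram.exe", "keepass.exe"}


@dataclass
class Event:
    kind: str               # "process" (process creation) or "file" (file access)
    image: str              # full path of the acting process
    parent_image: str = ""  # parent process, for "process" events
    target: str = ""        # file path, for "file" events


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_executable(ev: Event) -> bool:
    """Rule 1: an Office application launching a child process."""
    return ev.kind == "process" and basename(ev.parent_image) in OFFICE_PROCESSES


def reads_messaging_or_password_store(ev: Event) -> bool:
    """Rule 2: a non-owner process touching Telegram session data or a KeePass DB."""
    if ev.kind != "file" or basename(ev.image) in ALLOWED_READERS:
        return False
    return any(marker in ev.target.lower() for marker in SENSITIVE_MARKERS)


def script_host_reads_keepass(ev: Event) -> bool:
    """Rule 3: PowerShell reading a KeePass database, as described in the CISA advisory."""
    return (ev.kind == "file" and basename(ev.image) in SCRIPT_HOSTS
            and ev.target.lower().endswith(".kdbx"))


RULES = [
    ("office_child_process", office_spawned_executable),
    ("telegram_or_keepass_access", reads_messaging_or_password_store),
    ("powershell_keepass_read", script_host_reads_keepass),
]


def triage(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (rule name, acting process, related path) for every rule an event matches."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev.image, ev.target or ev.parent_image))
    return hits


# Constructed sample telemetry: one Word-spawned dropper that reads Telegram
# session data, one PowerShell read of a KeePass database, and two benign events.
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\victim\AppData\Local\Temp\update.exe",
          parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Event("file", r"C:\Users\victim\AppData\Local\Temp\update.exe",
          target=r"C:\Users\victim\AppData\Roaming\Telegram Desktop\tdata\key_datas"),
    Event("file", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          target=r"C:\Users\victim\Documents\Passwords.kdbx"),
    Event("process", r"C:\Windows\System32\notepad.exe",
          parent_image=r"C:\Windows\explorer.exe"),
    Event("file", r"C:\Program Files\KeePass\KeePass.exe",
          target=r"C:\Users\victim\Documents\Passwords.kdbx"),
]

if __name__ == "__main__":
    for rule, image, path in triage(SAMPLE_EVENTS):
        print(f"{rule:28} {basename(image):16} {path}")
```

Rule 2 is deliberately broad; in practice the allowlist of legitimate readers (backup agents, indexers) has to be tuned per environment, and the PowerShell rule is the higher-confidence signal because the password manager itself never needs a script host to open its database.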
The Android backdoor, by contrast, is installed through an app masquerading as a service that helps Persian speakers in Sweden obtain their driver’s license.
The application is designed to intercept all SMS messages and forward them to a phone number received from the command-and-control (C2) server, allowing the attacker to obtain the victim’s account credentials.
Check Point said it uncovered several variants of the malware dating back to 2014, some of them in use concurrently, with major differences between them.
Given the carefully selected nature of the “Rampant Kitten” targets, such as the MEK and the Azerbaijan National Resistance Organization (ANRO), it is likely that the attackers are acting at the request of the Iranian government.