Researchers at security firm CheckPoint uncovered an extensive surveillance operation conducted by Iranian APT actor and tracked as Domestic Kitten aimed at specific groups of individuals.
Cyber spies used malicious mobile apps that collect sensitive information on the target device and implements specific features to spy on the victims, such as recording the surrounding voices.
The attackers are spying on Iranian individuals that are Kurdish and Turkish natives, and ISIS supporters.
“Through the use of mobile applications, those behind the attack use fake decoy content to entice their victims to download such applications, which are in fact loaded with spyware, to then collect sensitive information about them.” reads the analysis published by CheckPoint.
“Interestingly, these targets include Kurdish and Turkish natives and ISIS supporters. Most interesting of all, though, is that all these targets are actually Iranians citizens.”
The list of information collected from the compromised devices is long and includes:
The threat actor uses decoy applications which are believed to be of interest to the targets. The researchers discovered ISIS branded wallpaper changer, “updates” from the ANF Kurdistan news agency and a fake version of the Vidogram messaging app.
All the applications used in the campaign have the same certificate that was issued in 2016, the researchers confirmed that the extensive and targeted attacks are going on since 2016 and, until now, have remained under the radar due to the artful deception of the attackers towards their targets
The wallpaper changer aimed at the ISIS supported is designed to lure them by offering ISIS-related pictures to set as the screen background.
Data exfiltrated from the victim’s device are transferred to the C&C server via HTTP POST requests, it is encrypted with the AES algorithm and can be decrypted with a device ID that is unique for each victim.
One of the applications connects firmwaresystemupdate[.]com that is a newly registered website that was seen initially to resolve to an Iranian IP address but that later switched to a Russian address.
CheckPoint published the victim distribution, the cyberspies infected devices of at least 240 users most of them are Iranians (97%), the remaining are from in Afghanistan, Iraq and Great Britain.
“While the number of victims and their characteristics are detailed above, the number of people affected by this operation is actually much higher. This is due to the fact that the full contact list stored in each victim’s mobile device, including full names and at least one of their phone numbers, was also harvested by the attackers.” continues the analysis.“In addition, due to phone calls, SMS details, as well as the actual SMS messages, also recorded by the attackers, the private information of thousands of totally unrelated users has also been compromised.”
This means that the Domestic Kitten surveillance operation had collateral victims whose details were leaked from contact lists or conversations with the targets.
The researchers attributed the surveillance activity to the Iranian regime based on the political conditions in the region and the nature of the targets that pose a threat to the stability of the Government.
“Indeed, these surveillance programs are used against individuals and groups that could pose a threat to the stability of the Iranian regime. These could include internal dissidents and opposition forces, as well as ISIS advocates and the Kurdish minority settled mainly in Western Iran,” CheckPoint concludes.