Mobile spyware has been found in the wild that primarily targets Iranian citizens, with some evidence that the Iranian government might be involved. The Check Point researchers who discovered the operation dubbed it Domestic Kitten, as ‘Kitten’ follows the common APT nomenclature for Iranian groups.

Who Are The Main Victims Of The Campaign?

The campaign appears to have mainly targeted ISIS supporters and members of the Kurdish ethnic group residing within Iran. To attract the victims of interest, the threat actor has been using a watering-hole approach with carefully developed fake Android applications loaded with spyware that collects sensitive information about the users. You can read Check Point’s research brief regarding Domestic Kitten here.

How Many Users Were Affected?

More than 240 users have fallen victim to this spyware, according to data recovered from the spyware itself. While the number of direct victims is limited, there are many indirect victims of this operation, because the spyware extracts the full contact list from each victim’s mobile device.

Once the malware is downloaded and installed on the mobile device, it collects the victim’s contact list, records phone calls, and gathers SMS messages, browser history and the data on external storage.

All of this data is packed into an AES-encrypted Zip archive and sent to the command and control server using an HTTP POST request.

“Interestingly, the log documentation includes the name of the malicious application used to prevent the victims’ data, as well as an Application Code Name field,” the researchers said. “This field carries a short description of the app, which leads us to believe that this is a field used by the attackers to instantly recognize the application utilised by the victim. Observed code names include Daesh4 (ISIS4), Military News, Weapon2, Poetry Kurdish.”

Who Is Thought To Be Behind The Campaign?

The Check Point researchers have stated that they believe the Iranian government is behind this malware:

“While the exact identity of the actor behind the attack remains unconfirmed, current observations of those targeted, the nature of the apps and the attack infrastructure involved leads us to believe this operation is of Iranian origin. In fact, according to our discussions with intelligence experts familiar with the political discourse in this part of the world, Iranian government entities, such as the Islamic Revolutionary Guard Corps (IRGC), Ministry of Intelligence, Ministry of Interior and others, frequently conduct extensive surveillance of these groups.”

Source » latesthackingnews