Rampant Kitten: An Iranian surveillance campaign
14:35 – 15:05 Thursday 3 December, 2020
The Iranian regime has long been known for its attempts to subdue internal struggles and suppress any kind of resistance against the authorities. An interesting malicious document we found targeting Mujahedin-e Khalq, a prominent Iranian resistance movement, showed that those struggles are also reflected in the threat landscape. We were able to gradually expose the activity of a versatile threat group, which we called Rampant Kitten, which has been operating covertly for at least six years. Investigating this malicious activity made the motivations behind this attack very clear: Conducting surveillance and spying on Iranian minorities, anti-regime organizations, and resistance movements.
The attackers were running several campaigns simultaneously, and among the different attack vectors we found were:
- Variants of a Windows infostealer intended to steal the victims’ personal documents as well as access their Telegram and KeePass account information
- An Android backdoor that extracts two-factor authentication codes from SMS messages, records the phone’s voice surroundings, and more
- Phishing pages impersonating Telegram, distributed using fake Telegram service accounts
In this talk, we will take a deep dive into Rampant Kitten’s tactics, techniques and procedures (TTPs), and dissect the multiple attack vectors and payloads used by this group. Then, we will take a look into this threat group’s activity and evolution over the years. Lastly, we will share our insights into the attackers’ infrastructure, and the clues that might indicate where they are operating from.
Israel Gubi is a Security Researcher and Reverse Engineer in the Malware Research Team at Check Point Research. Israel has joined Check Point in 2017 and was part of the first cycle of the Check Point Security Academy.
Israel mainly focuses on malware analysis and malware hunting of both cybercrime and Advanced Persistent Threat campaigns. In his free time, Israel loves any kind of sports, especially tennis and bouldering.
Yuval Sadowsky is a malware analyst in the Threat Intelligence group of Check Point Research. He started out as a student in the Check Point Security Academy in 2018.
Yuval’s research is focused on the APT landscape, tracking espionage motivated operations and hunting for new and undetected threat groups.
Sponsors and Supporting Organizations
Networking Lounge Sponsor