<— Back

Rampant Kitten: An Iranian surveillance campaign

14:35 – 15:05 Thursday 3 December, 2020

The Iranian regime has long been known for its attempts to subdue internal struggles and suppress any kind of resistance against the authorities. An interesting malicious document we found targeting Mujahedin-e Khalq, a prominent Iranian resistance movement, showed that those struggles are also reflected in the threat landscape. We were able to gradually expose the activity of a versatile threat group, which we called Rampant Kitten, which has been operating covertly for at least six years. Investigating this malicious activity made the motivations behind this attack very clear: Conducting surveillance and spying on Iranian minorities, anti-regime organizations, and resistance movements.

The attackers were running several campaigns simultaneously, and among the different attack vectors we found were:

• Variants of a Windows infostealer intended to steal the victims’ personal documents as well as access their Telegram and KeePass account information
• An Android backdoor that extracts two-factor authentication codes from SMS messages, records the phone’s voice surroundings, and more
• Phishing pages impersonating Telegram, distributed using fake Telegram service accounts

In this talk, we will take a deep dive into Rampant Kitten’s tactics, techniques and procedures (TTPs), and dissect the multiple attack vectors and payloads used by this group. Then, we will take a look into this threat group’s activity and evolution over the years. Lastly, we will share our insights into the attackers’ infrastructure, and the clues that might indicate where they are operating from.