yber-warfare and espionage have long been common weapons in the arsenal of governments, armies, and intelligence agencies around the world. The Islamic Republic of Iran is no exception to this trend. With new discoveries made every year repeatedly attributed to groups within the republic, not only do we get insights into the technical inner workings of these groups, but also into the interests and the motives that drive their exploits.
Along with missions such as espionage or intelligence gathering, it seems that according to the attacks attributed to Iran over the last decade, an equally important mission is ideological. Sometimes these attacks come in response to a wide-ranging geopolitical conflict, and sometimes even involve long-standing religious tensions. However, Iranian cyber efforts that are ideological are not necessarily limited to distant enemies, and it seems that a considerable effort is actually invested in what the regime considers domestic threats.
While Iran is known to take aggressive cyber-actions to suppress protests, such as censoring or even shutting down its internet, the country is also associated with long-running cyber surveillance operations against dissidents, minorities and ideological exiles.
In these two research investigations, conducted in collaboration with SafeBreach, we reveal how two Iran-based advanced cyber groups have been conducting ongoing, extensive attacks against opposition groups in Iran and abroad for many years.
Same target – different approach
In this in-depth research, we uncover significant parts of two advanced Iranian cyber-groups – Domestic Kitten and Infy. Both groups have conducted long-running cyber-attacks and intrusive surveillance campaigns, which target both individuals’ mobile devices and personal computers. The operators of these campaigns are clearly active, responsive and constantly seeking new attack vectors and techniques to ensure the longevity of their operations.
This campaign has been operating since 2016, focusing on targeting the mobile phones of Kurdish Iranian citizens, ISIS supporters and other perceived threats to the stability of the Iranian regime. Despite the reveal of “Domestic Kitten” by Check Point in 2018, the group behind it, APT-C-50 has continued to conduct extensive surveillance operations. In this research, we reveal the extent of the operations, the multiple campaigns executed by APT-C-50, their delivery methods, and an analysis of the targeted individuals. In addition, we provide a technical analysis of the ‘FurBall’ malware used since the beginning of the operation, its origin, and the techniques we observed that are used to conceal the malware’s true nature. This operation consists of 10 unique campaigns, which have targeted over 1,200 individuals with more than 600 successful infections. It includes 4 currently active campaigns, the most recent of which began in November 2020.
What’s new?
Recent active campaigns – Modus Operandi
In these campaigns, victims are lured to install a malicious application by multiple vectors, including an Iranian blog site, Telegram channels, and even by SMS with a link to the malicious application.
In the newest ‘hass’ campaign, APT-C-50 mimics an application for the “Mohsen Restaurant” which is located in Tehran. Covers of the ‘mmh’ campaign include an ISIS supporter application and a repackaged version of ‘Exotic Flowers’ from Google Play. The methods used to deliver FurBall applications to victims also vary from one campaign to another. In some campaigns, we observed SMS messages with a link to download the malware, while in others an Iranian blog site hosted the payload. In another campaign, we assume that the application was shared in a Telegram channel.
Victims
As stated, the operation has targeted over 1,200 individuals with more than 600 successful infections. We were able to identify victims of the Domestic Kitten operation from various countries globally, including Iran (251 victims), the United States (25 victims), Great Britain (3 victims), Pakistan (19 victims), Afghanistan (8 victims), Turkey (1 victims), and Uzbekistan (2 victims). We have alerted relevant law enforcement agencies in the US and the UK and provided them with the accurate list of victims.
A sample of the information stolen from a victim’s mobile phone – shows live pictures from Teheran’s streets
This campaign has been researched jointly with SafeBreach Labs. Operating since 2007, probably the longest lasting Iranian threat actor, Infy previously attacked Iranian dissidents across multiple countries, Persian speaking media and diplomatic targets such as the Danish Foreign Ministry. The group’s level of control on internet traffic inside Iran indicated ties to the Telecommunication Company of Iran.
What’s new?
This report sheds new light on this long-lasting Iranian cyber operation, revealing new techniques used, their infrastructure, and their new modus operandi as well as common hiding techniques used in the campaign.
Key findings:
- A new, previously unknown, second stage malware with extended capabilities.
- A more mature form of the known “Infy” malware family.
- A review of recent C2 infrastructure including HTTP/FTP servers and RSA signatures.
Previously unknown tools, new modus operandi
Tonnerre and Foudre (Thunder & Lightning), the tools used by Infy, are also information stealing focused, but for Windows-based PCs. The tools employ voice-recording, file stealing from the PC and external storage along with other capabilities. Our research uncovered these previously unknown tools as well as other advanced techniques used by this group which clearly show how their operators constantly try to evolve and evade any possible interference of their operations.
During the first half of 2020, new versions of Foudre emerged with new documents designed to lure victims. These operate in a slightly different manner than before – instead of having the victim click on what appears to be a link to a video, the malware runs a macro once the victim closes the document. It seems that following a long downtime, the Iranian cyber attackers were able to regroup, fix previous issues and dramatically reinforce their OPSEC activities as well as the technical proficiency and abilities of their tools.
After lightning comes thunder
Tonnerre is used to expand the functionality of Foudre, possibly to make sure it is deployed only when needed, which could help it evade detection. Like Foudre, it is written in Delphi.
Its capabilities include:
- Stealing files from predefined folders as well as external devices.
- Executing commands from the C2(C2used by attackers to retain communications with compromised systems. It is usually the compromised system that initiates communication from inside a network to a command and control server on the public Internet server)
- Recording sound & Captures screen
Victims
This time around, Infy used Persian macro-embedded documents referencing to politicians and organizations in Iran. As we expect in targeted attacks we observed only a few dozen victims. Victims are from multiple countries such as Iraq (1 victim), Azerbaijan (1 victim), UK (1 victim), Russia (1 victim), Romania (1 victim), Germany (1 victim), Canada (1 victim), Turkey (3 victims), US (3 victims), Netherlands (4 victims) and Sweden (6 victims).
Conclusion
While both of the groups we investigated target similar victims and collect information of the same type, we consider the two groups to be independent. As such, we chose to share the information about the groups in two separate, detailed reports;
However, the intelligence collected by both threat groups might well serve the same function, and we cannot overlook the potential synergistic effect the two groups may have created over the years by presenting two different attack vectors to the same-targeted audience.
