Domestic Kitten – An Iranian surveillance operation under the radar since 2016

CheckPoint uncovered an extensive surveillance operation conducted by Iranian APT actor and tracked as Domestic Kitten aimed at specific groups of individuals.

Researchers at security firm CheckPoint uncovered an extensive surveillance operation conducted by Iranian APT actor and tracked as Domestic Kitten aimed at specific groups of individuals.

Cyber spies used malicious mobile apps that collect sensitive information on the target device and implements specific features to spy on the victims, such as recording the surrounding voices.

The attackers are spying on Iranian individuals that are Kurdish and Turkish natives, and ISIS supporters.

“Through the use of mobile applications, those behind the attack use fake decoy content to entice their victims to download such applications, which are in fact loaded with spyware, to then collect sensitive information about them.” reads the analysis published by CheckPoint.

“Interestingly, these targets include Kurdish and Turkish natives and ISIS supporters. Most interesting of all, though, is that all these targets are actually Iranians citizens.”

The list of information collected from the compromised devices is long and includes:

• contact lists
• call records
• text and multimedia messages
• browser history and bookmarks
• geographical location
• photos
• recordings of nearby conversations
• list of installed apps
• clipboard content
• data on external storage

The threat actor uses decoy applications which are believed to be of interest to the targets. The researchers discovered ISIS branded wallpaper changer, “updates” from the ANF Kurdistan news agency and a fake version of the Vidogram messaging app.

All the applications used in the campaign have the same certificate that was issued in 2016, the researchers confirmed that the extensive and targeted attacks are going on since 2016 and, until now, have remained under the radar due to the artful deception of the attackers towards their targets

The wallpaper changer aimed at the ISIS supported is designed to lure them by offering ISIS-related pictures to set as the screen background.

Data exfiltrated from the victim’s device are transferred to the C&C server via HTTP POST requests, it is encrypted with the AES algorithm and can be decrypted with a device ID that is unique for each victim.

One of the applications connects firmwaresystemupdate[.]com that is a newly registered website that was seen initially to resolve to an Iranian IP address but that later switched to a Russian address.

CheckPoint published the victim distribution, the cyberspies infected devices of at least 240 users most of them are Iranians (97%), the remaining are from in Afghanistan, Iraq and Great Britain.

“Indeed, these surveillance programs are used against individuals and groups that could pose a threat to the stability of the Iranian regime. These could include internal dissidents and opposition forces, as well as ISIS advocates and the Kurdish minority settled mainly in Western Iran,” CheckPoint concludes.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Domestic Kitten, surveillance)

[adrotate banner=”5″]

[adrotate banner=”13″]