IBM: Campaign Targeted Reformists Before Election
A group dubbed “ITG18,” which apparently is linked to an Iranian advanced persistent threat group, deployed an Android backdoor it used to exfiltrate sensitive information from at least 20 reformists in Iran in the runup to the country’s June 18 presidential election, IBM’s Security Intelligence reports.
The malware campaign, which was active between August 2020 and May of this year, targeted individuals aligned with Iran’s reformist movement and used previously unseen Android malware called LittleLooter, according to the report.
The researchers note the malware, which was capable of recording video and audio, downloading files and exfiltrating SMS data, was likely deployed by the threat actors to support state-sponsored surveillance ahead of the June presidential election.
Among the apps targeted by the attackers was Telegram, one of the only instant messaging apps permitted in Iran, IBM says.
Despite experiencing operational errors, such as accidentally leaking its training videos in July, the group wielding the malware has continued its operations, the research report notes.
The report notes the ITG18 attackers likely used social engineering tricks to gather information about the victims.
The group relied on a large pool of manpower for calling, chatting and video conferencing as a means to establish contact with its targets, the report adds.
“While [IBM X-Force Threat Intelligence] cannot confirm how many individuals and organizations ITG18 has targeted recently, what has been observed so far in 2021 is identification of over 60 servers hosting more than 100 phishing domains, which suggests there may be a large number of victims,” the report notes. “Through some of the videos that X-Force discovered last summer, an ITG18 operator was observed spending hours in manual work. They were seen validating credentials by copying and pasting stolen victim usernames and passwords into a wide variety of websites, for just two victims.”
Leaked Training Videos
In July 2020, IBM researchers discovered five videos that were accidentally leaked from ITG18 that showed how the hacking group uses stolen credentials from social media and email platforms to demonstrate to recruits how to exfiltrate data from these accounts.
In one video, an attacker was seen engaging in an unsuccessful phishing attempt targeting the email accounts of an Iranian-American philanthropist and two U.S. State Department officials and one account that was associated with the U.S. Virtual Embassy of Iran, according to the report.
The researchers also uncovered three videos in which the ITG18 hackers successfully compromised accounts associated with U.S. and Greek naval officers, IBM states.
Using the compromised emails, the attackers then obtained trivial information, such as details on the account owners’ pizza delivery schedule, student financial aid, municipal utilities, baby products and video games, to create more precise targeting of the victims, the report added.
Links to Charming Kitten
ITG18 appears to be linked to Iranian hacking group Charming Kitten, based on the overlap in their infrastructure, IBM says. Charming Kitten, which is also known as Phosphorus and TA453, has been linked to several cyberespionage campaigns.
Last month, security firm Proofpoint reported that Charming Kitten conducted a series of spear-phishing attacks in an attempt to steal sensitive information from scholars who study the Middle East (see: Iranian APT Gang Phishes Middle East Experts).
The gang waged a phishing campaign in late 2020 that used SMS and email messages to spread malicious links in an attempt to steal email credentials in the U.S., Europe and the Persian Gulf region. The targets were individuals working for think tanks and political research centers, university professors, journalists and environmental activists (see: Iranian APT Group Revived Phishing Activities Over Holidays).