Iran-Linked Hackers Expand Arsenal With New Android Backdoor

The Iran-linked hacking group named Charming Kitten has added a new Android backdoor to its arsenal and successfully compromised individuals associated with the Iranian reformist movement, according to security researchers with IBM’s X-Force threat intelligence team.

Also tracked as Phosphorus, TA435, and ITG18, Charming Kitten has been active since at least 2011, targeting government organizations, journalists, activists, and various other entities, including the World Health Organization (WHO), and presidential campaigns.

Last year, the group accidentally exposed approximately 40 GB of videos and other content associated with its operations, including training videos on how to exfiltrate data from online accounts, and clips detailing the successful compromise of certain targets.

Between August 2020 and May 2021, it conducted successful attacks against targets aligned with the Iranian reformist movement, but also continued to make various operational security errors, IBM reveals.

Dubbed LittleLooter, the recently discovered Android backdoor appears to be exclusive to Charming Kitten, providing the threat actor with extensive information-stealing capabilities, including video and live screen recording, placing calls, file upload/download, voice call recording, GPS data gathering, device information harvesting, browser history harvesting, connectivity manipulation, contact information stealing, picture snapping, and retrieving SMS and call list details.

The observed activity, IBM says, aligns with the group’s “long-standing operations against Iranian citizens of interest.” As part of the activity, the hackers “exfiltrated roughly 120 gigabytes of information from approximately 20 individuals aligned with the Reformist movement in Iran,” using legitimate utilities associated with the hacked accounts.

IBM says it did not observe how the group compromised the targeted accounts, but believes that LittleLooter or phishing/social engineering might have been employed to harvest account credentials from their targets. The stolen information includes photos, contact lists, conversations, and group memberships.

“The information X-Force has gleaned on ITG18’s activity, in conjunction with the training videos X-Force found in the summer of 2020, continues to paint a picture of a threat actor that likely leverages a considerable number of personnel. This is underpinned by how manual and labor-intensive ITG18 operations appear to be, from gaining initial access to individual victim accounts to carefully reviewing exfiltrated data,” IBM notes.

The security researchers point out that the group often goes beyond just sending phishing messages to its victims, attempting to chat, call, and even video conference with the victims, which suggests hands-on work from numerous operators.

This year, IBM discovered more than 60 servers employed by the group to host over 100 phishing domains, suggesting a large number of victims. What the researchers couldn’t estimate, however, is how many operators the group has.

“X-Force alone has observed almost 2 terabytes of compressed exfiltrated data on publicly accessible ITG18 servers since 2018. This likely represents only a small portion of the data actually stolen by this adversary,” IBM notes.

Related: Iranian Hackers Impersonate British Scholars in Recent Campaign

Related: Iranian Hackers Target Medical Personnel in US, Israel

Ionut Arghire is an international correspondent for SecurityWeek.