21 September 2020

Iranian hackers create Android malware that steals 2FA SMS codes

Researchers have uncovered an ongoing surveillance operation orchestrated by an Iranian hacker group aimed at Iranian dissidents and expatriates. The hacker group, dubbed Rampant Kitten, has been active for at least six years and has been engaged in cyber espionage campaigns against Iranian minorities, anti-regime organizations, and resistance movements.

"According to the evidence we gathered, the threat actors, who appear to be operating from Iran, take advantage of multiple attack vectors to spy on their victims, attacking victims' personal computers and mobile devices," researchers from Check Point said.

The group’s arsenal includes several variants of Windows infostealers intended to steal the victim’s personal documents as well as their Telegram Desktop and KeePass account information; Telegram phishing pages distributed via fake Telegram service accounts; and an Android backdoor that extracts two-factor authentication codes from SMS messages, records the phone’s surroundings via the microphone, and shows phishing pages.

The Android malware is disguised as an Android application that ostensibly helps Persian speakers in Sweden get their driver’s license. In order to silently turn on the microphone in real time, the app needs to have its service running in the background, but this means a persistent notification is displayed alerting the user.

Once the malware receives the proper command from the C&C server, the user is presented with a Google login page. In order to steal the typed-in credentials, Android’s JavascriptInterface is used, along with a timer that periodically retrieves the contents of the username and password input fields.

According to the researchers, the Android backdoor forwards any SMS starting with the prefix G-, the prefix of Google two-factor authentication codes, to a phone number it receives from the C&C server. Furthermore, all incoming SMS messages from Telegram and other social network apps are also automatically sent to the attackers’ phone number.
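As an added, defender-side example that is not from the article or from Check Point's report: a small static triage check that flags an Android package combining the capabilities described above (receiving and forwarding SMS, background microphone capture, a JavaScript bridge over a login page). The manifest, the decompiled-string list, the indicator names and the `accounts.google.com` URL are constructed assumptions for illustration, not artefacts recovered from the actual malware.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest (sample only, not the real app's manifest).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.driving.test">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed strings as they might come out of a decompiled DEX file.
SAMPLE_STRINGS = ["addJavascriptInterface", "G-", "getMessageBody",
                  "accounts.google.com", "sendTextMessage"]

def triage(manifest_xml: str, strings: list) -> dict:
    """Return capability indicators; each True value is one reason for review."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    actions = {e.get(ANDROID_NS + "name") for e in root.iter("action")}
    s = set(strings)
    findings = {
        # can read incoming SMS, which is how 2FA codes arrive
        "sms_intercept": "android.permission.RECEIVE_SMS" in perms
                         and "android.provider.Telephony.SMS_RECEIVED" in actions,
        # can forward what it read to another phone number
        "sms_exfil_via_sms": "android.permission.SEND_SMS" in perms
                             and "sendTextMessage" in s,
        # background audio capture needs both the permission and a service
        "background_audio": {"android.permission.RECORD_AUDIO",
                             "android.permission.FOREGROUND_SERVICE"} <= perms,
        # JS bridge plus a Google login URL suggests an in-app phishing page
        "js_bridge_login_page": "addJavascriptInterface" in s
                                and "accounts.google.com" in s,
        # filter string matching the prefix of Google verification codes
        "google_2fa_prefix": "G-" in s,
    }
    findings["score"] = sum(1 for v in findings.values() if v is True)
    return findings
```

A score of 5 on the constructed sample means every indicator fired; on a real package the check is a prioritisation aid for manual review, not a verdict.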

“Following the tracks of this attack revealed a large-scale operation that has largely managed to remain under the radar for at least six years. According to the evidence we gathered, the threat actors, who appear to be operating from Iran, take advantage of multiple attack vectors to spy on their victims, attacking victims’ personal computers and mobile devices”, the researchers said.

“Since most of the targets we identified are Iranians, it appears that similarly to other attacks attributed to the Islamic Republic, this might be yet another case in which Iranian threat actors are collecting intelligence on potential opponents to the regime.”
