September 7, 2018
Chinese strategist Sun Tzu, Italian political philosopher Machiavelli and English philosopher Thomas Hobbes all justified deceit in war as a legitimate form of warfare. Preceding them all, however, were some in the Middle East who had already internalized and implemented this strategy to great effect, and continue to do so today.
Recent investigations by Check Point researchers reveal an extensive and targeted attack that has been taking place since 2016 and, until now, has remained under the radar due to the artful deception of its attackers towards their targets. Through the use of mobile applications, those behind the attack use fake decoy content to entice their victims to download such applications, which are in fact loaded with spyware, to then collect sensitive information about them. Interestingly, these targets include Kurdish and Turkish natives and ISIS supporters. Most interesting of all, though, is that all these targets are actually Iranians citizens.
What Information is Collected?
Considering the nature of the target, the data collected about these groups provides those behind the campaign with highly valuable information that will no doubt be leveraged in further future action against them. Indeed, the malware collects data including contact lists stored on the victim’s mobile device, phone call records, SMS messages, browser history and bookmarks, geo-location of the victim, photos, surrounding voice recordings and more.
Who is Behind the Attack?
While the exact identity of the actor behind the attack remains unconfirmed, current observations of those targeted, the nature of the apps and the attack infrastructure involved leads us to believe this operation is of Iranian origin. In fact, according to our discussions with intelligence experts familiar with the political discourse in this part of the world, Iranian government entities, such as the Islamic Revolutionary Guard Corps (IRGC), Ministry of Intelligence, Ministry of Interior and others, frequently conduct extensive surveillance of these groups.
Indeed, these surveillance programs are used against individuals and groups that could pose a threat to stability of the Iranian regime. These could include internal dissidents and opposition forces, as well as ISIS advocates and the Kurdish minority settled mainly in Western Iran.
While our investigation is still in progress, the research below reveals the full extent of these targeted attacks, its infrastructure and victims and the possible political story behind it. In the meantime, we have dubbed this operation ‘Domestic Kitten’ in line with the naming of other Iranian APT attacks.
Data Collection via Mobile Applications
Victims are first lured into downloading applications which is believed to be of interest to them. The applications our researchers discovered included an ISIS branded wallpaper changer, “updates” from the ANF Kurdistan news agency and a fake version of the messaging app, Vidogram.
Regarding the ISIS-themed application, its main functionality is setting wallpapers of ISIS pictures, and therefore seems to be targeting the terror organization’s advocates. Curiously, its Arabic name is grammatically incorrect (“دولة خلافة الاسلامیة”, which should instead be “دولة الخلافة الاسلامیة”).
Figure 1: The application offering Isis-related wallpapers.
Figure 2: ANF News Agency website, on which the decoy app is based.
With regards to the ANF News Agency app, while ANF is a legitimate Kurdish news website its app has been fabricated by the attackers to pose as the legitimate app in order to deceive their targets.
Due to the names and content that is offered by the above mentioned applications then, we are lead to believe that specific political groups and users, mainly ISIS supporters and the Kurdish ethnic group, are targeted by the operation.
However, when most of the victims are actually Iranian citizens, it raises more pertinent questions about who may be behind the attack. Due to the attack infrastructure, reviewed below, and its consistency with previous investigations of state-sponsored Iranian operations covered by Check Point researchers, we were led to believe that Iranian government agencies may well be behind the campaign.
A closer look at each of the applications used in the campaign show them to have the same certificate that was issued in 2016. This certificate is associated with the e-mail address ‘telecom2016@yahoo[.]com’, as seen below.
Figure 3: Attack applications certificate uses the same email address ‘telecom2016@yahoo[.]com’
Unfortunately not much is known about this e-mail address, as it was not used to register any domain names or to launch attacks in the past.
Another unique characteristic of the applications used, though, is that all of the samples analyzed have several classes that are under a misspelled package name, “andriod.browser”.
Figure 4: The malicious applications’ classes.
These classes are seen to be in charge of data exfiltration, collecting sensitive information from the victim’s device. Such information includes:
- SMS/MMS messages
- phone calls records
- Contacts list
- Browser history and bookmarks
- External storage
- Application list
- Clipboard content
- Geo-location and camera photos
Interestingly, they also collect surrounding voice recordings.
Figure 5: Examples of the malicious code.
All of the stolen data is then send back to C&C servers using HTTP POST requests.
Additionally, one of the applications contacts firmwaresystemupdate[.]com, a newly registered website that was seen to resolve to an Iranian IP address at first, but then switched to a Russian address.
Figure 6: One of the decoy applications contact firmwaresystemupdate[.]com
The rest of the applications contact IP addresses directly, which unlike the previous domain, are base64 encoded and XORed:
Figure 7: The C&C decoding.
Although these IP addresses were contacted directly, they are newly registered domains that resolve to each of the IP addresses and they all follow the same pattern of a first name-surname naming convention:
Each victim then receives a unique device UUID (a UUID is the encoded value of device’s android_id), which appears at the beginning of each log that is sent back to the attacker, with the title of each log having the same structure: UUID_LogDate_LogTime.log.
When a log is created for a victim, some basic information is then collected and documented prior to the logging of phone call details. In addition, all the logs use a unique delimiter “~~~” to separate between the fields of the stolen data:
Figure 8: SMS log example.
The different classes then collect relevant data, and add them to such a log that is then zipped. Afterwards, the archive is encrypted using AES, with the device UUID as the encryption key, as seen in the below code:
Figure 9: The application’s encryption method.
This information is collected and sent back to C&C servers when the command is received from the attacker. These commands also follow the same structure as the log, as it uses the same delimiter, and can include things such as “Get File”, “Set Server”, “Get Contacts” and more:
Figure 10: Example of commands sent from the server.
As a result of all the above, this glance into inner working of this attack infrastructure therefore allowed us to form a precise idea about how wide this attack is and the victims targeted.
Having analyzed the full extent of the operation, as well as some extensive information about the attacked devices and the log files collected, we understood that around 240 users have so far fallen victim to this surveillance campaign.
In addition, due to careful documentation of the campaign by its creators showed we were able to learn that over 97% of its victims are Iranian, consistently aligning with our estimation that this campaign is of Iranian origin.
In addition to the Iranian targets discovered, we also found victims from Afghanistan, Iraq and Great Britain. Interestingly, the log documentation includes the name of the malicious application used to intercept the victims’ data, as well as an Application Code Name field.
This field includes a short description of the app, which leads us to believe that this is a field used by the attackers to instantly recognize the application used by the victim. Observed code names includes ‘Daesh4’ (ISIS4), ‘Military News’, ‘Weapon2’, ‘Poetry Kurdish’.
Below is a visualization of the attacked devices and mobile vendors that were documented in the logs:
Figure 11: A breakdown of attacked devices and mobile vendors.
While the number of victims and their characteristics are detailed above, the number of people affected by this operation is actually much higher. This is due to the fact that the full contact list stored in each victim’s mobile device, including full names and at least one of their phone numbers, was also harvested by the attackers.
In addition, due to phone calls, SMS details, as well as the actual SMS messages, also recorded by the attackers, the private information of thousands of totally unrelated users has also been compromised.
Check Point’s Mobile solutions can protect against this type of attack. For enterprises, read more about Check Point’s Sand Blast Mobile, and for consumers Check Point’s Zone Alarm Mobile, to learn how you can protect your device from malicious and invasive mobile malware.
We wish to thank Dr. Raz Zimmt, an expert on Iran at the Institute for National Security Studies (INSS), for his illuminating insights.
Indicators of Compromise