Malware Made for Iranians: New Malware 'Corrupt Kitten' Used to Spy on Iranians

At a time when so many enemies are waging soft war against innocent Iranians under many pretexts, Iranians expect the government of the Islamic Republic to protect them. An investigation by the Iranian Cyber News Agency, carried out in collaboration with a source, has reached the shocking conclusion that instead of protecting citizens, the Iranian government or military is actively using advanced malware to spy on and attack them.

The Iran Cyber News Agency investigation has uncovered further evidence of malware attacks against Iranian citizens. Most importantly, it appears that the Iranian government itself could be responsible for these attacks against its own people. ICNA's source, a member of a prominent hacktivist group who did not want to be named, was able to access a server hosting the malware's control panel. This informed source said the malware has 'advanced capability, it is widespread and very intrusive'. Once installed on a victim's device it can access their contacts, files and photos, browser history, SMS messages, recorded audio and location. The malware's capabilities are not limited to stealing data, however: it also gives the attacker the ability to take control of the victim's device.

Stolen Photo of a Bank Transfer

ICNA was given samples to substantiate these claims, and concluded that the sophistication of the malware means only a government or military could have created it. At the same time, the log files collected prove that it was operated from inside Iran.

The targets of the attacks appear to be Iranian, as shown by this photo, found in the stolen data, of the passport of an individual born in Iran.

Stolen photo of passport of a person born in Iran

This is the latest in a series of Iranian Android malware exposures, including those previously reported by ICNA. The source has named this campaign Corrupt Kitten, following the naming style set by other malware researchers, like those reported on previously.

The attackers can access device and software information and list every app the victim has installed on the phone. They can upload browser history, giving them the ability to see every website the victim visits and to study their habits and interests. They can live-stream any activity on the phone to the attacker. They can also list stored contacts, giving them contact details for the victim's friends, family and business associates.

The malware lets the attacker retrieve the list of received, missed and outgoing calls on the victim's device. They can even record calls made or received on the victim's phone. SMS content seen included messages about hospital appointments and treatments, good or bad relationships with family members, travel dates and locations (telling the attackers when the victim would be away from home), discussion of political meetings, visa applications and allegiance to various groups.

Most interestingly, and possibly of greatest concern to the victims of this attack, the attackers can also send an SMS message from the victim's phone. This gives the attacker the ability to impersonate the victim and send malicious messages in their name, or to trick someone else into doing something because they believe the message came from the actual owner of the device. They could even attach private images from the victim's photos and send them to contacts. This could easily be used to blackmail the victim or destroy their reputation.

Iranian telephone numbers with recorded calls

Files are also fully accessible: attackers can upload any file from a victim's device to their servers and gain complete access to its content. This gives them access to images and audio sent through apps such as WhatsApp, Telegram, Viber and Facebook. Although these apps encrypt messages in transit, the media remain accessible to the attacker because they are not encrypted once saved on the device. It is also worrying that they can download files onto the victim's device and delete files, which could be used to plant fake incriminating evidence or to delete important user data.

Telegram screenshot stolen from victims

WhatsApp screenshot stolen from victims

The attackers can use the malware to learn the device's connectivity state, that is, whether it is connected to the internet over GSM or Wi-Fi. This information helps them decide when they can transfer large files off the device. The attackers can also see the device's location, either from the cell tower it is connected to or from much more accurate GPS coordinates. By monitoring this location information the attacker can follow the victim's movements and predict regular journeys, tracking where an individual is at every moment. They can also toggle Bluetooth, mobile data and Wi-Fi on and off, so they have the ability to disrupt the victim by cutting them off from the internet at a sensitive time.

Most intrusively, the attackers can determine whether the screen is currently on or off, so they know when the victim is not actively using the device. At such times they can spy on what the victim is doing in the physical world by taking a picture with the device camera or by sending the command to activate the microphone and record sound. They can also use the camera to record video of the device's surroundings.

The level of technical capability is so advanced that only a government or military could be responsible. On this basis, it is likely that the victims seen are only a small fraction of the total, and it is unknown how many other Iranian, or other, victims there are. An attack at this level could easily mean a victim's entire life being taken over or destroyed. It represents one of the biggest violations of the privacy of Iranian citizens yet seen, and it may be the start of even worse crimes.

With the permission of our source ICNA will release the technical details of this malware in the next week.
