Open Source Research Company Claims Iranian Government Targets Iranian Citizens with Malwareware
Open source research company Check Point Research claims that what it called Iranian government entities target Iranian citizens with malware in a campaign that began in 2016.
Check Points investigation revealed fake apps loaded with malware, which appeared to be targeted at Kurdish and Turkish people and ISIS supporters. Check Point provided two examples. First example is an ISIS themed app, which allows users to set ISIS themed wallpaper. Second example was a copy of ANF News agency website, ANF is a popular Kurdish news source.
When user downloads these apps it would collect information on the victims device including:
- SMS/MMS messages
- Phone records
- Contacts
- Browser history
- External storage
- Application list
- Clipboard content
- Geo-location and camera photos
- Surrounding voice recordings
The data is then exfiltrated to C&C servers using HTTP POST requests. The victim recieves a unique device UUID which appears at the beginning of each log that is sent back to the attacker, and the filename of each log is on the same pattern: UUID_LogDate_LogTime.log. When a log is created for a victim, some basic informaiton is then collected and documented before logging of phone call details.
One of the apps also contacted firmwaresystemupdate[.]com a newly registered website that was initially seen to resovle to an Iranian IP address but was latewr switched toa Russian IP. hte remaining apps cntacted hardcoded IL addresses, which had been base64 encoded and XORed in the app surce code, in an attempt to hide them. The IPs resovled to a series of newly registereddomains, which followed similar naming conventions:
- Stevenwentz[.]com
- Ronaldlubbers[.]com
- Georgethompson[.]space
Check Point claimed from analysis of log data that although theme of the apps was Kurdish or ISIS 97% of the targets were Iranian nationals. They inferred that the Iranian government was probably behind the attacks because of Iranian government’s interest to these groups and becuase Iranian IP was used in the attack infrastrucutre.
Of course Iranians are always careful when they are online because always government is active in censorship and control but this makes us remember that especially online things migh not be what they seem and the Iranian government is happy to use things that are exactly against it to try to catch people who protest or oppose it.