Check Point researchers reveal a surveillance operation by Iran-based threat actors targeting regime dissidents

Check Point security researchers have uncovered a surveillance operation that has run uninterrupted for six years, led by Iran-based threat actors and aimed at dissidents of the Iranian regime.

Since 2014, the attackers have used several attack vectors to spy on their victims: hijacking victims' Telegram accounts, extracting two-factor authentication codes from SMS messages, recording a phone's audio surroundings, accessing KeePass password manager data, and distributing phishing pages that impersonate Telegram from fake accounts.

Those affected appear to have been hand-picked from anti-regime organizations and resistance movements such as Mujahedin-e Khalq and the Azerbaijan National Resistance Organization, which advocate the liberation of Iranian people and minorities within Iran, as well as from citizens of Balochistan.

The attackers used malware-laced documents to trick victims into infecting their devices. The malware's main purpose is to steal as much information as it can from the target device. The payload targets two main applications: Telegram Desktop and KeePass, the well-known password manager. The main features of the malware include:

During their research, Check Point researchers also discovered a malicious Android app connected to the same threat actors. The app poses as a service that helps Persian speakers in Sweden obtain their driver's licenses. This Android backdoor has the following features:

Some of the websites connected to the malicious activity also hosted phishing pages that impersonated Telegram. Surprisingly, several Iranian Telegram channels issued warnings against these phishing sites, claiming that the Iranian regime was behind them. According to the channels, the phishing messages were sent via a Telegram bot.


The messages warned the recipient that they were misusing Telegram and that their account would be blocked if they did not follow the phishing link. Another Telegram channel provided screenshots of the phishing attempt, which showed that the attackers had created an account posing as the official Telegram account. First, the attackers sent a message about the features of a new Telegram update to make the account look legitimate. The phishing message was not sent until five days later and pointed to a malicious domain.

A blog post from 2018, since deleted, accused a cybersecurity expert of plagiarism after he was interviewed by AlArabiya News about Iranian cyberattacks. Researchers believe this page was created as part of an attack targeting this person or his associates.

The blog post included a link to download a password-protected file containing "evidence" of the plagiarism, hosted on endupload[.]com. It turns out that endupload[.]com has been controlled by the attackers for years, as some of the malicious samples connected to the 2014 attack contacted this site.

Lotem Finkelsteen, Director of Threat Intelligence at Check Point, said: “After completing our investigation, several things were highlighted. First, the focus is on instant messaging surveillance. Although Telegram is not decryptable, it is obviously deviable. Instant messaging monitoring, especially on Telegram, is something everyone is careful about and aware of.”

“Second, phishing attacks on mobile devices, PCs and the Internet were all connected to the same operation. These operations are controlled according to national intelligence and interests, as well as technological challenges. We will continue to monitor other geographies around the world to better teach the public about cybersecurity.”
