Rampant Kitten – An Iranian Espionage Campaign

Introduction

Check Point Research unraveled an ongoing surveillance operation by Iranian entities that has been targeting Iranian expats and dissidents for years. While some individual sightings of this attack were previously reported by other researchers and journalists, our investigation allowed us to connect the different campaigns and attribute them to the same attackers.

Among the different attack vectors we found were:

• Four variants of Windows infostealers intended to steal the victim’s personal documents as well as access to their Telegram Desktop and KeePass account information
• Android backdoor that extracts two-factor authentication codes from SMS messages, records the phone’s voice surroundings and more
• Telegram phishing pages, distributed using fake Telegram service accounts

The above tools and methods appear to be mainly used against Iranian minorities, anti-regime organizations and resistance movements such as:

• Association of Families of Camp Ashraf and Liberty Residents (AFALR)
• Azerbaijan National Resistance Organization
• Balochistan people

Table of Contents

• Initial Infection
• Infection Chain
• Payload Analysis
  • Telegram Structure Basics
  • Configuration
  • C&C Communication
  • Persistence
• Infrastructure and Connections
• Android Backdoor
• Telegram Phishing
• Payload Delivery
  • Possible Additional Delivery Vectors
• Attribution
  • Attack Origin
  • Political Targeting
• Conclusion
  
  

Technical Appendix

• PC Backdoor Variants Analysis
  • TelB Variant
  • TelAndExt Variant
  • Python Info-stealer Variant
  • HookInjEx  Variant
• Android Backdoor Analysis
• Indicators of Compromise

Initial Infection

We first encountered a document with the name وحشت_رژیم_از_گسترش_کانونهای_شورشی.docx, which roughly translates to The Regime Fears the Spread of the Revolutionary Cannons.docx. The title of the document was in fact referring to the ongoing struggle between the Iranian regime and the Revolutionary Cannons, a Mujahedin-e Khalq movement.

Mujahedin-e Khalq, or The People’s Mujahedin of Iran, is an anti-regime organization whose aim is to free Iran from its current leadership. In 1986, Mujahedin-e Khalq (MEK) started building their new headquarters, which later became known as Camp Ashraf, near the Iraqi town of Khalis. However, years of political tension in Iraq eventually led to the transfer of the camp’s residents to a new, remote, and unlikely destination: Albania.

The above document leverages the external template technique, allowing it to load a document template from a remote server, which in this case was afalr-sharepoint[.]com.

Figure 1: Remote template

Curious by this website, we set out to discover more about it. At first, we found a handful of tweets from accounts opposing the Iranian regime mentioning a very similar SharePoint site, which the website in the document was likely impersonating:

Figure 2: Tweets mentioning similar website

Figure 3: AFALR’s official website

Infection Chain

After the victim opens the document and the remote template is downloaded, the malicious macro code in the template executes a batch script which tries to download and execute the next stage payload from afalr-sharepoint[.]com:

Figure 4: Infection chain

The payload then checks if Telegram is installed on the infected machine, and if so it proceeds to extract three additional executables from its resources:

• BOBC3953C59DA7870 – Loader, executed by RunDLL, injects the main payload into explorer.exe
• CO9D5A739B85C37C1 – Infostealer payload
• Updater.exe – Modified Telegram updater

Payload Analysis

The main features of the malware include:

• Information Stealer
  • Uploads relevant Telegram files from victim’s computer. These files allow the attackers to make full usage of the victim’s Telegram account
  • Steals information from KeePass application
  • Uploads any file it could find which ends with pre-defined extensions
  • Logs clipboard data and takes desktop screenshots

• Module Downloader
  • Downloads and installs several additional modules.

• Unique Persistence
  • Implements a persistence mechanism based on Telegram’s internal update procedure

Telegram structure basics

First, let us review how Telegram Desktop  organizes its files. The following is an ordinary Telegram file structure which can normally be found at%APPDATA%\Roaming\Telegram Desktop.

Figure 5: Telegram Desktop directory structure

As explained above, several files are dropped to the Telegram working directory during the infection chain. The dropped files are in a directory named 03A4B68E98C17164s, which looks like a file at first glance because of a custom Desktop.ini file, but it is actually a directory.

Figure 6: Infected Telegram Desktop directory

Configuration

One of payload’s resources contains encoded configuration data.

The encoding scheme uses the regular Base64 algorithm but with a custom index table: eBaEFGHOQRS789TUYZdCfPbDIJ+/KLMNwxyzquv0op123VWXghijmnkl45rst6Ac.

Decoding that resource gives us the following configuration:

C&C Communication

The malware uses SOAP for its communication purposes. SOAP is a simple XML-based data structure for web-service communication. The API in SOAP web-services is public and can be observed by accessing the website from a browser:

Figure 7: SOAP API in C&C website

The messages (commands) can be divided into the following categories:

• Authentication:
  • HelloWorld – Authentication message
• Module Downloader:
  • DownloadFileSize – Checks whether a module should be downloaded
  • DownloadFile – Downloads a module from the remote server
• Data Exfiltration:
  • UploadFileExist – Checks whether a specific victim file has been uploaded
  • UploadFile – Uploads a specific victim file

Authentication

The first message for a valid communication tunnel should be HelloWorld, which implements a simple Username/Password authentication. The credentials are hard-coded in the sample, and the SOAP response for that message contains a session ID which must be used for the remainder of the session.

Module Downloader

The program tries fetching updates for its current modules and also download several additional modules.

Some of the additional missing modules that could not be fetched:

• D07C9D5A79B85C331.dll
• EO333A57C7C97CDF1
• EO3A7C3397CDF57C1

Data Exfiltration

The core functionality of the malware is to steal as much information as it can from the target device. The payload targets two main applications: Telegram Desktop and KeePass, the famous password manager.

Once the relevant Telegram Desktop and KeePass files have been uploaded, the malware enumerates any relevant file it can find on the victim’s computer which has one of the following extensions: .txt;.csv;.kdbx;.xls;.xlsx;.ppt;.pptx;. For each such file, the malware then uploads it after encoding the file to base64.

Persistence

The malware uses a unique persistence method which is tied to the Telegram update procedure.

Periodically, it copies the Telegram main executable into Telegram Desktop\tupdates, which triggers an update procedure for the Telegram application once it starts. The hidden trick of the malware’s persistence method is changing the default Telegram updater file – Telegram Desktop\Updater.exe, with one of its dropped payloads (more specifically – CO79B3A985C5C7D30). The most notable changed feature of that updater is running the payload again:

Figure 8: Telegram updater runs the main payload

Infrastructure and Connections

After analyzing the payload we were able to find multiple variants that date back to 2014, indicating that this attack has been in the making for years.

Malware variants developed by the same attackers often have minor differences between them, especially if they are used around the same time frame. In this case however, we noticed that while some of the variants were used simultaneously, they were written in different programming languages, utilized multiple communication protocols and were not always stealing the same kind of information.

In the table below, we list the variants we identified and highlight their unique characteristics. Please refer to the Technical Appendix below, for a deep dive information regarding each variant.

The related samples also revealed more C&C servers, and looking up their passive DNS information and additional metadata led us to similar domains that were operated by the same attackers. As it turns out, some of the domains appeared in malicious Android applications and phishing pages, exposing more layers of this operation:

Figure 9: Maltego graph of the malicious infrastructure

Android Backdoor

During our investigation we also uncovered a malicious Android application tied to the same threat actors. The application masquerades as a service to help Persian speakers in Sweden get their driver’s license.

We have located two different variants of the same application, one which appears to be compiled for testing purposes, and the other is the release version, to be deployed on a target’s device.

Figure 10: Android application’s main interface

This Android backdoor contains the following features:

• Steal existing SMS messages
• Forward two-factor authentication SMS messages to a phone number provided by the attacker-controlled C&C server
• Retrieve personal information like contacts and accounts details
• Initiate a voice recording of the phone’s surroundings
• Perform Google account phishing
• Retrieve device information such as installed applications and running processes

For a deep dive information regarding this application, please refer to the Technical Appendix below.

 Telegram Phishing

The backdoors were not the only way in which the attackers tried to steal information about Telegram accounts. Some of the websites that were related to this malicious activity also hosted phishing pages impersonating Telegram:

Figure 11: Telegram phishing page

What was surprising is that several Iranian Telegram channels have actually sent out warnings against those phishing websites, and claimed that the Iranian regime is behind them.

Figure 12: Translated message warning against phishing attempts

According to the channels, the phishing messages were sent by a Telegram bot. The messages warned their recipient that they were making an improper use of Telegram’s services, and that their account will be blocked if they do not enter the phishing link.

Figure 13: Phishing message content

Another Telegram channel provided screenshots of the phishing attempt showing that the attackers set up an account impersonating the official Telegram one. At first, the attackers sent a message about the features in a new Telegram update to appear legitimate. The phishing message was sent only five days later, and pointed to http://telegramreport[.]me/active (same domain as in figure 11 above).

Figure 14: Phishing message sent from fake Telegram account

Payload Delivery

Although in some cases we were unable to determine how the malicious files reached the victims, we gathered some potential clues about the ways the attackers distributed their malware. For example, accessing mailgoogle[.]info shows that it impersonates ozvdarozv[.]com and promotes a software to increase the number of members in Telegram channels.

Figure 15: mailgoogle[.]info download page

But after clicking on “Download”, a password-protected archive called Ozvdarozv-Windows.rar is downloaded, containing one of the malware variants.

Possible Additional Delivery Vectors

A removed blog entry from 2018 accused a cyber-security expert of plagiarism when he was interviewed by AlArabiya news channel to discuss Iranian cyber-attacks.

We believe this page was created as part of a targeted attack against this person or his associates.

The blog included a link to download a password-protected archive containing evidence of the plagiarism from endupload[.]com.

endupload[.]com is connected to both the PC and the Android operations mentioned above via several passive DNS hops, including a direct connection via historic DNS server information to the domain mailgoogle[.]info we described above. Not only did we not find any instance of it being used in a legitimate context, we also found evidence of the domain being registered by a Persian speaking hacker. (See “attribution” section below)

Figure 16: Removed blog post with link to endupload[.]com

A different blog entry from 2012 discusses a human rights violations report by HRANA, a news agency affiliated with the Iranian Association of Human Rights Activists. Once again, this blog refers to a document that can be downloaded from endupload[.]com:

Figure 17: Blog post with link to endupload[.]com

Unfortunately, we were unable to get our hands on the files both blog entries were referring to, and could not confirm that they were indeed malicious. However, it appears that endupload[.]com has been controlled by the attackers for years, as some of the malicious samples related to this attack and dating back to 2014 communicated with this website.

Attribution

Although we found many files and websites that were used over the years in this attack, they were not attributed to a specific threat group or entity. Nevertheless, some of the fingerprints that the threat actors left in the malicious artifacts allowed us to gain a better understanding of where the attack might be coming from.

Attack Origin

To begin with, the WHOIS information of some of the malicious websites revealed that they were supposedly registered by Iranian individuals:

Figure 18: WHOIS information of endupload[.]com and picfile[.]net

The WHOIS records for endupload[.]com also mentioned an e-mail address, nobody.gu3st@gmail[.]com. Apparently, the website’s registrant was very active online, because looking up the username “nobody.gu3st” led us to many posts in Iranian hacking forums:

Figure 19: Translated post by nobody.gu3st

Political Targeting

The list of targets we observed reflects some of the internal struggles in Iran and the motives behind this attack. The handpicked targets included supporters of Mujahedin-e Khalq and the Azerbaijan National Resistance Organization, two prominent resistance movements that advocate the liberation of Iranian people and minorities within Iran.

Figure 20: Mujahedin-e Khalq and Azerbaijan National Resistance Organization logos

The conflict of ideologies between those movements and the Iranian authorities makes them a natural target for such an attack, as they align with the political targeting of the regime.

In addition, the backdoor’s functionality and the emphasis on stealing sensitive documents and accessing KeePass and Telegram accounts shows that the attackers were interested in collecting intelligence about those victims, and learning more about their activities.

Conclusion

Following the tracks of this attack revealed a large-scale operation that has largely managed to remain under the radar for at least six years. According to the evidence we gathered, the threat actors, who appear to be operating from Iran, take advantage of multiple attack vectors to spy on their victims, attacking victims’ personal computers and mobile devices.

Since most of the targets we identified are Iranians, it appears that similarly to other attacks attributed to the Islamic Republic, this might be yet another case in which Iranian threat actors are collecting intelligence on potential opponents to the regiment.

SandBlast Mobile provides real-time threat intelligence and visibility into mobile threats, protecting from malware, phishing, Man-in-the-Middle attacks, OS exploits, and more.

Check Point’s anti-phishing solutions include products that address all of the attack vectors from which phishing attacks come – email, mobile, endpoint and network. 

Technical Appendix

PC Backdoor Variants Analysis

TelB Variant

“TelB” is the latest variant we encountered, and its analysis shown above. We named it as such because of the next debug string: D:\Aslan\Delphi\TelB\BMainWork\SynCryptoEN.pas.

TelAndExt Variant

This variant is probably the older version of “TelB”, and has been active mostly during 2019 and 2020. It shares the following properties and techniques with the newer versions:

• Developed in Delphi
• Shares a great amount of code with the “TelB” variant
• Focuses on the Telegram Desktop application
• Similar persistence and update methods
• Uses FTP instead of SOAP for data exfiltration

We named this variant “TelAndExt” because of the next debug string: D:\Aslan\Delphi\TelAndExt\TelegramUpdater\SynCryptoEN.pas

Python Info-stealer Variant Analysis

We discovered several samples which use the following methods:

• Two-layer SFX (self-extracted archive) which extract several .bat/.vbs/.nfs/.conf files.
• Persistence method by copying the executable (ends with .nfs) to
  %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\audio-driver.exe
• Executable name is speaker-audio.exe or keyboard-EN.exe, depending on the sample.
• The executable was created with Pyinstaller.
• Downloads a second-stage payload under the name of net-update.exe
• Before being uploaded, the data is encrypted using library pyAesCrypt with a hard-coded password.

Info stealing

According to our analysis, the script communicates with an FTP server using hard-coded credentials, and steals the following data:

• Telegram Desktop application related files.
• Paltalk NG application related files.
• Chrome, Firefox and Edge related data.
• Any file which ends with extensions listed in a given configuration. If no configuration is given, it searches for files with the following extensions: .txt;.docx;.doc;.exe;.jpg;.html;.zip;.pdf

Operation

During our investigation, we saw several Python info-stealers that communicate with the same FTP server, but store the stolen information in different pages under different aliases.

We suspect this is how the malware authors operate:

• Choose a target, and create a designated folder in the FTP server for them.
• Build a sample customized for the target, with a unique AES key and FTP credentials for information uploading.
• Deliver the weaponized executable via one of the infection chain vectors.

Second-stage Payload – HookInjEx

One of its core functionalities is fetching a second-stage payload. If the designated FTP folder contains a file named net-update.exe, then it downloads and executes it.

We analyzed few of those net-update.exe samples and found a complete overlap with the “HookInjEx” variant below, making it a targeted advanced payload.  

HookInjEx Variant

This variant has been in use since 2014, and has 32-bit and 64-bit versions. Over time, the variant evolved and added some features while also changed the names of the different components in its infection chain.

Infection Chain

We found two main types of infection chains:

1. SFX (self-extracting archive) which contains all the components. It drops all of them into a folder and then executes the main loader – DrvUpdt.exe (ehtmlh.exe in older versions).
2. Fake SCR file that is functioning as an executable. In order to look like a legitimate SCR file, the loader contains a decoy – a JPEG/PPTX/DOC file as a resource (Resource_1), which is loaded upon running.

The SCR file also drops other payloads as its resources, and runs the main loader with the command line:

cmd.exe /C choice /C Y /N /D Y /T 3 & "%APPDATA%\\Microsoft\\Windows\\Device\\DrvUpdt.exe" -pSDF32fsj8979_)$

Figure 21: Malicious SCR opens decoy JPG resource

Hooking and Injection

The main loader uses the hooking and injection method called “HookInjEx”. That method maps a DLL into explorer.exe, where it subclasses the Start button. In our case, the loaded DLL is DrvUpdtd.dll (dhtmlh.dll in older versions).

In newer versions, the malware also hooks the Start button in other languages as well. The existence of different languages probably shows that it has victims from countries all around the world. The different translations are:

Start - English
başlat - Turkish
開始 - Chinese
Sākt - Latvian
ابدأ - Arabic
Iniciar - Spanish
Käynnistä - Finish
התחל - Hebrew
スタート - Japanese
Štart - Slovakian
Pradėti - Lithuanian
Pokreni - Bosnian
เริ่ม - Thai
Έναρξη - Greece
Démarrer - French
Старт - Bulgarian
Запустити - Ukrainian
시작 - Korean

Configuration

The malware receives its configuration from a file named Devinf.asd (in older versions it was named file2.asd). The configuration is decrypted and written into a new file named Drvcnf.asd (in older version it named file3.asd). The encryption method is:

def decode(content):

    dec_array = [0, 1, 2, 3, 4, 5, 6, 7, 8, 0xe, 0xf, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a,0x1b, 0x1c, 0x1d, 0x1e, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39,0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44]
    output_str = ''
    known_values = [9, 10, 13, 32]
    for j in range(len(content)):
        int_cur_content = ord(content[j])
        cur_byte = 0
        for i in range(62):
            if int_cur_content == dec_array[i]:
                if i < 26:
                    cur_byte = i + 0x61
                elif 26 <= i < 52:
                    cur_byte = i + 0x27
                elif 52 <= i < 62:
                    cur_byte = i - 0x4
                output_str += (chr(cur_byte))
                break
        if cur_byte == 0:
            if int_cur_content in known_values:
                cur_byte = int_cur_content
            elif int_cur_content - 0x61 <= 0xe:
                cur_byte = int_cur_content - 0x40
            elif int_cur_content - 0x70 <= 0x6:
                cur_byte = int_cur_content - 0x36
            elif int_cur_content - 0x77 <= 0x5:
                cur_byte = int_cur_content - 0x1c
            elif int_cur_content - 0x53 <= 0x3:
                cur_byte = int_cur_content + 0x28
            output_str += (chr(cur_byte))
    return output_str

After the configuration is decrypted, the malware parses the values and puts them in global variables.

<Reg></Reg> - Registry key for persistence
<Pre></Pre> - pre value for info files to send
<Pas></Pas> - extensions for info files to send
<Path_Log></Path_Log> - log path direcory
<L_s></L_s> - minimum size for file to send
<S_n></S_n> - FTP domain
<F_k></F_k> - FTP User value
<F_R></F_R> - FTP Password value
<Ver></Ver> - version
<U_u2></U_u2> - Downloads updates URL
<U_u1></U_u1> -  Downloads updates URL
<F_f></F_f> - Directory in ftp connection.
<U_t></U_t> - timer_1
<S_t></S_t> - timer_2
<S_q></S_q> - timer_3
<U_u3></U_u3> - Downloads updates URL
<El></El> - value for encryption method to files
<Ez></Ez> - value for encryption method to files
<F_n></F_n> - Fake name
<E_dt></E_dt>
<E_dy></E_dy>
<Snd_P></Snd_P> - Value to choose name template for info files to send.
<Mlt></Mlt> - flag for exeucting again from different place.
<Ws1></Ws1> - WHOIS first URL
<Ws2></Ws2> - WHOIS second URL
<Ws3></Ws3> - WHOIS third URL
<S_li></S_li>
<RTL></RTL>
<SHttpR></SHttpR> - value to download using computer-name and username
<OPP></OPP> - Opera gather data flag
<FIP></FIP> - Firefox gather data flag
<CHP></CHP> - Chrome gather data flag
<WHP></WHP> - WHOIS flag
<TRP></TRP> - tracert flag
<FRC></FRC> - number of tries
<Clipfp></Clipfp> - clipboard data flag of CF_HDROP (CLB-f.jpg)
<Cliptp></Cliptp> - clipboard data flag of text, unicode, oemtext and locale (clb-t.jpg)
<Clipip></Clipip> - clipboard data flag of bitmap and dib (clb-p.jpg)

Persistence

The malware sets the registry key which is in the <Reg> value of the configuration file (which is almost always the key RunOnce) to the following values – it sets the name to SunJavaHtml or DevNicJava and the value is DrvUpdt.exe 11. That way the malware knows it was already executed.

In older versions, the malware used to drop a file named either rreegg.exe or Capdev.exe, which was added to RunOnce, and in turn executed DrvUpdt.exe 11

Info stealing

Main feature of the malware is stealing information from the victim’s computer and send it to the C2 using FTP.

The malware steals different types of data:

• Opera/Chrome/Firefox login data.
• Firefox information: profiles, keys and db files.
• The output of tracert www.google.com
• WHOIS information (based on the <Ws1> value).
• Screenshots and title of the foreground window.
• Waveform-audio recording for a minute.
• Files from removable drivers. The types of files are based on the <cpy> tags in the file Devufl1.tmp (winufl1.tmp in older versions). In some versions, that logic was implemented in a file named uflscan.exe.
  Interestingly, if driver’s name is one of the following: A65RT52WE3F, 09353536557 or transcend20276, the malware ends the thread. We believe it to be a debug code (Fig. X) that stayed and its purpose is to prevent the malware from gathering files from the author’s computers.
• Files from other drives based on the <cpy> tags in the file Devufl2.tmp (winufl2.tmp in older versions ).
• Keylogging and clipboard data from various formats – drag and drop/ CF_HDROP, CF_TEXT,  CF_TEXT, CF_UNICODETEXT,  virtual key codes, CF_OEMTEXT, CF_LOCALE, CF_BITMAP and CF_DIB.
• Capture using webcam (tcwin.exe in older versions).
• Since 2018 – Telegram Desktop data.

Figure 22: Debug code with hardcoded removable drivers

C2 communication

This variant uploads files to its C2 domain using the FTP protocol. The FTP domain is placed in the configuration file inside the <S_n> tag.

The connection starts with authentication using the password and username from the configuration file.

The malware then creates a directory according to the <F_f> tag and a subdirectory inside it with the user id it generated before. The user id is generated from the network adapter’s info that was written into the file Mcdata.dat (PAdata.dat In older versions).

After that, the connection continues with TYPE I and PASV commands before storing the files with the STOR command.

The variant also contacts other domains to update its different components. The domains are placed in the configuration file inside <U_U1>, <U_U2> and <U_U3> tags. The files are downloaded using URLDownloadToFileW from the given URLs, the user_id is included in the URLs.

String Obfuscation

In newer versions (since 2018), the strings are encrypted with the following script:

buf_1 = 'qweyuip[];lkjhgdszcm,.><MNBVCXZ|ASDFGHJK:}{POIUYTREWQ123456789-=+_)(*&^%$#@!'
buf_2 = '!#$%&()*+,-.123456789:;<=>@ABCDEFGHIJKMNOPQRSTUVWXYZ[]^_cdeghijklmpqsuwyz{|}'
input_str = "" # The encrypted string
output_str = ''

for i in range(len(input_str)):
      cur_byte = input_str[i]
      place = buf_2.find(cur_byte)
      if place == -1:
            output_str += cur_byte
            continue
      new_byte = buf_1[place]
      output_str += new_byte
print(output_str)

Android Backdoor Analysis

The first activity is MainActivity, which is responsible for presenting the user with the decoy content and requesting permissions to perform privileged activity. It also starts a background service called MainService, and launches the second MainActivityFake (GmailActivity) when the server sends a command to do so.

Figure 23: User is requested to allow a set of permissions

Data Collection

Once the GmailActivity launches the MainService, it in turn is responsible for the following tasks: Timer registration, configuration monitoring, showing fake notification (described below) and sensitive data collection.

During this initial data collection process, the following information is read and prepared:

• Installed applications list
• Accounts information
• SMS messages
• Contacts information

The rest of the information is collected on demand, once a command is received from a C&C server:

• Voice recording – A 30 seconds recording by default.
• Google credentials – The server triggers an authentication phishing attempt.

Google Credentials Theft

Upon receiving the proper command from the C&C server, a Google login page will be displayed to the victim, by activating the MainActivityFake (GmailActivity).

Figure 24: Google login page

At this point the user is presented with a legitimate accounts.google.com login page, inside Android’s WebView. In order to steal the typed-in credentials, Android’s JavascriptInterface is used, alongside a timer which periodically retrieves the information from the username and password input fields.

Figure 25: Periodic retrieval of Google account credentials

“Google protect is enabled”

As we previously mentioned, one of its core functionalities is to turn on the microphone and record the surroundings. In order to achieve this goal in a real-time manner, the application needs to have its service running in the background.

Any Android application that wants to perform such action, is required to post an ongoing notification to the user, which will alert the user of the uninitiated activity on the device. In order to circumvent this issue, the malware developers chose to display the user with a fake notification of “Google protect is enabled“.

Figure 26: Applications displays a fake notification

The result is an always-on decoy notification masquerading as “Google protect”.

Figure 27: Fake Google Protect notification

C&C Communication

The malware uses regular HTTP to communicate with the C&C servers. It sends the initial request to alarabiye[.]net, and proceeds to communicate with gradleservice[.]info in order to get configuration, commands and status updates.

In order to upload all the sensitive information, the malware uses FTPS with hard-coded credentials.

Figure 28: FTPS connection routine

In addition, the sensitive files are encrypted using the AES algorithm, with a pre-configured passphrase before being uploaded to the FTP server,

Figure 29: AES encryption routine

Two Factor Exfiltration by SMS

One of the unique functionalities in this malicious application is forwarding any SMS starting with the prefix G- (The prefix of Google two-factor authentication codes), to a phone number that it receives from the C&C server.

Furthermore, all incoming SMS messages from Telegram, and other social network apps, are also automatically sent to the attackers phone number.

Work in Progress

During our analysis, it was often obvious that this malicious application was still being actively developed, with various assets and functions which were either leftovers of previous operations, or not yet utilized.

One of the unused phishing assets even contains a pre-entered username, possibly a target in a previous operation conducted by the attackers.

Figure 30: Unused phishing HTML assets

Figure 31: Unused location tracking code

Indicators of Compromise

Phishing

telegramreport[.]me 

telegramco[.]org

telegrambots[.]me

mailgoogle.info

Android

C&C servers

gradleservice[.]info

alarabiye[.]net

Files

PC variants

TelB Variant

C&C servers

afalr-sharepoint[.]com

afalr-onedrive[.]com

Backdoor

Artifacts

TelAndExt Variant

C&C servers

exemplifiable-taps.000webhostapp[.]com

telegramup[.]com

148.251.97[.]102

Backdoors

Artifacts

Python Variant

C&C servers

tbackup.000webhostapp[.]com

vareangold[.]de

telegrambackups[.]com

telegramdesktop[.]com

picfile[.]net

Backdoors

Artifacts

HookInjEx Variant

C&C servers

tbackup.000webhostapp[.]com

developerchrome[.]com

firefox-addons[.]com

picfile[.]net

cpuconfig[.]com

update-help[.]com

winchecking[.]com

endupload[.]com

176.31.4[.]14

148.251.224[.]29

144.76.177[.]244

137.74.153[.]98

Backdoor

Artifacts