1/51
September 18, 2020
Rampant Kitten – An Iranian Espionage Campaign
research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
September 18, 2020
Introduction
Check Point Research unraveled an ongoing surveillance operation by Iranian entities that
has been targeting Iranian expats and dissidents for years. While some individual sightings
of this attack were previously reported by other researchers and journalists, our investigation
allowed us to connect the different campaigns and attribute them to the same attackers.
Among the different attack vectors we found were:
Four variants of Windows infostealers intended to steal the victim’s personal
documents as well as access to their Telegram Desktop and KeePass account
information
Android backdoor that extracts two-factor authentication codes from SMS messages,
records the phone’s voice surroundings and more
Telegram phishing pages, distributed using fake Telegram service accounts
The above tools and methods appear to be mainly used against Iranian minorities,
anti-regime organizations and resistance movements such as:
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
2/51
Association of Families of Camp Ashraf and Liberty Residents (AFALR)
Azerbaijan National Resistance Organization
Balochistan people
Table of Contents
Technical Appendix
Initial Infection
We first encountered a document with the name ای_شورشیوحشت_رژيم_از_گسترش_کانو.docx ,
which roughly translates to The Regime Fears the Spread of the Revolutionary
Cannons.docx . The title of the document was in fact referring to the ongoing struggle
between the Iranian regime and the Revolutionary Cannons, a Mujahedin-e Khalq
movement.
Mujahedin-e Khalq, or The People’s Mujahedin of Iran, is an anti-regime organization whose
aim is to free Iran from its current leadership. In 1986, Mujahedin-e Khalq (MEK) started
building their new headquarters, which later became known as Camp Ashraf, near the Iraqi
town of Khalis. However, years of political tension in Iraq eventually led to the transfer of the
camp’s residents to a new, remote, and unlikely destination: Albania.
The above document leverages the external template technique, allowing it to load a
document template from a remote server, which in this case was afalr-
sharepoint[.]com .
Figure 1: Remote template
Curious by this website, we set out to discover more about it. At first, we found a handful of
tweets from accounts opposing the Iranian regime mentioning a very similar SharePoint site,
which the website in the document was likely impersonating:
3/51
Figure 2: Tweets mentioning similar website
Figure 3: AFALR’s official website
Infection Chain
After the victim opens the document and the remote template is downloaded, the malicious
macro code in the template executes a batch script which tries to download and execute the
next stage payload from afalr-sharepoint[.]com :
4/51
Figure 4: Infection chain
The payload then checks if Telegram is installed on the infected machine, and if so it
proceeds to extract three additional executables from its resources:
BOBC3953C59DA7870 – Loader, executed by RunDLL , injects the main payload into
explorer.exe
CO9D5A739B85C37C1 – Infostealer payload
Updater.exe – Modified Telegram updater
Payload Analysis
The main features of the malware include:
Information Stealer
Uploads relevant Telegram files from victim’s computer. These files allow the
attackers to make full usage of the victim’s Telegram account
Steals information from KeePass application
Uploads any file it could find which ends with pre-defined extensions
Logs clipboard data and takes desktop screenshots
Module Downloader
Downloads and installs several additional modules.
Unique Persistence
Implements a persistence mechanism based on Telegram’s internal update
procedure
5/51
Telegram structure basics
First, let us review how Telegram Desktop organizes its files. The following is an ordinary
Telegram file structure which can normally be found at %APPDATA%\Roaming\Telegram
Desktop .
Figure 5: Telegram Desktop directory structure
As explained above, several files are dropped to the Telegram working directory during the
infection chain. The dropped files are in a directory named 03A4B68E98C17164s , which
looks like a file at first glance because of a custom Desktop.ini file, but it is actually a
directory.
Figure 6: Infected Telegram Desktop directory
Configuration
One of payload’s resources contains encoded configuration data.
The encoding scheme uses the regular Base64 algorithm but with a custom index table:
eBaEFGHOQRS789TUYZdCfPbDIJ+/KLMNwxyzquv0op123VWXghijmnkl45rst6Ac .
Decoding that resource gives us the following configuration:
6/51
Key Value
AES
encryption
key
[email protected]@5!!
File suffixes .txt;.csv;.kdbx;.xls;.xlsx;.ppt;.pptx;
SOAP
username
9BEF4B32-0D40-4A92-9E35-6094B8AA8B58
SOAP
password
D5F69342-A3CC-438F-B3B6-5E7BF6B6E327
Main C&C hxxps://www.afalr-sharepoint[.]com/B6D9E741-DFE3-4470-9174-
C95FB2B958AD/TelBService.asmx
Backup C&C hxxps://www.afalr-onedrive[.]com/B6D9E741-DFE3-4470-9174-
C95FB2B958AD/TelBService.asmx
C&C Communication
The malware uses SOAP for its communication purposes. SOAP is a simple XML-based
data structure for web-service communication. The API in SOAP web-services is public and
can be observed by accessing the website from a browser:
https://research.checkpoint.com/cdn-cgi/l/email-protection
7/51
Figure 7: SOAP API in C&C website
The messages (commands) can be divided into the following categories:
Authentication:
HelloWorld – Authentication message
Module Downloader:
DownloadFileSize – Checks whether a module should be downloaded
DownloadFile – Downloads a module from the remote server
Data Exfiltration:
UploadFileExist – Checks whether a specific victim file has been uploaded
UploadFile – Uploads a specific victim file
Authentication
The first message for a valid communication tunnel should be HelloWorld , which
implements a simple Username/Password authentication. The credentials are hard-coded in
the sample, and the SOAP response for that message contains a session ID which must be
used for the remainder of the session.
Module Downloader
The program tries fetching updates for its current modules and also download several
additional modules.
Some of the additional missing modules that could not be fetched:
D07C9D5A79B85C331.dll
EO333A57C7C97CDF1
EO3A7C3397CDF57C1
Data Exfiltration
The core functionality of the malware is to steal as much information as it can from the target
device. The payload targets two main applications: Telegram Desktop and KeePass, the
famous password manager.
Once the relevant Telegram Desktop and KeePass files have been uploaded, the malware
enumerates any relevant file it can find on the victim’s computer which has one of the
following extensions: .txt;.csv;.kdbx;.xls;.xlsx;.ppt;.pptx; . For each such file,
the malware then uploads it after encoding the file to base64.
Persistence
The malware uses a unique persistence method which is tied to the Telegram update
procedure.
8/51
Periodically, it copies the Telegram main executable into Telegram Desktop\tupdates ,
which triggers an update procedure for the Telegram application once it starts. The hidden
trick of the malware’s persistence method is changing the default Telegram updater file –
Telegram Desktop\Updater.exe , with one of its dropped payloads (more specifically –
CO79B3A985C5C7D30 ). The most notable changed feature of that updater is running the
payload again:
Figure 8: Telegram updater runs the main payload
Infrastructure and Connections
After analyzing the payload we were able to find multiple variants that date back to 2014,
indicating that this attack has been in the making for years.
Malware variants developed by the same attackers often have minor differences between
them, especially if they are used around the same time frame. In this case however, we
noticed that while some of the variants were used simultaneously, they were written in
different programming languages, utilized multiple communication protocols and were not
always stealing the same kind of information.
In the table below, we list the variants we identified and highlight their unique characteristics.
Please refer to the Technical Appendix below, for a deep dive information regarding each
variant.
Name Artifacts Dates Malicious
Activity
Properties
TelB
Variant
KeePassOnlineCreator.exe
BOBC3953C59DA7870
CO9D5A739B85C37C1
CO79B3A985C5C7D30
D07C9D5A79B85C331.dll
EO333A57C7C97CDF1
EO3A7C3397CDF57C1
June
2020 –
July 2020
Telegram-
focused
infostealer
SOAP.
Delphi 64bit
payload.
Persistence
through
Telegram
updater.
9/51
TelAndExt
Variant
TelegramUpdater.exe
TelegramUpdater2.exe
TelegramUpdater3.exe
TelegramUpdater.dll Updater.exe
May 2019
–
February
2020
Telegram-
focused
infostealer
FTP .
Delphi 32bit
payload.
Persistence
through
Telegram
updater.
Python
Info
Stealer
keyboard-EN.exe
speaker-audio.exe
audio-driver.exe
February
2018 –
January
2020
Focused on
– Telegram,
Chrome,
Firefox,
Edge,
Paltalk NG
Data
Exfiltration
via FTP
FTP.
Python
(Pyinstaller)
HookInjEx
Variant
DrvUpdt.exe / ehtmlh.exe
DrvUpdtd.dll / dhtmlh.dll
CapDev.exe / rregg.exe
uflScan.exe
December
2014 –
May 2020
Infostealer
(Browsers,
audio,
keylogging
and
clipboard)
FTP. C++
The related samples also revealed more C&C servers, and looking up their passive DNS
information and additional metadata led us to similar domains that were operated by the
same attackers. As it turns out, some of the domains appeared in malicious Android
applications and phishing pages, exposing more layers of this operation:
Figure 9: Maltego graph of the malicious infrastructure
10/51
Android Backdoor
During our investigation we also uncovered a malicious Android application tied to the same
threat actors. The application masquerades as a service to help Persian speakers in Sweden
get their driver’s license.
We have located two different variants of the same application, one which appears to be
compiled for testing purposes, and the other is the release version, to be deployed on a
target’s device.
Figure 10: Android application’s main interface
This Android backdoor contains the following features:
Steal existing SMS messages
Forward two-factor authentication SMS messages to a phone number provided by the
attacker-controlled C&C server
Retrieve personal information like contacts and accounts details
Initiate a voice recording of the phone’s surroundings
11/51
Perform Google account phishing
Retrieve device information such as installed applications and running processes
For a deep dive information regarding this application, please refer to the Technical Appendix
below.
Telegram Phishing
The backdoors were not the only way in which the attackers tried to steal information about
Telegram accounts. Some of the websites that were related to this malicious activity also
hosted phishing pages impersonating Telegram:
Figure 11: Telegram phishing page
12/51
What was surprising is that several Iranian Telegram channels have actually sent out
warnings against those phishing websites, and claimed that the Iranian regime is behind
them.
Figure 12: Translated message warning against phishing attempts
According to the channels, the phishing messages were sent by a Telegram bot. The
messages warned their recipient that they were making an improper use of Telegram’s
services, and that their account will be blocked if they do not enter the phishing link.
Figure 13: Phishing message content
13/51
Another Telegram channel provided screenshots of the phishing attempt showing that the
attackers set up an account impersonating the official Telegram one. At first, the attackers
sent a message about the features in a new Telegram update to appear legitimate. The
phishing message was sent only five days later, and pointed to
https://telegramreport[.]me/active (same domain as in figure 11 above).
Figure 14: Phishing message sent from fake Telegram account
Payload Delivery
Although in some cases we were unable to determine how the malicious files reached the
victims, we gathered some potential clues about the ways the attackers distributed their
malware. For example, accessing mailgoogle[.]info shows that it impersonates
ozvdarozv[.]com and promotes a software to increase the number of members in
Telegram channels.
14/51
Figure 15: mailgoogle[.]info download page
But after clicking on “Download”, a password-protected archive called Ozvdarozv-
Windows.rar is downloaded, containing one of the malware variants.
Possible Additional Delivery Vectors
A removed blog entry from 2018 accused a cyber-security expert of plagiarism when he was
interviewed by AlArabiya news channel to discuss Iranian cyber-attacks.
We believe this page was created as part of a targeted attack against this person or his
associates.
The blog included a link to download a password-protected archive containing evidence of
the plagiarism from endupload[.]com .
endupload[.]com is connected to both the PC and the Android operations mentioned
above via several passive DNS hops, including a direct connection via historic DNS server
information to the domain mailgoogle[.]info we described above. Not only did we not
find any instance of it being used in a legitimate context, we also found evidence of the
domain being registered by a Persian speaking hacker. (See “attribution” section below)
15/51
Figure 16: Removed blog post with link to endupload[.]com
A different blog entry from 2012 discusses a human rights violations report by HRANA, a
news agency affiliated with the Iranian Association of Human Rights Activists. Once again,
this blog refers to a document that can be downloaded from endupload[.]com :
16/51
Figure 17: Blog post with link to endupload[.]com
Unfortunately, we were unable to get our hands on the files both blog entries were referring
to, and could not confirm that they were indeed malicious. However, it appears that
endupload[.]com has been controlled by the attackers for years, as some of the malicious
samples related to this attack and dating back to 2014 communicated with this website.
Attribution
Although we found many files and websites that were used over the years in this attack, they
were not attributed to a specific threat group or entity. Nevertheless, some of the fingerprints
that the threat actors left in the malicious artifacts allowed us to gain a better understanding
of where the attack might be coming from.
Attack Origin
To begin with, the WHOIS information of some of the malicious websites revealed that they
were supposedly registered by Iranian individuals:
17/51
Figure 18: WHOIS information of endupload[.]com and picfile[.]net
The WHOIS records for endupload[.]com also mentioned an e-mail address,
[email protected][.]com . Apparently, the website’s registrant was very active online,
because looking up the username “nobody.gu3st” led us to many posts in Iranian hacking
forums:
Figure 19: Translated post by nobody.gu3st
Political Targeting
The list of targets we observed reflects some of the internal struggles in Iran and the motives
behind this attack. The handpicked targets included supporters of Mujahedin-e Khalq and the
Azerbaijan National Resistance Organization, two prominent resistance movements that
advocate the liberation of Iranian people and minorities within Iran.
https://research.checkpoint.com/cdn-cgi/l/email-protection
18/51
Figure 20: Mujahedin-e Khalq and Azerbaijan National Resistance Organization logos
The conflict of ideologies between those movements and the Iranian authorities makes them
a natural target for such an attack, as they align with the political targeting of the regime.
In addition, the backdoor’s functionality and the emphasis on stealing sensitive documents
and accessing KeePass and Telegram accounts shows that the attackers were interested in
collecting intelligence about those victims, and learning more about their activities.
Conclusion
Following the tracks of this attack revealed a large-scale operation that has largely managed
to remain under the radar for at least six years. According to the evidence we gathered, the
threat actors, who appear to be operating from Iran, take advantage of multiple attack
vectors to spy on their victims, attacking victims’ personal computers and mobile devices.
Since most of the targets we identified are Iranians, it appears that similarly to other attacks
attributed to the Islamic Republic, this might be yet another case in which Iranian threat
actors are collecting intelligence on potential opponents to the regiment.
SandBlast Mobile provides real-time threat intelligence and visibility into mobile threats,
protecting from malware, phishing, Man-in-the-Middle attacks, OS exploits, and more.
Check Point’s anti-phishing solutions include products that address all of the attack vectors
from which phishing attacks come – email, mobile, endpoint and network.
Technical Appendix
PC Backdoor Variants Analysis
https://research.checkpoint.com/2018/domestic-kitten-an-iranian-surveillance-operation/
https://www.checkpoint.com/products/mobile-security/
https://www.checkpoint.com/solutions/anti-phishing/
19/51
TelB Variant
“TelB” is the latest variant we encountered, and its analysis shown above. We named it as
such because of the next debug string:
D:\Aslan\Delphi\TelB\BMainWork\SynCryptoEN.pas .
TelAndExt Variant
This variant is probably the older version of “TelB”, and has been active mostly during 2019
and 2020. It shares the following properties and techniques with the newer versions:
Developed in Delphi
Shares a great amount of code with the “TelB” variant
Focuses on the Telegram Desktop application
Similar persistence and update methods
Uses FTP instead of SOAP for data exfiltration
We named this variant “TelAndExt” because of the next debug string:
D:\Aslan\Delphi\TelAndExt\TelegramUpdater\SynCryptoEN.pas
Python Info-stealer Variant Analysis
We discovered several samples which use the following methods:
Two-layer SFX (self-extracted archive) which extract several .bat/.vbs/.nfs/.conf files.
Persistence method by copying the executable (ends with .nfs ) to
%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\audio-
driver.exe
Executable name is speaker-audio.exe or keyboard-EN.exe , depending on the
sample.
The executable was created with Pyinstaller.
Downloads a second-stage payload under the name of net-update.exe
Before being uploaded, the data is encrypted using library pyAesCrypt with a hard-
coded password.
Info stealing
According to our analysis, the script communicates with an FTP server using hard-coded
credentials, and steals the following data:
Telegram Desktop application related files.
Paltalk NG application related files.
Chrome, Firefox and Edge related data.
Any file which ends with extensions listed in a given configuration. If no configuration is
given, it searches for files with the following extensions:
.txt;.docx;.doc;.exe;.jpg;.html;.zip;.pdf
20/51
Operation
During our investigation, we saw several Python info-stealers that communicate with the
same FTP server, but store the stolen information in different pages under different aliases.
We suspect this is how the malware authors operate:
Choose a target, and create a designated folder in the FTP server for them.
Build a sample customized for the target, with a unique AES key and FTP credentials
for information uploading.
Deliver the weaponized executable via one of the infection chain vectors.
Second-stage Payload – HookInjEx
One of its core functionalities is fetching a second-stage payload. If the designated FTP
folder contains a file named net-update.exe , then it downloads and executes it.
We analyzed few of those net-update.exe samples and found a complete overlap with
the “HookInjEx” variant below, making it a targeted advanced payload.
HookInjEx Variant
This variant has been in use since 2014, and has 32-bit and 64-bit versions. Over time, the
variant evolved and added some features while also changed the names of the different
components in its infection chain.
Infection Chain
We found two main types of infection chains:
1. SFX (self-extracting archive) which contains all the components. It drops all of them
into a folder and then executes the main loader – DrvUpdt.exe ( ehtmlh.exe in
older versions).
2. Fake SCR file that is functioning as an executable. In order to look like a legitimate
SCR file, the loader contains a decoy – a JPEG/PPTX/DOC file as a resource
( Resource_1 ), which is loaded upon running.
The SCR file also drops other payloads as its resources, and runs the main loader with the
command line:
cmd.exe /C choice /C Y /N /D Y /T 3 &
"%APPDATA%\\Microsoft\\Windows\\Device\\DrvUpdt.exe" -pSDF32fsj8979_)$
21/51
Figure 21: Malicious SCR opens decoy JPG resource
Hooking and Injection
The main loader uses the hooking and injection method called “HookInjEx”. That method
maps a DLL into explorer.exe , where it subclasses the Start button. In our case, the
loaded DLL is DrvUpdtd.dll ( dhtmlh.dll in older versions).
In newer versions, the malware also hooks the Start button in other languages as well.
The existence of different languages probably shows that it has victims from countries all
around the world. The different translations are:
22/51
Start - English
başlat - Turkish
開始 - Chinese
Sākt - Latvian
Arabic - ابدأ
Iniciar - Spanish
Käynnistä - Finish
Hebrew - התחל
スタート - Japanese
Štart - Slovakian
Pradėti - Lithuanian
Pokreni - Bosnian
เริ่ม - Thai
Έναρξη - Greece
Démarrer - French
Старт - Bulgarian
Запустити - Ukrainian
시작 - Korean
Configuration
The malware receives its configuration from a file named Devinf.asd (in older versions it
was named file2.asd ). The configuration is decrypted and written into a new file named
Drvcnf.asd (in older version it named file3.asd ). The encryption method is:
23/51
def decode(content):
dec_array = [0, 1, 2, 3, 4, 5, 6, 7, 8, 0xe, 0xf, 0x10, 0x11, 0x12, 0x13, 0x14,
0x15, 0x16, 0x17, 0x18, 0x19, 0x1a,0x1b, 0x1c, 0x1d, 0x1e, 0x21, 0x22, 0x23, 0x24,
0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32,
0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39,0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40,
0x41, 0x42, 0x43, 0x44]
output_str = ''
known_values = [9, 10, 13, 32]
for j in range(len(content)):
int_cur_content = ord(content[j])
cur_byte = 0
for i in range(62):
if int_cur_content == dec_array[i]:
if i < 26:
cur_byte = i + 0x61
elif 26 <= i < 52:
cur_byte = i + 0x27
elif 52 <= i < 62:
cur_byte = i - 0x4
output_str += (chr(cur_byte))
break
if cur_byte == 0:
if int_cur_content in known_values:
cur_byte = int_cur_content
elif int_cur_content - 0x61 <= 0xe:
cur_byte = int_cur_content - 0x40
elif int_cur_content - 0x70 <= 0x6:
cur_byte = int_cur_content - 0x36
elif int_cur_content - 0x77 <= 0x5:
cur_byte = int_cur_content - 0x1c
elif int_cur_content - 0x53 <= 0x3:
cur_byte = int_cur_content + 0x28
output_str += (chr(cur_byte))
return output_str
After the configuration is decrypted, the malware parses the values and puts them in global
variables.
24/51
- Registry key for persistence
- pre value for info files to send
- extensions for info files to send
- log path direcory
- minimum size for file to send
- FTP domain
- FTP User value
- FTP Password value
- version
- Downloads updates URL
- Downloads updates URL
- Directory in ftp connection.
- timer_1
- timer_2
- timer_3
- Downloads updates URL
- value for encryption method to files
- value for encryption method to files
- Fake name
- Value to choose name template for info files to send.
- flag for exeucting again from different place.
- WHOIS first URL
- WHOIS second URL
- WHOIS third URL
- value to download using computer-name and username
- Opera gather data flag
- Firefox gather data flag
- Chrome gather data flag
- WHOIS flag
- tracert flag
- number of tries
- clipboard data flag of CF_HDROP (CLB-f.jpg)
- clipboard data flag of text, unicode, oemtext and locale (clb-
t.jpg)
- clipboard data flag of bitmap and dib (clb-p.jpg)
Persistence
The malware sets the registry key which is in the value of the configuration file
(which is almost always the key RunOnce) to the following values – it sets the name to
SunJavaHtml or DevNicJava and the value is DrvUpdt.exe 11 . That way the malware
knows it was already executed.
In older versions, the malware used to drop a file named either rreegg.exe or
Capdev.exe , which was added to RunOnce, and in turn executed DrvUpdt.exe 11
Info stealing
25/51
Main feature of the malware is stealing information from the victim’s computer and send it to
the C2 using FTP.
The malware steals different types of data:
Opera/Chrome/Firefox login data.
Firefox information: profiles, keys and db files.
The output of tracert www.google.com
WHOIS information (based on the value).
Screenshots and title of the foreground window.
Waveform-audio recording for a minute.
Files from removable drivers. The types of files are based on the tags in the
file Devufl1.tmp ( winufl1.tmp in older versions). In some versions, that logic was
implemented in a file named uflscan.exe .
Interestingly, if driver’s name is one of the following: A65RT52WE3F , 09353536557 or
transcend20276 , the malware ends the thread. We believe it to be a debug code
(Fig. X) that stayed and its purpose is to prevent the malware from gathering files from
the author’s computers.
Files from other drives based on the tags in the file Devufl2.tmp
( winufl2.tmp in older versions ).
Keylogging and clipboard data from various formats – drag and drop/ CF_HDROP ,
CF_TEXT , CF_TEXT , CF_UNICODETEXT , virtual key codes, CF_OEMTEXT ,
CF_LOCALE , CF_BITMAP and CF_DIB .
Capture using webcam ( tcwin.exe in older versions).
Since 2018 – Telegram Desktop data.
Figure 22: Debug code with hardcoded removable drivers
C2 communication
26/51
This variant uploads files to its C2 domain using the FTP protocol. The FTP domain is placed
in the configuration file inside the tag.
The connection starts with authentication using the password and username from the
configuration file.
The malware then creates a directory according to the tag and a subdirectory inside
it with the user id it generated before. The user id is generated from the network adapter’s
info that was written into the file Mcdata.dat ( PAdata.dat In older versions).
After that, the connection continues with TYPE I and PASV commands before storing the
files with the STOR command.
The variant also contacts other domains to update its different components. The domains are
placed in the configuration file inside , and tags. The files are
downloaded using URLDownloadToFileW from the given URLs, the user_id is included in
the URLs.
String Obfuscation
In newer versions (since 2018), the strings are encrypted with the following script:
buf_1 = 'qweyuip[];lkjhgdszcm,.>