Posted on June 19, 2021 at 1:12 PM
A recent report reveals that hackers are now leveraging the Psiphon VPN and the Telegram app to install a Windows Remote Access Trojan (RAT) that can steal important data from victims’ devices.
The Psiphon circumvention system uses both obfuscation and secure transport technologies to let web users bypass content-filtering systems. It is generally used to bypass content filtering imposed by governments enforcing extralegal censorship. A recent report from Kaspersky security researchers, however, shows that hackers are now taking advantage of the system.
The threat actors are assessed to be Ferocious Kitten, an Iranian cyber-espionage group that has been operating covertly since 2015.
Malicious code has a keylogging capability
According to Kaspersky researchers, the group uses several obfuscation methods to plant malware that remains undetected on the targeted devices.
Kaspersky researchers Paul Rascagneres, Mark Lechtik, and Aseel Kayal said that the hackers’ malicious code has a keylogging capability and can take screenshots.
According to the researchers, the two features can be used to monitor the conversations and email messages of the victim.
The researchers’ findings are based on two weaponized documents that deploy a new payload, a backdoor known as MarkiRat.
The backdoor gives the threat actors access to targeted data, including downloading and uploading files, capturing clipboard content, and recording keystrokes.
The group is developing malware to target Android devices
The threat actors also developed a MarkiRat variant that intercepts the execution of applications such as Telegram and Chrome. The malware is launched alongside those applications and persists hidden on the device, which makes it very difficult to detect or remove.
The threat actors’ command-and-control infrastructure is reported to host Android application files (APK and DEX files). Based on this evidence, researchers believe the group may currently be developing malware that targets Android users.
Although Ferocious Kitten has largely limited its activities to domestic targets, Kaspersky found that cyber-surveillance of the Iranian public is more intrusive and extensive than previously assumed.
Threat actors are targeting Psiphon VPN users
The popularity of the Psiphon service in Iran has led the hackers to repeatedly target the VPN service’s users. This also indicates that the payloads were designed to attack Iranian users.
Hackers have used spying tools to stalk Iranian residents for the past six years. According to Kaspersky, the spying tools mimic the software that dissidents use to protect their communications.
The security firm, in collaboration with other security researchers, uncovered the activity only recently. The findings show that the cybersecurity community has limited visibility into Tehran-linked hacking activity.
Threat actors may be affiliated with Tehran
Kaspersky researchers did not attribute the hacking activity to the Iranian government. However, another security firm, FireEye, stated that it suspects the threat actors have connections with Tehran. Tehran is known for its alleged use of cyber capabilities against its own citizens.
The researchers say the findings reflect the surveillance practices the Iranian government has used to jail dissidents who protest against the regime.
In September last year, the U.S. Treasury Department sanctioned dozens of Iranians for targeting Iranian journalists and protesters. Some members of the infamous APT39 hacking group were also included in the sanctions.
Amnesty International revealed that 304 people were killed by the Iranian security services during the crackdown in 2019.
Malware-infested images sent by the hackers
Kaspersky researchers stated that the threat actors sent malware-laced images and videos to their targets. In the email, they claimed the images and videos were of prisoners in Iran. When the target opens the document, however, it hijacks the user’s Telegram client and Google Chrome browser in a bid to steal data.
The researchers stated that they are not sure how many people have fallen victim to the hacking campaign, but believe that many infected users are unaware that their devices have been compromised.