A large-scale Iranian espionage operation has largely managed to remain undetected for at least six years. Recently, security firm Check Point has managed to uncover the hacking group’s attack methods and hacking tools.

Under the hood

According to Check Point, the Iranian state-backed APT group Rampant Kitten has carried out several surveillance operations on its victims.
  • The group has been targeting dissidents and members of the global Iranian diaspora, anti-regime organizations, Iranian minorities, and resistance movements.
  • The group used a wide extent of malware families, including four variants of Windows info stealers (TelB Variant, TelAndExt Variant, Python Info-stealer Variant, and HookInjEx Variant) and a potent Android backdoor disguised inside malicious apps.
  • With these tools, the hackers intended to steal the victims’ personal documents, as well as access to their Telegram Desktop and KeePass account information via phishing pages. 
  • The use of the Android backdoor enabled the hackers to steal 2FA codes from SMS messages, record the phone’s voice surroundings, and others.

Recent threats targeting 2FA

Several state-sponsored threat actors are now capable of bypassing 2FA using their malicious tools. In recent attacks, few other hackers were seen bypassing the 2FA mechanism easily.
  • In August, several vulnerabilities in the Fizikal platform, an Israel-based gym app management platform, left thousands of users’ accounts exposed to a 2FA-bypass attack.
  • In May, the AnarchyGrabber trojan enabled threat actors to disable 2FA on the victim's system to distribute the trojan on Discord.

The bottom line

Many users and organizations use 2FA to boost the safety of their accounts. Attacks or tricks to bypass the 2FA mechanism can provide a special capability for the hackers. Thus, organizations are recommended to deploy additional layers of security for protecting their sensitive data.

Cyware Publisher