The Iranian APT group IGT18 is in the news again with about 120GB of stolen data. According to researchers from IBM, this group has ties with Charming Kitten, Phosphorus, and TA453. Researchers were able to lay bare several details about the group’s operations, including new malware.

What has been discovered?

In a detailed report, researchers from IBM Security X-Force revealed a trove of information about IGT18’s recent targets.
  • Between August 2020 and May 2021, the APT group comprised several victims associated with the Iranian reformist movement. 
  • Targeted data included photos, contact lists, conversations, and group memberships.
  • The stolen data was sent back to the C2 servers via compromised accounts from secure social media platforms, most recently Telegram. 
  • The group exfiltrated about 120GB of data from around 20 individuals, mostly aligned with Iran’s Reformist movement.

Attack vectors and additional insights

According to sources, researchers were able to gain access to an open file directory used by the gang. This enabled them to find several resources, including new malware, exfiltrated data from victims, and training videos.
  • They used new malware named LittleLooter, a backdoor targeting Android devices. It could steal location data, browser history, call history, SMS messages, and can record audio and video.
  • Attackers are also believed to have employed social engineering tricks via personalized calls, chats, and video conferences.
  • Researchers were able to track around 60 servers hosting over 100 phishing domains.

Moreover, the discovery of training videos indicates that the APT group is serious about imparting skills to other members, and possibly, recruiting new members.

The bottom line

During its attack, ITG18 has been observed using several tasks that require intensive manual efforts, such as personalized calls, chants, and video conferencing to lure its victims. Experts are confident that the group will continue working toward its aim even after public reporting of its activities due to its wide range of targets and objectives.

Cyware Publisher

Publisher

Cyware