INCIDENT AND IMPACT
On August 20, 2016, the Facebook account of a political activist based in Europe was compromised through an impersonation login page sent by an individual who claimed to be a past acquaintance.
Once the intruders had access to the Facebook account, they posed as that individual in order to start conversations with his social network, particularly journalists within the Persian-language media community who would be familiar with his work. This is a common tactic that Claudio Guarnieri and Collin Anderson have documented in several incidents: using a breached account to pose as a trusted person and attack that person's own network. In one conversation, the intruder asked a journalist for their private contact information and sent what they claimed were “important documents” that needed to be reported.
In reality, the link sent to the new target was an impersonation login page for Google Drive – a phishing attempt intended to deceive them into entering their username and password. These pages are often hosted on domains that appear to be connected to Google or Facebook and look official through jargon (such as “verifyuser-login-account.com”). These pages may also support a secure web connection (HTTPS) in order to appear legitimate and to thwart previous advice on spotting fakes. From other experiences, in the event that the deception is not successful, the attackers commonly increase the pressure on targets to open the document or turn to threats in order to force cooperation. Once compromised, the attacker creates an offline backup of emails to ensure that an archive of the victim's contacts and communications remains available if they are locked out of the account.
While one target had enabled two-factor authentication (2FA) through text message, the attackers were able to get around it by asking the user for the codes. Iranian groups have long adapted their strategies to confront the use of this security mechanism, and now include an extra step to obtain the two-factor code where it is enabled. The problem, in this case, is that the codes sent via text message are valid for longer periods of time. This longer lifespan gives the attacker enough time to ask the user for the real code sent by Google and then enter it themselves. This is addressed further in Recommendations.
Importantly, the attackers have also sent Android application files (APKs) to recent targets. This incident is part of a growing trend in the use of Android malware to target activists and journalists over recent months. In other encounters, the Android malware posed as messaging applications such as IMO. Claudio Guarnieri and Collin Anderson have witnessed cases where these clients were sent claiming to be secure chat software. The International Campaign for Human Rights in Iran has also indicated that attackers have posed as an “old friend” on other messaging services and encouraged targets to install the malware client to continue the conversation. In other cases, the target's own picture was found strangely embedded in the icon of the malware.
No matter the social engineering strategy, the Android applications sent to targets were remote access tools (RATs) that would provide full access to a victim’s phone for an attacker in Iran. On installation, these applications would appear as “private chat” or “com_google_sevices” (sic), and quietly record the device’s activities in the background. This software requests all permissions on the phone, and then persistently collects and monitors text messages, emails, photos, microphone, location and other private information. The use of Android malware is effective because of the popularity of the platform, and mobile devices overall, in Iran. Sanctions and other restrictions have also led to more Iranian users installing applications from non-official sources, decreasing the security of their devices.
In the incidents in question, the Android malware used was the “DroidJack” agent, a RAT frequently found in other criminal activities. The fake IMO client is the Meterpreter agent developed for the open source platform Metasploit and it was used in malicious documents. This is also not the first time that Iranian actors have been observed using mobile malware, and Citizen Lab has documented the use of the same DroidJack RAT against Syrian dissidents by unknown actors believed to be based in Iran. A full description of the capabilities of the Android malware is not in scope for this notice, as Citizen Lab and Symantec have extensively described the agent in question.
Claudio Guarnieri and Collin Anderson have found indications of another Android RAT named KrakenAgent, which is full-featured malware. While the KrakenAgent malware attempts observed have been directed against activists, its targeting appears to be global in scope. The task list of the malware describes an ambition to fully control the phone and monitor all aspects of the victim's use of their device.
“Call Number”, “Capture Audio”, “Capture Picture”, “Capture Video”, “Delete Contact”, “Delete File”, “Delete Recent Call Log”, “Delete SMS”, “Disable Agent”, “Get Application List”, “Get Bluetooth List”, “Get Browser History”, “Get Chrome Credential Store”, “Get Contact List”, “Get Current Cell Info”, “Get Default Browser Credential Store”, “Get Device Info”, “Get Directory Listing”, “Get File”, “Get Location”, “Get Neighbouring Cell List”, “Get Recent Call Log”, “Get SMS”, “Get Skype Database”, “Get Viber Database”, “Get WhatsApp Database”, “Get WiFi List”, “Open URL In Browser”, “Record Call”, “Send SMS”, “Send USSD”, “Volume Change”
Notable actions with KrakenAgent include copying the username and passwords stored on the phone, stealing messages (Skype, Viber, SMS and WhatsApp), and using the phone as an eavesdropping device.
RECOMMENDATIONS
The incident is indicative of common trends in the tactics used by Iranian groups to target interests inside the country and in the diaspora. While the intent of this disclosure is not to provide a full digital security lesson, there are simple changes to settings and behaviors that can reduce the effectiveness of these attacks.
USE A TWO-FACTOR AUTHENTICATION (2FA) METHOD OTHER THAN TEXT MESSAGE
The codes delivered by text message are valid for a longer amount of time than those produced by the authenticator application method, which presents social engineering opportunities for attackers. Text message codes are also considered unsafe due to security issues with mobile networks, and so their use is increasingly discouraged where a better replacement is possible. Google and other platforms provide methods of generating codes that are similar to text messages, and may be easier to use, such as Google Authenticator or a YubiKey.
As an example, please see Google’s help page on Authenticator.
EXERCISE CAUTION WITH DOCUMENTS AND LINKS
Be cautious when people offer documents over social networks, and consider confirming over the phone that you are speaking with the right person. Researchers have witnessed many cases where people realized they were being targeted when the person they were supposedly speaking to could not talk, claiming to have lost their voice. Be suspicious when someone asks you for a code – this could be a login or password reset code sent by your service provider, requested in order to gain access to your accounts.
In general, take an extra moment to consider the situation when someone claims to be sending a “secure” document or anything that requires sending them a “code.”
CHECK WHAT YOU ARE TYPING YOUR PASSWORD INTO
Impersonation sites often have Google or Facebook in the name, but still are not the service in question and are instead malicious (e.g. “privacy-google.com”). Anytime that a site asks for your username and password, be alert and pause. Why is it asking for your information? How did you get to this page? Are you still logged into your account elsewhere?
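As an added illustration of the check above (example code written for this notice's advice, not part of the original notice or of any Google or Facebook tooling), the following Python classifies a login page's URL by its registrable domain rather than by whether a brand name merely appears in it. The allow-list of genuine domains and the token lists are assumptions for the example, and the sample URLs are constructed apart from the two impersonation names quoted in this notice.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Registrable domains the two services actually use (assumption for this
# example; a real allow-list would come from the providers themselves).
GENUINE_DOMAINS = ("google.com", "facebook.com")
# Brand names and login jargon that the advisory notes appear in impersonation
# domains such as "privacy-google.com" or "verifyuser-login-account.com".
BRAND_TOKENS = ("google", "facebook", "gmail")
JARGON_TOKENS = ("login", "signin", "account", "verify", "secure")


def hostname_of(url: str) -> str:
    """Lower-cased host of a URL; a bare host without a scheme is accepted."""
    if "://" not in url:
        url = "https://" + url  # urlsplit only finds the netloc after a scheme
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_genuine_host(host: str) -> bool:
    """True only for a genuine domain or a subdomain of one. A substring test
    is not enough: "drive.google.com.example.net" is really under example.net."""
    return any(host == d or host.endswith("." + d) for d in GENUINE_DOMAINS)


def classify_login_url(url: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a page asking for a username and password.
    Verdicts: "genuine", "lookalike" (brand name or login jargon in a domain the
    service does not own) or "unrelated". The scheme is ignored on purpose:
    as the advisory notes, phishing pages may use HTTPS too."""
    host = hostname_of(url)
    if not host:
        return "unrelated", "no hostname found in URL"
    if is_genuine_host(host):
        return "genuine", host + " is under a genuine service domain"
    # Split on dots and hyphens so "privacy-google" yields the token "google".
    labels = host.replace("-", ".").split(".")
    hits = [t for t in BRAND_TOKENS + JARGON_TOKENS
            if any(t in label for label in labels)]
    if hits:
        return "lookalike", host + " is not a service domain but uses " + ", ".join(hits)
    return "unrelated", host + " does not resemble a service domain"


if __name__ == "__main__":
    # Constructed sample URLs; the two impersonation names are from the advisory.
    for sample in ("https://accounts.google.com/signin", "https://privacy-google.com/",
                   "https://verifyuser-login-account.com/", "https://drive.google.com.example.net/"):
        print(sample, "->", classify_login_url(sample))
```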
DO NOT INSTALL .APK FILES FROM UNTRUSTED SOURCES
Do not install Android applications or run executable files (.EXE or .SCR) from unknown sources, including from friends or untrusted websites. Be especially wary if the application being installed requests permission to access private data and features such as the microphone.
Do not allow applications from “Unknown Sources” to be installed.
INDICATORS OF COMPROMISE