An extensive spyware campaign targeting Iranian, Kurdish and Turkish natives as well as ISIS supporters has been active since 2016.
Dubbed “Domestic Kitten,” the targeted attacks were discovered by Check Point researchers, who say in a Sept. 7 blog post that the campaign has stayed under the radar because of the artful deception the attackers practice on their targets.
The name follows the common nomenclature for Iranian APT groups, which uses “kitten,” with “domestic” added because the group is believed to be affiliated with the Iranian government.
The spyware is spread through fake Android mobile applications, and those behind the attacks use decoy content to entice victims into downloading the malicious apps.
Once installed, the malware lifts a range of sensitive information from its targets, including the contact list stored on the victim’s device, phone call records, SMS messages, browser history and bookmarks, the victim’s geo-location, photos, recordings of surrounding audio and more.
All of this information is then sent back to command-and-control (C&C) servers using HTTP POST requests, researchers said.
Although the campaign’s targets include Iranian citizens, researchers suspect Iranian government entities such as the Islamic Revolutionary Guard Corps (IRGC), the Ministry of Intelligence, the Ministry of Interior and others are involved in the attacks, as these agencies often conduct surveillance on the groups the malware targets.