Check Point discovers spying on Iranian dissidents through Telegram

Check Point investigators have uncovered a surveillance campaign run by Iranian entities against regime dissidents that has been going on for six years. Since 2014, the cybercriminals behind this campaign have been launching attacks to spy on their victims, including the hijacking of Telegram accounts, the extraction of two-factor authentication codes through SMS messages, phone recordings, access to KeePass account information and the distribution of malicious phishing pages using fake Telegram service accounts.

The victims seem to have been selected at random among opposition organisations and resistance movements such as Mujahedin-e Khalq, the National Resistance Organisation of Azerbaijan, and citizens of Baluchistan.

The cybercriminals used malware documents to attack their victims and steal as much information as possible stored on the infected device. The malicious load targets two main applications: Telegram Desktop and KeePass, the famous password storage. The main features of the malware include:

• Information theft
• Upload the relevant Telegram files from the infected computer. These files allow you to take full control of the victim's account.
• Steal information from the KeePass application
• Upload any file that ends with predefined extensions
• Record data from the laptop and take screenshots on the desktop.
• Persistence
• Implement a persistence mechanism based on the internal procedure for updating the Telegram
   

During their investigation, Check Point's investigators discovered a malicious Android application linked to the same cybercriminals. The app was disguised as a service to help Iranians in Sweden obtain their driving licence. This Android backdoor contains the following features:

• Stealing existing SMS messages
• Forwards two-factor authentication messages to a phone number provided by the cybercriminal's controlled C&C server
• Retrieve personal information such as contacts and account details
• Start a telephone recording
• Phishing of Google accounts
• Retrieve device information such as installed applications and running processes

Some of the websites related to the malicious activity also hosted phishing pages posing as Telegram. Surprisingly, several Iranian channels in this application issued warnings against these pages, claiming that the Iranian regime was behind them. They also warned that these phishing messages, in which they threatened their recipient that they were misusing their services and that their account would be blocked if they did not enter the attached link (phishing), were sent by a Telegram bot.

Another channel of this messaging tool provided screenshots of the phishing attempt showing that the cybercriminals had created an account posing as the official one. Initially, the attackers sent a message about a new Telegram update to make it look legitimate. The phishing message was sent only five days later, and it pointed to a malicious domain.

"Our investigation has led us to realize several interesting things. First, there is a striking interest in being able to spy through instant messaging services. Although Telegram cannot be decoded, it is clearly susceptible to hijacking, so all users of these or similar applications should be aware of the risks involved in using it.

Secondly, phishing attacks on mobile phones, computers and websites can be connected within the same operation. In other words, they are managed in accordance with national intelligence and interests, as opposed to technological challenges. For this reason, at Check Point we will continue to monitor different geographical areas around the world to alert to new cyber-threat campaigns," points out Lotem Finkelsteen, Director of Threat Intelligence at Check Point.