

State-backed Iranian hackers spread malware through links to fake VPN apps
source link: https://www.techradar.com/news/state-backed-iranian-hackers-spread-malware-through-links-to-fake-vpn-apps

Cybersecurity firm confirms the mobile malware campaign

A well-resourced Iranian state-backed hacker group is distributing spyware through malicious links to fake VPN apps sent by SMS, a cybersecurity firm reports.
Mandiant found evidence that APT42 (an advanced persistent threat group) has been conducting such attacks against what it describes as "the enemies of the Iranian state" since 2015, with the goal of harvesting sensitive data and spying on victims.
The firm also assesses with "moderate confidence" that the group is aligned with the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), which Washington designates as a terrorist organization.
The malware is not spread only by hiding behind the reputation of some of the best VPN services, though. Well-crafted phishing emails, malicious webpages posing as download pages for free messaging apps, and adult-only sites have also been used as lures.
Mobile malware to pose worrying real-world risks
As Mandiant reports: "The use of Android malware to target individuals of interest to the Iranian government provides APT42 with a productive method of obtaining sensitive information on targets, including movement, contacts, and personal information.
"The group's proven ability to record phone calls, activate the microphone and record the audio, exfiltrate images and take pictures on command, read SMS messages, and track the victim's GPS location in real-time poses a real-world risk to individual victims of this campaign."
Researchers have observed over 30 confirmed operations across 14 countries so far, spanning the group's seven years of activity. However, they believe the true number is much larger.
Western think tanks, researchers, journalists, current Western government officials, former Iranian government officials, dissidents and the Iranian diaspora abroad have all been amongst the victims of such attacks.
Data harvesting and surveillance operations
APT42's campaigns have two main goals: gathering targets' sensitive data, such as personal email credentials, multi-factor authentication codes and private communication records, and tracking victims' location data to carry out major surveillance operations.
The group's playbook relies on gaining the trust of its targets, engaging in conversations that can last several weeks before the phishing email is finally sent. In one instance, the hackers posed as journalists working for a well-known US media outlet for 37 days before launching the attack.
In the case of mobile malware, APT42 has successfully targeted internet users looking for circumvention tools to bypass strict government restrictions. Given that over 80% of Iranians use such software to escape online censorship, citizens' safety has rarely been so much at stake.
The Mandiant report further pointed out that the group, believed to be linked to the infamous APT35 that last year managed to get fake VPN apps onto the Play Store, has been adept at quickly reshaping its strategies and targets to align with Iran's domestic and geopolitical interests.
"We assess with high confidence that APT42 will continue to perform cyber espionage and surveillance operations aligned with evolving Iranian operational intelligence collection requirements."
Chiara is a multimedia journalist, with a special eye for latest trends and issues in cybersecurity. She is a Staff Writer at Future with a focus on VPNs. She mainly writes news and features about data privacy, online censorship and digital rights for TechRadar, Tom's Guide and T3. With a passion for digital storytelling in all its forms, she also loves photography, video making and podcasting. Originally from Milan in Italy, she is now based in Bristol, UK, since 2018.