Android Malware Bypasses Two Factor Authentication


Researchers found a surveillance campaign that targets victims' personal device data and browser credentials. One unusual tool in the group's arsenal is an Android malware that collects two-factor authentication (2FA) security codes sent to the device and launches Google account phishing attacks. The group responsible is being called Rampant Kitten. It has targeted Iranian entities for at least six years, specifically Iranian minorities and anti-regime organizations.

Rampant Kitten relies on an array of tools to carry out its attacks, including four Windows info-stealer variants, phishing pages that impersonate Telegram to steal passwords, and an Android backdoor that extracts 2FA codes from SMS messages and records audio from the phone's surroundings. According to Check Point researchers, the group appears to be operating from Iran.


Researchers first discovered Rampant Kitten's campaign through a document, The Regime Fears the Spread of the Revolutionary Cannons.docx. Researchers don't know how this document is distributed. When opened, the document loads a document template from a remote server that impersonates the website of a non-profit that aids Iranian dissidents. The template carries malicious macro code, which runs a batch script to download and execute further malicious code. That code checks whether the Telegram messaging client is installed on the system. If so, it extracts executables that steal information from the KeePass password manager, upload any files they can find, log clipboard data and take desktop screenshots.
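As an added defender-side example (not from the article or from Check Point's research), the following check inspects a .docx for the remote-template mechanism described above: an attachedTemplate relationship in word/_rels/settings.xml.rels whose target is an external URL, which is what makes Word fetch the template from a remote server when the document opens. The sample documents and the template URL are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type that a .docx uses to reference an attached template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"

def find_remote_templates(docx_bytes):
    """Return external attachedTemplate targets declared in a .docx.

    A template fetched from a remote server is how the decoy document above
    pulled in its macro code, so any external URL here deserves a closer look.
    Non-zip or malformed input yields [] instead of raising.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
            if SETTINGS_RELS not in zf.namelist():
                return []
            root = ET.fromstring(zf.read(SETTINGS_RELS))
    except (zipfile.BadZipFile, ET.ParseError):
        return []
    hits = []
    for rel in root.iter("{%s}Relationship" % RELS_NS):
        if (rel.get("Type") == ATTACHED_TEMPLATE
                and rel.get("TargetMode", "Internal") == "External"):
            hits.append(rel.get("Target", ""))
    return hits

def build_docx(settings_rels_xml=None):
    """Build a minimal constructed .docx (not a real sample) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        if settings_rels_xml is not None:
            zf.writestr(SETTINGS_RELS, settings_rels_xml)
    return buf.getvalue()

# Constructed relationship pointing at a placeholder (not real) template URL.
REMOTE_RELS = (
    '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
    'Target="http://template-server.example/decoy.dotm" TargetMode="External"/>'
    '</Relationships>' % (RELS_NS, ATTACHED_TEMPLATE)
)
SUSPICIOUS_DOC = build_docx(REMOTE_RELS)
CLEAN_DOC = build_docx()
```

A non-empty result is a triage signal, not proof of malice: legitimate corporate templates are sometimes hosted on internal servers, so check the host before acting.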

Researchers were able to track multiple variants of this payload dating back to 2014. These include the TelB and TelAndExt variants, which focus on Telegram. Researchers also found a Python program focused on stealing data from Telegram, Chrome, Firefox and Edge. The payload also includes a HookInjEx variant, which targets browsers, device audio, keystrokes and clipboard data.

This large-scale campaign has managed to stay under the radar for at least six years. According to the evidence, the group appears to be operating from Iran and uses multiple attack vectors to spy on its victims, targeting both their personal computers and their mobile devices. Since most of the targets are Iranians, the group may be collecting intelligence on potential opponents of the regime. Rampant Kitten now joins APT20, a Chinese state-sponsored hacking group that was also seen bypassing hardware-based 2FA solutions last year.