
The Rampant Kitten team steals 2FA codes through an Android malware

Security company Check Point says it has discovered an Iranian hacking team that has developed a custom Android malware capable of stealing two-factor authentication (2FA) codes sent via SMS. The malware is part of an arsenal of hacking tools developed by a group nicknamed Rampant Kitten.

Check Point reports that the group has been active for at least six years and mainly targets Iranian minorities, anti-regime organizations and resistance movements.

These campaigns involved many different malware families, including four variants of Windows infostealers and an Android backdoor.


The Windows malware was mainly used to steal the victim's personal documents, as well as files from the Telegram Windows desktop client, which would allow the intruders to access the victim's Telegram account.

In addition, the Windows malware also stole files from the KeePass password manager.

Android app with 2FA theft capabilities

But while Rampant Kitten hackers favored Windows trojans, they also developed similar tools for Android.

In a report published today, Check Point researchers said they discovered a powerful Android backdoor developed by the team. The backdoor could steal the victim's contact list and SMS messages, record the victim through the microphone, and display phishing pages.

The backdoor also contained tasks that run at regular intervals and that focus on stealing 2FA codes.

Check Point said the malware forwards to the attackers any SMS message containing the string "G-", which is commonly used to prefix the 2FA codes that Google sends to users via SMS.

The idea is that Rampant Kitten operators would use the Android trojan to display a Google phishing page to capture the user's credentials, and then log in to the victim's account.

If the victim had enabled 2FA, the malicious 2FA SMS interception feature would send hidden copies of the 2FA messages to the attackers, allowing them to bypass 2FA.

But that was not all. Check Point also found evidence that the malware would automatically forward all incoming SMS messages from Telegram and other social network applications. These messages also contain 2FA codes, and it is very likely that the team used this feature to bypass 2FA on more than just Google accounts.
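The two forwarding rules described above, the "G-" substring match and the forward-everything-from-messaging-apps rule, can be modelled in a few lines. The block below is an added example written for this page; it is not Check Point's code and not the malware's own logic. It implements only what the article states (a plain substring match on "G-" and a sender-based match for Telegram and similar apps); the list of social-app sender names, the sample inbox and the attacker-side code parser (OTP_RE) are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Sms:
    sender: str  # sender ID as the phone shows it (short name or phone number)
    body: str


# Rule 1 (stated in the article): forward any SMS whose text contains "G-",
# the prefix Google puts in front of the codes it sends by SMS. The article
# describes a plain substring match, and that is what is implemented here.
GOOGLE_PREFIX = "G-"

# Rule 2 (stated in the article): also forward every SMS coming from Telegram
# and other social-network apps. The article does not name the other apps, so
# this sender list is an assumption made for the example.
SOCIAL_SENDERS = {"telegram", "facebook", "instagram", "twitter", "whatsapp"}

# Attacker-side parsing of a forwarded message: pull out a 5-8 digit code,
# with or without the "G-" prefix. Assumed for the example; the page does not
# describe how the operators parse what they receive.
OTP_RE = re.compile(r"\b(?:G-)?(\d{5,8})\b")


def matches_google_rule(sms: Sms) -> bool:
    """Rule 1: the body contains the Google SMS-code prefix."""
    return GOOGLE_PREFIX in sms.body


def matches_social_rule(sms: Sms) -> bool:
    """Rule 2: the sender is one of the social/messaging apps."""
    return sms.sender.strip().lower() in SOCIAL_SENDERS


def would_be_forwarded(sms: Sms) -> bool:
    """True if either forwarding rule fires for this message."""
    return matches_google_rule(sms) or matches_social_rule(sms)


def select_for_exfil(messages):
    """Return, in order, the messages the two rules would send to the attacker."""
    return [m for m in messages if would_be_forwarded(m)]


def extract_otp(body: str):
    """Return the first plausible one-time code in a message body, or None."""
    m = OTP_RE.search(body)
    return m.group(1) if m else None


# Constructed sample inbox for the demo; none of these are real messages.
SAMPLE_INBOX = [
    Sms("Google", "G-123456 is your Google verification code."),
    Sms("Telegram", "Login code: 54321. Do not give this code to anyone."),
    Sms("+15551234567", "Running late, see you at 7"),
    Sms("MyBank", "Your code is 998877"),      # a code, but neither rule fires
    Sms("Mom", "Got the new G-Shock watch!"),   # no code, but the crude "G-" rule fires
]


if __name__ == "__main__":
    for sms in select_for_exfil(SAMPLE_INBOX):
        print(f"{sms.sender:>14}: forwarded, code={extract_otp(sms.body)}")
```

Two things the sample inbox makes visible: the rules are narrow by design (the bank code is never forwarded, because the operators were after Google and messaging accounts), and the "G-" substring rule over-collects (the watch message leaks with no code in it). The larger point for defenders is unchanged: any app on the handset that holds SMS permissions can read a code delivered by SMS, so a phished password plus this forwarding loop defeats SMS-based 2FA entirely.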

Although it is widely accepted that government hacking groups are usually able to bypass 2FA, we rarely get a picture of their tools and of how they do it.

Rampant Kitten now joins APT20, a Chinese state-sponsored hacking group, on that short list: APT20 was also seen bypassing hardware-based 2FA last year.

Teo Ehc