Security company Check Point says it has discovered an Iranian hacking team that has developed Android malware capable of stealing two-factor authentication (2FA) codes sent via SMS. The malware is part of a hacking tool arsenal developed by a team nicknamed Rampant Kitten.
Check Point reports that the group has been active for at least six years and mainly targets Iranian minorities, anti-regime organizations and resistance movements.
These campaigns involved the use of many different malware families, including four variants of Windows infostealers and an Android backdoor.
The Windows malware was mainly used to steal the victim's personal documents, as well as files from the Telegram Windows desktop client, which would allow intruders to access the victim's Telegram account.
In addition, the Windows malware also stole files from the KeePass password manager.
Android app with 2FA theft capabilities
But while Rampant Kitten hackers favored Windows trojans, they also developed similar tools for Android.
In a report published today, Check Point researchers said they discovered a powerful Android backdoor developed by the team. The backdoor could steal the victim's contact list and SMS messages, record what the victim says through the microphone and display phishing pages.
However, the backdoor also contained tasks that run at regular intervals and focus on stealing 2FA codes.
Check Point said the malware forwards to the attackers any SMS message containing the string "G-", which Google commonly uses to prefix the 2FA codes it sends to users via SMS.
The idea is that Rampant Kitten operators would use the Android trojan to display a Google phishing page to capture the user's credentials and then access the victim's account.
If the victim had enabled 2FA, the malicious 2FA SMS interception feature would send hidden copies of the 2FA messages to the attackers, allowing them to bypass 2FA.
But that was not all. Check Point also found evidence that the malware would automatically forward all incoming SMS messages from Telegram and other social-network applications. These messages also contain 2FA codes, and it is very likely that the team used this feature to bypass 2FA on more than just Google accounts.
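For an incident responder scoping a compromised device, the two forwarding rules described above (the "G-" substring and the social-network senders) decide which codes the attackers would have seen. The following is an added triage helper, not code from the report or the malware; the sender names and sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sender labels treated as "Telegram and other social-network applications".
# Assumption: the report does not list the exact senders, so these are examples.
SOCIAL_SENDERS = {"telegram", "instagram", "facebook", "twitter", "whatsapp"}

@dataclass
class Sms:
    sender: str
    body: str

def forwarding_rule(msg: Sms) -> Optional[str]:
    """Return the rule that would have forwarded this SMS to the attackers, or None.

    Rule 1 mirrors the reported substring check: any body containing "G-",
    the prefix Google puts on its SMS verification codes. Being a plain
    substring test, it also over-captures unrelated text containing "G-".
    Rule 2 forwards every SMS from a social-network sender, whatever it says.
    """
    if "G-" in msg.body:
        return "google-2fa-prefix"
    if msg.sender.strip().lower() in SOCIAL_SENDERS:
        return "social-sender"
    return None

def exposed_messages(messages: List[Sms]) -> List[Tuple[str, str, str]]:
    """List (rule, sender, body) for each SMS the backdoor would have exfiltrated."""
    out = []
    for m in messages:
        rule = forwarding_rule(m)
        if rule:
            out.append((rule, m.sender, m.body))
    return out

def accounts_needing_reset(messages: List[Sms]) -> List[str]:
    """Senders whose 2FA codes were exposed; the analyst resets those accounts first."""
    return sorted({sender for _, sender, _ in exposed_messages(messages)})

# Constructed sample SMS export from a device, used only for this example.
SAMPLE_INBOX = [
    Sms("Google", "G-482913 is your Google verification code."),
    Sms("Telegram", "Login code: 55123. Do not give this code to anyone."),
    Sms("+15551234567", "Hey, are we still on for lunch?"),
    Sms("BankAlert", "Your one-time passcode is 771204"),      # not matched by either rule
    Sms("+15557654321", "Meet me at G-Wing, building 2"),       # over-captured by the "G-" rule
]

if __name__ == "__main__":
    for rule, sender, body in exposed_messages(SAMPLE_INBOX):
        print(f"{rule:18} {sender:14} {body}")
```

Note that a bank's OTP without the "G-" prefix is not caught by the rules the report describes, while an ordinary message mentioning "G-Wing" is, which illustrates how crude the filter is and why the exposure reaches beyond 2FA codes.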
Rampant Kitten now joins APT20, a state-funded Chinese hacking group that also appeared to bypass hardware-based 2FA last year, among the groups known to have defeated 2FA.