Black Hat USA, Las Vegas 2021: ‘Charming Kitten’ Leaves ‘Mucky Paw Prints!’

IBM X-Force detailed the custom-made “Little Looter” data stealer and 4+ hours of ITG18 operator training videos revealed by an opsec mistake.

LAS VEGAS – The suspected Iranian threat group that IBM Security X-Force calls ITG18, which overlaps with the group known as Charming Kitten, keeps leaving a ‘mucky trail’ of paw prints.

The latest: a custom Android backdoor dubbed “Little Looter” – used exclusively by the threat player, as far as researchers have been able to determine – that IBM Security X-Force detailed for the 1st time at Black Hat USA 2021.

On Wed., in a session titled “The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker,” X-Force researchers Allison Wikoff & Richard Emerson stated that you just have to laugh about all the errors the group keeps making. “If that is not amusing, I do not know what is,” Wikoff exclaimed. “God, I love my job with things like this happening.”

‘Little Looter’

Recently, “things like this” included X-Force’s discovery of a file named “WhatsApp.apk” (md5: a04c2c3388da643ef67504ef8c6907fb) on infrastructure associated with ITG18 operations.

X-Force determined that “WhatsApp.apk” was Android malware that the researchers dubbed “Little Looter” based on its information-stealing capabilities.

For command-&-control (C2) communication, Little Looter attempts to establish communication to the C2 server via HTTP POST requests and responses. X-Force says that the C2 server masquerades as a US flower shop that’s been active since July 2020.

Functionally Rich

The communication between the malware and the C2 server is compressed via GZIP, AES encrypted & BASE64 encoded. The AES key & initialisation vector (IV) are hard coded into this sample: KEY: 3544c085656c997, IV: 4fcff6864c594343.

Little Looter is “functionally rich,” researchers explained, providing ITG18 operators the ability to pull off this long list of actions on an infected Android device:

  • Record video
  • Call a number
  • Record live screen
  • Upload/download/delete a file
  • Record sound
  • List storage information
  • Record voice call
  • Gather GPS- or GSM-based location
  • List device information
  • Show network activity
  • Determine whether screen is on or off
  • Show network speed
  • List installed apps
  • Show network connectivity
  • Send browser history
  • Turn on/off Wi-Fi
  • Turn on/off Bluetooth
  • Turn mobile data on/off
  • List contact information
  • List SIM card information
  • List SMS inbox/outbox/drafts
  • Take a picture
  • List calls including received & missed calls

Version No. 5

“The Little Looter sample X-Force analysed had the version number ‘5’, as well as an update capability if Little Looter detected it was running a previous version,” Wikoff detailed in a post on Wed. “The tool updates itself by downloading a zip file from a URL on the C2 server: ‘http[:]//[C2server]/updates/update_[class name].zip’ & replacing the old ‘classes.dex’ file with the newer version from the zip file.”

Little Looter is a modified version of Android malware reported by 3rd-party researchers several years ago & “has likely been in use by ITG18 for years prior to our association with this threat group,” she stated.
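A defender can turn the two network traits described above (the Base64-wrapped AES payload in HTTP POST bodies, and the `/updates/update_[class name].zip` fetch) into a proxy-log triage check. The sketch below is an added example, not code from IBM X-Force or the article. The log layout, host names and class name are constructed, and the block-size test assumes a padded block mode such as CBC, which the article does not state.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Update fetch quoted in the article: /updates/update_<class name>.zip
# The allowed class-name characters are an assumption (Java identifier chars).
UPDATE_PATH = re.compile(r"^/updates/update_[A-Za-z_$][\w$.]*\.zip$")
AES_BLOCK = 16  # AES block size in bytes


def looks_like_wrapped_ciphertext(body: str) -> bool:
    """True if body is strict Base64 that decodes to whole AES blocks.

    Plain GZIP magic after decoding is rejected: per the article the GZIP
    layer sits underneath the AES layer, so it is not visible on the wire.
    """
    try:
        raw = base64.b64decode(body.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    if not raw or len(raw) % AES_BLOCK:
        return False
    return raw[:2] != b"\x1f\x8b"


def triage(log_lines):
    """Return (line_no, reason) for proxy log lines that merit analyst review."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split(" ", 2)  # constructed layout: METHOD URL BODY
        if len(parts) != 3:
            continue
        method, url, body = parts
        if method == "GET" and UPDATE_PATH.match(urlsplit(url).path):
            hits.append((n, "update-zip fetch"))
        elif method == "POST" and looks_like_wrapped_ciphertext(body):
            hits.append((n, "base64 block-cipher POST body"))
    return hits


# Constructed sample lines; hosts, paths and the class name are placeholders.
SAMPLE_LOG = [
    "GET http://c2.example.invalid/updates/update_MainService.zip -",
    "POST http://c2.example.invalid/api " + base64.b64encode(bytes(range(32))).decode(),
    "POST http://shop.example.invalid/cart item=roses&qty=12",
    "GET http://cdn.example.invalid/updates/update.zip -",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Both checks are heuristics: other software produces Base64 block-cipher bodies and update zips, so hits are leads to correlate with the indicators in the X-Force post rather than verdicts.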

Regardless of Public Reporting

X-Force expects ITG18 operations to persist despite all the publicity the threat player has gotten due to its poor opsec & stolen data, she continued, which speaks to the group’s ability to just keep doing what it’s been doing for so long.

“X-Force researchers have high confidence that ITG18 activity will continue regardless of public reporting due to their broad objectives & continued success of their operations,” Wikoff wrote. Her post includes indicators to identify potential malicious activity on networks & mobile devices.

Hitting the Jackpot

Before the discovery of Little Looter, “things like this” began with X-Force’s discovery of the group’s training videos in May 2020. Routine information gathering on the group led to discovery of an open file directory. That directory included files uploaded over the course of a week before the threat player took them down.

It was like a gold mine: The open directory included not only exfiltrated victim data but over 4 hours of training videos for new ITG18 operators. Hearing about those training videos was probably “what you’re all here for,” Wikoff surmised.

As she & Emerson noted in a July blog post, it’s rare to get a behind-the-scenes look at how threat operators behave behind the keyboard, & “even rarer still are there recordings the operator self-produced showing their operations.”

OPSEC Failures

That’s exactly what X-Force uncovered: OPSEC failures on the part of an ITG18 operator that provided “a unique behind-the-scenes look into their methods, & potentially, their legwork for a broader operation that is likely underway.”

The fact that Charming Kitten is so efficient at training newcomers might mean a few things, Wikoff suggested during the session: It could be that the group has a large staff, and/or it could be that they have a good amount of worker turnover.

Not-so-Charming Kitten

What we do know: it’s a highly active adversary, with associated groups having targeted genetic, neurology & oncology professionals; medical researchers; Mid-East scholars; & ex-US President Trump’s 2020 re-election campaign.

They’re notoriously ever-evolving: In Oct. 2019, researchers reported that the player had added new spear-phishing techniques to its tool-kit in what appeared to be a step-up of operations. Security researchers who tracked the earlier phase of the campaign in Oct. 2018 saw attacks designed to evade 2-factor authentication (2FA) so as to compromise email accounts & to monitor communications.

Multiple Victims

Between Aug. 2020 & May 2021, X-Force also observed ITG18 successfully compromising multiple victims linked with the Iranian reformist movement, “probably to monitor group activity around the Iranian presidential election in June,” Wikoff speculated.

Due to a basic misconfiguration by suspected ITG18 associates, IBM discovered a server with more than 40Gb of data on the adversary’s operations.


ITG18’s training videos were made with a tool called Bandicam: a legitimate, free screen recorder for Windows.

The group also uses Zimbra, a popular, legitimate email & collaboration tool that’s at the centre of communications in over 200,000 businesses & over 1,000 govt. & financial institutions. Daily, Zimbra is used by 100s of millions of workers to exchange emails containing sensitive information.

This makes sense, given the group’s objectives: espionage & surveillance, likely in support of Iranian govt. aims. They go after Iranian & what IBM X-Force described as “near-abroad” dissidents, journalists & academics, along with reformist political party members; COVID researchers; & nuclear & financial regulators.

Virtual Private Servers

The group frequently leases virtual private servers & registers its own domains. Wikoff stated that group operators might be given their own virtual private server to run operations on, “soup to nuts,” complete with lists of potential targets.

The group’s TTPs include phishing via email, social media & SMS; credential harvesting; using compromised accounts; & masquerading as legitimate organisations & individuals. Over the years, they’ve persistently taken all that data out of Google & Yahoo accounts.

Adversaries Stumble

Google & Yahoo are unsurprising targets, but Charming Kitten doesn’t care: The group eats up anything. “What we found interesting is that there’s no account too trivial to test credentials for,” Wikoff explained, citing food delivery accounts – e.g., Door Dash – as one of many examples. “You name it. If they had a credential for it, they logged in & looked around,” she outlined.

X-Force researchers also had “a nice chuckle” when they saw ITG18 operators stumbling over CAPTCHAs. “We all know how fun those are,” Wikoff exclaimed. “To humanize the operators, we all struggle. We saw him hung up on traffic lights: It took 45 seconds. It’s a nice reminder that threat actors are human, too.”

X-Force found both stolen victim data & the tools used to get it on the same server.

Validating Credentials

As far as validating credentials goes, it’s “extremely time-consuming,” Wikoff stated. The group must have “a considerable amount of manpower” behind them to pull it off, she surmised. The recordings show it all as a manual cut-&-paste.

The training videos show that the operators stick stolen credentials into Notepad: an easy format for cutting & pasting. Then, they switch between copying a username, pasting it into Gmail or Yahoo, then switching back to Notepad to do the same with passcodes.

Practice Makes Perfect

While it sounds like a ‘hard slog’, the operators go through it with an alacrity that surprised Wikoff & Emerson. “It blows both our minds, how quickly the adversary can get into these accounts & set them up for exfiltrating & monitoring,” Wikoff stated. ‘Practice makes perfect, though’, she remarked: “It just speaks to how long these adversaries have been doing this.”

The training videos also showed the operators modifying Zimbra collaboration accounts, changing the settings to “less secure access.” Then, they flipped back to the compromised accounts’ inboxes &, when they intercepted the “did you make this setting change?” alert, they confirmed that yes, the change was theirs.


The operators next added the compromised email accounts to Zimbra, copying & pasting the email addresses in as account names. They also changed syncing from every 15 minutes to every 1 minute so they could intercept sensitive data closer to real time.

Tracking shows that the group has, over time, taken at least 2Tb since Autumn 2018. The data has included personal information, location details, audio, video, photos, chat logs & SMS messages, & search histories. The group has also compromised social media accounts on top of email accounts.

Use MFA or Else

There are many issues when it comes to the adversary’s faulty opsec, but this is a serious matter, Wikoff & Emerson stressed. In spite of ITG18’s continued errors, it’s conducting a big, & often successful, operation that’s going after personal webmail & social media accounts.

The 2 researchers also stressed the need to train employees. “In case of ITG18, personal resources are targeted, & employees’ personal computing habits can impact the security of the company,” Wikoff explained.

That means they’re going after all our info: where we go on vacation, our voice recordings, our conversations with other people. It’s all “ripe for social engineering opportunities,” she outlined – or for blackmail.

Compromised Accounts

Emerson noted that the group tends to go after targets’ contact lists 1st when it gets access to compromised accounts. “They’re always looking for the next Hotpoint, the next person to go after: often people who are related,” he noted.

All the more reason to keep pounding home the importance of multifactor authentication (MFA), Wikoff outlined. “We’ll say it till we’re blue in the face: … vendors have got to emphasise putting MFA on everything. We see this across the board. We can’t drive this point home enough … to put it lightly.”

Cyber-Espionage & Surveillance

“ITG18 is a very serious, prolific group that runs cyber-espionage & surveillance. Off of email accounts, cell phones. They have hardly changed their tactics over the years,” she stated.

The researchers observed that IBM contacted law enforcement about the number of compromised accounts that they uncovered. As yet, they haven’t detected any reaction from ITG18 in response to the light that IBM’s shed on the group’s opsec glitches: One reason why X-Force feels OK about putting publicity ‘glitter’ on it all, they concluded.
