
Adversary Security Blunders Reveal LittleLooter Android Malware


A series of security blunders made by suspected Iranian threat group ITG18 gave researchers an inside look into an Android malware variant utilized by the group.

ITG18 has TTPs that overlap with the threat groups known as Charming Kitten and Phosphorus, said researchers, and has previously targeted the private emails of politicians, journalists and, more recently, senior personnel in medical institutions and research facilities in the United States and Israel. The group has both launched credential phishing attacks and used malware to steal sensitive data from victims.

During an investigation into ITG18's campaigns, researchers with IBM X-Force said that they discovered the group using a variant of Android malware, which they called “LittleLooter.” Allison Wikoff, senior strategic cyber threat analyst, and Richard Emerson, senior threat hunt analyst at IBM X-Force, said that LittleLooter, which they have not observed being used by another threat actor, is a custom Android backdoor that has various information-stealing capabilities.

“Our continued analysis led to the discovery of a malicious tool that has not been previously linked to this threat actor, a custom Android backdoor we named LittleLooter,” according to the researchers in a Wednesday session at Black Hat.

A Series of Mistakes

While investigating campaigns dating back to May 2020, researchers found various errors made by the threat actors that gave them an inside look into ITG18’s TTPs. Researchers discovered a misconfigured server that was associated with the threat actor, which revealed exfiltrated data and showed what information the attackers were interested in targeting. After combing through the open server, for instance, researchers found that the threat actor had exfiltrated roughly 120 gigabytes of data from 20 victims that were aligned with the Reformist movement in Iran.

The misconfigured server also gave researchers insight into tools that were stored on it, including the LittleLooter remote access tool (under the filename “WhatsApp.apk”). This Android malware is “functionally rich,” researchers said, with a variety of surveillance capabilities. These abilities include recording video, live screen, sound and voice calls; calling numbers; gathering GPS location data; showing network activity; taking pictures and listing calls and contact information.

Researchers said that the LittleLooter sample they analyzed had the version number 5 and an update capability. They predicted that the malware had likely been in use by the threat group for years.

“While X-Force did not observe how initial access to the accounts was gained, ITG18 could have leveraged LittleLooter’s capabilities or used phishing/social engineering to gather account credentials from their targets,” said researchers.

Through the open server, researchers also discovered two training videos utilized by the group. The videos, which the group made with free screen recording software, revealed how ITG18 exfiltrates data and how it configures the compromised personal email accounts of victims in order to maintain undetected access. For instance, researchers learned just how far the group would go to add a personal touch to their social engineering efforts, from emailing victims to gain further rapport with them, to even calling targets.

During their research, researchers also discovered how manual many of the campaigns are. Researchers observed an operator spending hours working manually to validate credentials for just two victims, by copying and pasting stolen victim usernames and passwords into various websites.

Overall, said Wikoff, the videos “suggest the group is large enough to need training videos, but they might also have some turnover.”

The Future of ITG18

Researchers warn that the threat group continues to persist despite a number of public disclosures being made around their “insecure activity.” In 2019, for instance, Microsoft cracked down on the group's infrastructure with a takedown effort of 99 domains utilized in the group’s phishing campaigns. Microsoft has also previously disclosed details about an ITG18 campaign that targeted victims associated with the 2020 presidential campaign. However, despite these disclosures, the group hasn't seemed to care and has done very little to improve its infrastructure in response, said researchers.

“They don’t seem concerned with public disclosure,” said Emerson.