On Wednesday, Kaspersky published its findings on a long-term Iranian spyware campaign. The actors behind the spyware used remote access trojans (RAT) to spy on Persian-speaking Iranians.
The campaign was carried out largely under the radar for six years.
It was only recently pointed out by researchers on Twitter when some of the files got uploaded to VirusTotal—a scan engine owned by Google. The malware was first analyzed by Chinese researchers, who determined the rough location of the hackers as well as how the malware runs within Windows systems.
After further analysis, Kaspersky outlined malware’s infiltration tactics and its connection to similar threats.
The malware was primarily spread through spoofed emails pretending to be from Iranian dissidents. The emails contained decoy messages pushing the recipient to enable viewing image content.
The document would then drop various executables to be run when the operating system is restarted, which would download the “MarkiRAT” malware.
The RAT does quite a few things to evade detection.
Primarily, it can attach to Google Chrome or Telegram and be launched together with the app. If you’re unfamiliar with it, Telegram is an application used for private messaging, and it’s a favorite tool for dissidents to protect their identities online.
The malware would then be able to take screenshots and log keystrokes to send to the hackers. It could effectively spy on the user despite privacy measures like encrypted messaging.
Kaspersky also discovered variants of the malware for Android or for attaching to Psiphon. Psiphon is a popular VPN service in Iran and also a major privacy tool.
The tactics clearly show that the RAT was meant to deanonymize and spy on users rather than something like credit card theft.
Kaspersky didn’t explicitly state that the RAT is the product of the Iranian government.
That said, other security researchers mostly agree that the tactic is consistent with the efforts of Tehran to spy on its citizens and snuff out dissent.
Kaspersky also drew parallels between MarkiRAT and similar malware used in Iran. The conclusion is that major hacking groups in the region are associated or at the very least share some developers.
They can also reuse their own technologies and the same infrastructure due to getting little attention from outside security research groups.
It remains to be seen if this revelation will affect the public relations of Iran.