Iranian hackers get tech support on forums

Iranian hackers are targeting Android systems using AndroRat and DroidJack

Iranian hackers are targeting Android systems using AndroRat and DroidJack remote-access Trojans, and are getting support from local-language forums.

According to research released this morning by Recorded Future, these particular RATs provide the ability to intercept SMS messages, contacts, call logs, browser history, and user credentials on visited websites. The malware can also intercept data from phone features like the microphone or camera.

These tools are most commonly used in very focused political attacks, said Recorded Future researcher Rodrigo Bijou.

"These are very targeted attack tools," he said. "They have been used before for refugee populations, dissidents, political targets in the Syrian conflict. It's much more personal than, say, hijacking 10,000 machines for a botnet to mine cryptocurrency or banking malware from Russia from run-of-the-mill cybercriminals."

What's surprising, he said, is the high level of tech support available on local language forums.

"People talk about how you access the tools, how you obfuscate communications," he said.

The forum participants also share versions of these tools with one another, and talk about the pros and cons of the various available versions.

"It's fairly extensive support," he said.

It's not clear whether the people participating in the forums are government employees, he said.

"The individuals themselves want to remain anonymous," he said. "But they're mentioning ties to prominent technical universities that feed into the military and other such organizations."

The Android platform makes sense as a target, he added, since, according to IDC data, Android accounts for 80 percent of mobile operating systems in the Middle East.

AndroRat and DroidJack, the two tools getting the most attention on these forums, are older tools and are discussed less frequently in other geographies.

Bijou suggested that these two tools continue to remain popular on Iranian forums because they are easy to use, easy to download, and have strong Farsi-language peer support.

They are free and open source, and have been available for download from GitHub since 2012.

"Someone put it out on GitHub with the source code and everything," said Recorded Future CEO Christopher Ahlberg.

There's a variety of malware on GitHub, including some very complicated, advanced attack tools. Some of it is ostensibly posted for research purposes, as a proof of concept of a vulnerability so that the vendor can close it.

But the tools also have legitimate security uses, for penetration testers and IT administrators, said Bijou.

Bijou added that having an understanding of who the attackers are can help companies defend themselves.

"It adds nuance to understanding the threat landscape," he said. "If you know that certain actors are using certain tools, and you see trends in more attacks of those kinds, you can update your operational security."

This would particularly apply to companies and other organizations that are active in the region, he said.

In addition, security managers should warn corporate executives or politicians traveling to the Middle East to practice basic phone hygiene. That means not using jailbroken phones, keeping all software up to date and patched, and only downloading applications from official app stores.
