Malicious Spyware Has Attacked At Least 74 Victims Worldwide, Azeri and Gonabadi Dissidents Among Targets

Iranian state agents continue to use malware to hack into the online accounts of religious minority groups inside and outside Iran, investigations by the Center for Human Rights in Iran (CHRI) have shown, with the latest attacks, designed to steal the private information in individuals’ accounts, bringing to nearly a hundred the accounts that have been hacked by the state.

Since CHRI first began investigating the cyberattacks in early 2018, at least 74 people in Iran, Europe and the United States have fallen victim to the spyware.

First attacking the accounts of the administrators of Majzooban Noor in February 2018 (the official website of the persecuted Gonabadi Sufi Muslim community) and other minority groups, the latest round of cyberattacks have targeted Azeri dissidents, with at least 27 known attacks in the past week. These include a journalist working for the Azeri section of Voice of America and other Azeri dissidents around the globe, according to CHRI’s findings.

The malware has also been used during the past year against Iranian women’s rights advocates and student activists in Tehran, as well as against the personnel of Dorr TV, a pro-Gonabadi station based in France, members of the so-called South Azerbaijan Democratic Party in Sweden, and the Heydar Baba Azeri media group.

CHRI has also learned that official Gonabadi Sufi Muslim website majzooban.org came under intense state-sponsored DDoS (Distributed Denial of Service) attacks during May 5-7, 2019, which blocked access to it for many hours.

The Malware’s Capabilities

The malware has multiple capabilities that enable the state to identify private user information, communications and contacts, which severely endangers the attacked account holders. The Islamic Republic arrests and imprisons dissidents based on online communications. The spyware can:

Gather a list of existing files on the victim’s computer.

Take screenshots of the monitor at the attacker’s discretion.

Record keyboard impressions.

Enable remote access to the computer.

CHRI’s investigations show that the malware’s operators, based in Oroumiyeh, in West Azerbaijan Province, registered a domain that appeared to be associated with the popular Telegram messaging app, with the intention to plan phishing attacks on their targets. It is not known if the domain was used for such attacks.

CHRI believes the malware’s newest incarnation, in use since July 2018, has an evolved method to communicate with its developers while maintaining its fundamental technical core. It encrypts all the information gathered from the victim’s computer into AES-256 with psyAesCrypt 0.4.3.

CHRI’s investigations also show that the hackers moved their server from a city in the southern shores of the Persian Gulf to another location and did not renew their registration of the domain associated with the Telegram app. The domain—telegramdesktop.com—was registered by irPowerWeb, an Iranian company on October 18, 2017, and expired a year later.

The Indicators of Compromise (IoCs) of the malware:

Video-record-20180220-convertmp4.zip (MD5: b4184045a355bb2ca7405bd5bbb12626)

Video-record-20180220-convertmp4.scr (MD5: d41d8cd98f00b204e9800998ecf8427e)

Myvideo.mp4 (MD5: bb7c52a141e2ea1d3a7d276c8e57f3cc)

662fsnnsf.nfs (MD5: 8c2ba49841dd2cd9e3f08cdae2e2cda0)

Malware’s History

The malware’s origins go back to the political upheavals following the disputed 2009 presidential election when the earliest version of the state spyware was used in December of that year to target the computers and mobile phones of protesters, dissidents and opposition activists. (Malware is a computer program that runs spyware with the aim of collecting information or eavesdropping on the victim after the spyware is installed on a computer or mobile phone. These attacks are heavily used by the Iranian state to monitor, take control of, or block accounts.)

CHRI’s research revealed that the spyware was used heavily against the Gonabadi community in 2018, after a conflict between the state and the Gonabadi Sufis came to a head in February 2018 when three policemen, two Basij militia members and at least one Sufi died as a result of a bloody clash with security forces in Tehran over the arrest of a number of Sufis and the continuing house arrest of the order’s spiritual leader, Nour Ali Tabandeh.

Approximately a month later a suspicious email was sent to one of the Majzooban website admins asking for the publication of an attachment that was supposedly a four-hour video “shedding light on the truth” about the February clashes in the capital.

When the attached compressed ZIP file was opened, it installed a file in .SCR format on the victim’s computer, which subsequently copied an NFS file, a VBScript file and a video file onto the computer.

The type of malware that was deployed and the people who were targeted reveal that the cyberattacks originated from the country’s security establishment, which includes the Islamic Revolutionary Guard Corps (IRGC) and the Intelligence Ministry.

Hacking citizens’ digital data to access their personal information is banned in Iran by the Cyber Crimes Law but security and judicial agencies have repeatedly broken this law.

According to an investigation by CHRI, between October 19, 2017, and April 9, 2018, Iranian state hackers sent malware to at least 37 different targets located inside and outside the country, including a media group affiliated with the Gonabadi Dervishes, Sufi and ethnic minority rights activists, and Azeri dissident groups.