Researchers Discover New Charming Kitten Mobile Malware
Security researchers working with IBM recently published an analysis of a new piece of Android malware that is spread and used by the threat actor known under the aliases Charming Kitten and APT35. The researchers stated that the malware is used by a threat actor they call ITG18, with suspected connections to Iran, but that this APT also has significant overlap with Charming Kitten.
The malware in question is called "LittleLooter" and acts as a backdoor for Android devices. According to IBM's researchers, LittleLooter is a tool used exclusively by the ITG18 group, though it is also one with some design issues.
The file containing the malware was found on a server associated with the suspected Iranian hacker group. The container was an Android app package posing as a WhatsApp installer, named "WhatsApp.apk", with the MD5 checksum "a04c2c3388da643ef67504ef8c6907fb".
LittleLooter is a versatile stealer with a wide range of capabilities: recording video and audio from the infected device, uploading and exfiltrating files stored on it, recording ongoing conversations, checking installed apps, toggling device functionality such as Bluetooth, Wi-Fi and mobile data on or off, and checking call logs.
The researchers previously also uncovered hours of video intended to train operators in the use of a previous version of the malware. The most recent LittleLooter sample is stamped v5, while the tutorials on how to use the malware covered v4.
For its command and control infrastructure, LittleLooter attempts to contact a server that claims to belong to an American flower shop, of all possible things, and has been online and running since mid-2020. Communication is both compressed and encrypted using AES.
As with all similar attacks and mobile malware, IBM's researchers recommended enabling multi-factor authentication on as many devices and applications on those devices as possible. Allison Wikoff, a security researcher with IBM Security X-Force, said researchers would continue hammering home the importance of MFA until they're "blue in the face", especially because not all vendors implement it or make it mandatory for their products.