Custom Android Backdoor “LittleLooter” Linked to the ‘ITG18’ Iranian Hackers Group
- ITG18, an Iranian adversary, has had its custom Android backdoor named “LittleLooter” exposed.
- The actors have amassed terabytes of stolen data from various sources and are keeping them on open servers.
- The group is generally making several opsec mistakes, but this doesn’t affect its operations much.
The highly sophisticated Iranian hacking group tracked as ‘ITG18’ has made another opsec mistake that blew the cover of a custom Android backdoor they’re using, called “LittleLooter.” The discovery and analysis come from researchers at the IBM Security X-Force team, which has been following the particular actors closely for a long time now. According to the report, the backdoor is being exclusively used by ITG18, and it typically comes under the disguise of a ‘WhatsApp’ APK file (md5: a04c2c3388da643ef67504ef8c6907fb).
The capabilities of the “LittleLooter” backdoor are the following:
- Record video
- Call a number
- Record live screen
- Upload/download/delete a file
- Record sound
- List storage information
- Record voice call
- Gather GPS- or GSM-based location
- List device information
- Show network activity
- Determinate whether the screen is on or off
- Show network speed
- List installed apps
- Show network connectivity
- Send browser history
- Turn on/off Wi-Fi
- Turn on/off Bluetooth
- Turn mobile data on/off
- List contact information
- List SIM card information
- List SMS inbox/outbox/drafts
- Take a picture
- List calls including received and missed calls
This is a pretty extensive list, indicative of the power of the malware as well as the sophistication of its authors. The communication with the C2 server takes place via HTTP POST requests and responses, while the attacker-controlled server is masqueraded as an American flower shop. The data that fly from and to the compromised device is AES encrypted and BASE64 encoded, with the key being hardcoded into the malware itself. This has worked excellently in hiding the malicious traffic, as the actors haven’t changed their C2 server address since July 2020.
In addition to discovering the “LittleLooter,” X-Force has also found out that the group of Iranian hackers managed to amass massive amounts of stolen credentials and account data, leaving them openly accessible on online databases. In total, since 2018, ITG18 has collected 2TB of data, ranging from Google Takeout profiles to Telegram credentials and from Microsoft 365 to Yahoo email accounts. As IBM comments, this is most probably only a small portion of the data the adversary holds right now.
Even though ITG18 is being exposed once more, its operations remain active and highly potent. In 2021 alone, they used over 60 servers to host more than 100 phishing domains, so the scale of their operation is still impressive. For organizations and their IT teams, the only way to deal with sophisticated actors is to review the indicators of compromise and use them to find signs of malicious activity on their networks and devices.