Custom Android Backdoor “LittleLooter” Linked to the ‘ITG18’ Iranian Hackers Group

Written by Bill Toulas
Last updated November 1, 2021

The highly sophisticated Iranian hacking group tracked as ‘ITG18’ has made another opsec mistake that blew the cover of a custom Android backdoor they’re using, called “LittleLooter.” The discovery and analysis come from researchers at the IBM Security X-Force team, which has been following these actors closely for a long time now. According to the report, the backdoor is used exclusively by ITG18 and typically comes disguised as a ‘WhatsApp’ APK file (MD5: a04c2c3388da643ef67504ef8c6907fb).

Source: IBM

The capabilities of the “LittleLooter” backdoor are the following:

This is a pretty extensive list, indicative of the power of the malware as well as the sophistication of its authors. Communication with the C2 server takes place via HTTP POST requests and responses, and the attacker-controlled server masquerades as an American flower shop. The data traveling to and from the compromised device is AES-encrypted and Base64-encoded, with the key hardcoded into the malware itself. This has worked excellently in hiding the malicious traffic, as the actors haven’t changed their C2 server address since July 2020.
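The traffic shape described above (HTTP POST bodies that are nothing but Base64-wrapped AES output, sent repeatedly to one unchanging host) can be hunted for in proxy logs. The following is an added example, not code from IBM's report or from this article; it assumes a padded block mode (so decoded lengths are multiples of 16), and the record fields, thresholds, and `.example` hosts are hypothetical.

```python
import base64
import binascii
import hashlib
import math
from collections import Counter

AES_BLOCK = 16  # AES block size in bytes

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext sits far above text or padding."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_b64_aes(body: str, min_len: int = 32, min_entropy: float = 4.5) -> bool:
    """True when a POST body is strict Base64 decoding to block-aligned, high-entropy bytes."""
    try:
        raw = base64.b64decode(body.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False  # form fields, JSON, multipart: not a bare Base64 blob
    if len(raw) < min_len or len(raw) % AES_BLOCK:
        return False  # assumption: padded block mode, so length is a multiple of 16
    return shannon_entropy(raw) >= min_entropy

def suspicious_hosts(records, min_hits: int = 3):
    """Hosts that received at least min_hits POSTs, every one matching the heuristic."""
    seen, hits = Counter(), Counter()
    for rec in records:
        if rec["method"] != "POST":
            continue
        seen[rec["host"]] += 1
        hits[rec["host"]] += looks_like_b64_aes(rec["body"])
    return sorted(h for h in seen if hits[h] >= min_hits and hits[h] == seen[h])

def fake_ciphertext(seed: int, blocks: int = 4) -> str:
    """Constructed stand-in for ciphertext: hash output, block-aligned, Base64-encoded."""
    raw = b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(blocks))
    return base64.b64encode(raw[: blocks * AES_BLOCK]).decode()

# Constructed proxy-log records; hosts use the reserved .example TLD.
SAMPLE = [
    {"method": "POST", "host": "shop.example", "body": fake_ciphertext(s)} for s in range(3)
] + [
    {"method": "POST", "host": "api.example", "body": '{"user": "alice"}'},
    {"method": "POST", "host": "cdn.example", "body": base64.b64encode(b"A" * 64).decode()},
    {"method": "GET", "host": "shop.example", "body": ""},
]

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE))
```

A match is a lead for triage, not a verdict: legitimate apps also post encrypted blobs, so flagged hosts should be correlated with the published indicators of compromise.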

In addition to discovering the “LittleLooter,” X-Force has also found out that the group of Iranian hackers managed to amass massive amounts of stolen credentials and account data, leaving them openly accessible on online databases. In total, since 2018, ITG18 has collected 2TB of data, ranging from Google Takeout profiles to Telegram credentials and from Microsoft 365 to Yahoo email accounts. As IBM comments, this is most probably only a small portion of the data the adversary holds right now.

Source: IBM

Even though ITG18 is being exposed once more, its operations remain active and highly potent. In 2021 alone, they used over 60 servers to host more than 100 phishing domains, so the scale of their operation is still impressive. For organizations and their IT teams, the only way to deal with sophisticated actors is to review the indicators of compromise and use them to find signs of malicious activity on their networks and devices.
