Custom Android Backdoor “LittleLooter” Linked to the ‘ITG18’ Iranian Hackers Group

  • ITG18, an Iranian adversary, has had its custom Android backdoor named “LittleLooter” exposed.
  • The actors have amassed terabytes of stolen data from various sources and are keeping them on open servers.
  • The group is generally making several opsec mistakes, but this doesn’t affect its operations much.

The highly sophisticated Iranian hacking group tracked as ‘ITG18’ has made another opsec mistake that blew the cover of a custom Android backdoor they’re using, called “LittleLooter.” The discovery and analysis come from researchers at the IBM Security X-Force team, which has been following the particular actors closely for a long time now. According to the report, the backdoor is being exclusively used by ITG18, and it typically comes under the disguise of a ‘WhatsApp’ APK file (md5: a04c2c3388da643ef67504ef8c6907fb).

Source: IBM

The capabilities of the “LittleLooter” backdoor are the following:

  • Record video
  • Call a number
  • Record live screen
  • Upload/download/delete a file
  • Record sound
  • List storage information
  • Record voice call
  • Gather GPS- or GSM-based location
  • List device information
  • Show network activity
  • Determinate whether the screen is on or off
  • Show network speed
  • List installed apps
  • Show network connectivity
  • Send browser history
  • Turn on/off Wi-Fi
  • Turn on/off Bluetooth
  • Turn mobile data on/off
  • List contact information
  • List SIM card information
  • List SMS inbox/outbox/drafts
  • Take a picture
  • List calls including received and missed calls

This is a pretty extensive list, indicative of the power of the malware as well as the sophistication of its authors. The communication with the C2 server takes place via HTTP POST requests and responses, while the attacker-controlled server is masqueraded as an American flower shop. The data that fly from and to the compromised device is AES encrypted and BASE64 encoded, with the key being hardcoded into the malware itself. This has worked excellently in hiding the malicious traffic, as the actors haven’t changed their C2 server address since July 2020.

In addition to discovering the “LittleLooter,” X-Force has also found out that the group of Iranian hackers managed to amass massive amounts of stolen credentials and account data, leaving them openly accessible on online databases. In total, since 2018, ITG18 has collected 2TB of data, ranging from Google Takeout profiles to Telegram credentials and from Microsoft 365 to Yahoo email accounts. As IBM comments, this is most probably only a small portion of the data the adversary holds right now.

Source: IBM

Even though ITG18 is being exposed once more, its operations remain active and highly potent. In 2021 alone, they used over 60 servers to host more than 100 phishing domains, so the scale of their operation is still impressive. For organizations and their IT teams, the only way to deal with sophisticated actors is to review the indicators of compromise and use them to find signs of malicious activity on their networks and devices.



Why Is Demon Slayer So Popular?

In August 2019, the world suddenly started talking about an anime series that had just released its nineteenth episode. Fast forward to...

F1 Live Stream 2022: How to Watch Formula 1 Without Cable

There's not much time until the 2022 Formula 1 World Championship gets underway - the first race is scheduled for late March,...

Disney+ Announces Basketball Series Inspired By Award-Winning Book The Crossover

Disney Plus announced a new basketball-themed drama series that is set to land on the streaming platform, drawing inspiration from the critically...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari