But now threat actors are finding ways to leverage Psiphon VPN and apps like Telegram to install a Windows Remote Access Trojan (RAT) capable of stealing sensitive data from victims' devices, according to cybersecurity firm Kaspersky, which has attributed the campaign to the advanced persistent threat (APT) group Ferocious Kitten.
Ferocious Kitten is an Iranian cyber-espionage group that has operated under the radar since 2015, relying on a host of obfuscation techniques to implant malware that remains undetected on target devices such as PCs and, possibly, Android phones.
How are hackers targeting Psiphon VPN users and stealing sensitive data from victims' devices?
The targeting of Psiphon hinges on the popularity of the service in Iran, and underlines that the payloads were developed for Iranian users: the decoy content carried by the malicious files is often politically themed, involving images or videos of resistance or strikes against the Iranian regime.
Kaspersky's findings are based on two weaponized documents uploaded to VirusTotal in July 2020 and March 2021. Both carried embedded macros that, once enabled, drop next-stage payloads to deploy a new implant called MarkiRat. The backdoor gives adversaries access to personal data on the victim's machine: it records keystrokes, captures clipboard content, downloads and uploads files, and can execute arbitrary commands.
The attackers also experimented with variants of MarkiRat that hijack the launch of applications such as Chrome and Telegram so that starting the legitimate app runs the malware first, keeping it persistently anchored to the PC and making it harder to detect or remove. The discovered samples also included a backdoored version of the open-source VPN tool Psiphon.
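The article does not say how MarkiRat inserts itself in front of Chrome and Telegram, only that launching those apps launches the malware. The added hunting script below is not Kaspersky's code and does not come from the campaign's toolset; it assumes the two cheapest ways to achieve that effect on Windows, repointing the app's shortcuts or swapping the binary they target, and checks every matching shortcut for a target outside the app's normal install directories, a broken Authenticode signature, or shortcut arguments that name a second executable. The application name list, the expected install roots, and the shortcut locations are assumptions chosen for this illustration; adjust them to your estate.

```powershell
# Added example (not from Kaspersky's report): look for launch hijacking of
# commonly abused desktop apps by validating their shortcuts and targets.

# Assumed: the apps to check (matched against the shortcut name).
$AppNames = @('chrome', 'telegram')

# Assumed: directories a legitimate install of these apps normally lives under.
$ExpectedRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    (Join-Path $env:LOCALAPPDATA 'Google'),
    (Join-Path $env:APPDATA 'Telegram Desktop')
) | Where-Object { $_ }

# Shortcut locations a user double-clicks: desktop, Start Menu, pinned taskbar.
$ShortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
) | Where-Object { $_ -and (Test-Path $_) }

$Shell = New-Object -ComObject WScript.Shell

Get-ChildItem -Path $ShortcutDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
  Where-Object { $n = $_.BaseName.ToLower(); $AppNames | Where-Object { $n -like "*$_*" } } |
  ForEach-Object {
    $lnk      = $Shell.CreateShortcut($_.FullName)
    $target   = $lnk.TargetPath
    $sig      = $null
    $findings = @()

    if (-not $target -or -not (Test-Path $target)) {
        $findings += 'target missing'
    } else {
        # 1. A target outside the expected install roots (e.g. %TEMP% or a
        #    random folder under %APPDATA%) is the classic sign of a repointed shortcut.
        $inExpected = $ExpectedRoots | Where-Object { $target.StartsWith($_, 'OrdinalIgnoreCase') }
        if (-not $inExpected) { $findings += "target outside expected roots: $target" }

        # 2. A trojanised launcher that chains to the real app normally cannot
        #    carry the vendor's valid signature.
        $sig = Get-AuthenticodeSignature -FilePath $target
        if ($sig.Status -ne 'Valid') { $findings += "signature $($sig.Status)" }

        # 3. Shortcut arguments naming another executable or script are a cheap
        #    way to slip a loader in front of the legitimate binary.
        if ($lnk.Arguments -match '\.(exe|dll|bat|cmd|ps1|vbs|js)\b') {
            $findings += "suspicious arguments: $($lnk.Arguments)"
        }
    }

    [PSCustomObject]@{
        Shortcut = $_.FullName
        Target   = $target
        Signer   = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
        Findings = ($findings -join '; ')
    }
  } | Where-Object { $_.Findings } | Format-List
```

Run it in the context of the user whose profile you are examining, since per-user shortcuts and Telegram's default install directory live under that profile. A hit on any of the three checks is a lead, not a verdict: compare the flagged binary's hash against the vendor's release and review the shortcut's modification time before treating the machine as compromised.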
The group's command-and-control infrastructure is believed to have hosted Android applications in the form of DEX and APK files, which raises the question of whether the threat actor is also developing malware aimed at Android users.
While Ferocious Kitten's domestic focus may have shielded the group from international scrutiny, Kaspersky's discovery suggests that cyber-surveillance of the Iranian public is more extensive and intrusive than previously thought.