Researchers Expose Iranian Phishing Servers Targeting Opposition

A group of researchers from the security firm Check Point claimed that they have breached phishing servers used by Rocket Kitten.

Rocket Kitten is a group of hackers who are believed to be working in cahoots with the Iranian government.

Rocket Kitten came into the spotlight in April 2014 and was unmasked in May 2014 by FireEye researchers. But significant information regarding how the group works was unearthed in a report from Trend Micro and ClearSky.

Researchers also claim that the group’s prime targets have been individuals and institutions who oppose the Iranian government. The main weapon for attacking these targets has been spear phishing campaigns aided by social engineering tactics.

What made their attacks untraceable to security tools were simple tweaks the group made to their operations’ code.

Although the group was thought to have vanished in September, researchers have found the group to be working with slight changes to the malicious code which they used to keep their identities hidden.

In an attempt to find out what the group was doing, researchers scanned the group’s phishing servers and found one of them unprotected. After analyzing the server, researchers were able to discover the group’s previous targets and how the group was linked to the Iranian government.

Researchers were also able to identify the basic elements of the group’s attacks. The following is the list of tools they used:

the CWoolger keylogger (written in C++)
the .NETWoolger keylogger (written in C#)
the FireMalv Firefox password stealer
the Gholee malware
the MPK RAT (remote access trojan)
the Metasploit hacking framework
the Havij & SQLMap SQL injection tools
the Acunetix & Netsparker Web vulnerability scanners
the WSO Web Shell PHP-based backdoor
the NIM-Shell Perl-based backdoor

Furthermore, the most astonishing claim made by the researchers is that they were also able to find the real identities of two of the group’s members, Yaser Balaghi and Mehdi Mahdavi, software engineers from Tehran.

But despite the server being exposed by the security team, the group’s operations are unlikely to halt: this is a state-sponsored group, so it will carry on.

Rocket Kitten is not the only project the Iranian government is working on. In the past, a 27-year-old graduate student, Mohammad Yousefi, was sent to prison in Iran as part of a crackdown on social media users carried out through the “Black Spider” entrapment project.

The report, Rocket Kitten: A Campaign With 9 Lives (PDF), is available for download.