Security Alert: IranGuard Spyware Campaign

A spear-phishing campaign is distributing surveillance malware named "IranGuard" targeting Iranian individuals and organizations. The malware is delivered via spear-phishing emails impersonating the "Etelaat Faraja" (فرماندهی اطلاعات فراجا - FARAJA Intelligence Command), an Iranian law enforcement intelligence agency. The campaign distributes both Android (APK) and Windows (EXE) variants of the spyware, providing comprehensive surveillance capabilities across both mobile and desktop platforms.

Malware Analysis

Android Variant (Iranguard.apk)

Detection Rate: 22/67 antivirus engines

Classification:

Kaspersky: HEUR:Trojan-Spy.AndroidOS.Agent.abd
ESET: Android/Spy.Agent.APU trojan
DrWeb: Android.Backdoor.739.origin
Avast/AVG: Android:Caspy-C [Spy]

Package Information:

Package Name: com.example.dat.a8andoserverx
Main Activity: com.example.dat.a8andoserverx.MainActivity
Min SDK: 14 (Android 4.0)
Target SDK: 22 (Android 5.1)

Certificate Information:

CN: Ahmed
Location: Gaza, Palestine
Valid From: June 11, 2018
Thumbprint: d8627113ff814745774947709c730c678832c43a

Dangerous Permissions Requested:

Permission	Risk
READ_SMS / WRITE_SMS	SMS interception and manipulation
SEND_SMS	Send SMS without user knowledge
ACCESS_FINE_LOCATION	GPS tracking
ACCESS_COARSE_LOCATION	Network-based location tracking
RECORD_AUDIO	Audio/call recording
CAMERA	Photo/video capture
READ_CONTACTS	Contact exfiltration
READ_CALL_LOG	Call history theft
PROCESS_OUTGOING_CALLS	Call interception
READ_PHONE_STATE	Device information collection
WRITE_EXTERNAL_STORAGE	File system access

Malicious Behaviors (MITRE ATT&CK):

Technique ID	Description
T1430	Location tracking (GPS)
T1429	Audio capture / microphone access
T1418	Application enumeration
T1409	Access stored account data (Gmail, WhatsApp)
T1571	Non-standard port communication
T1573	Encrypted channel (HTTPS)

Key Capabilities:

SMS interception and exfiltration (content://sms/inbox)
Contact theft (ContactsContract)
Incoming/outgoing call monitoring
Audio recording via MediaRecorder
GPS location tracking
Auto-start on boot (BOOT_COMPLETED)
Hides app icon from launcher (stealth mode)
Requests root access (su command)

Windows Variant (Iranguard.exe)

Detection Rate: Multiple engines detect as malicious trojan

Classification:

YARA Rule: AutoIT_Compiled - Compiled AutoIT script
Sigma Rule: High severity - "New RUN Key Pointing to Suspicious Folder"
Threat label: trojan.valyria

File Properties:

File Type: PE32 executable (GUI) Intel 80386
Compiler: AutoIt v3
Size: 1,367,955 bytes
PE Timestamp: 2012-01-29

Persistence Mechanism:

Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UQJWJJ
Value: "C:\Users\[USER]\AppData\Roaming\Windata\Iranguard.exe"

Malicious Behaviors (MITRE ATT&CK):

Technique ID	Description
T1056.001	Keylogging via polling
T1113	Screenshot capture
T1115	Clipboard data theft
T1105	Download and execute files
T1497.002	Sandbox evasion (mouse movement check)
T1547.001	Registry Run key persistence
T1564.003	Hidden window execution
T1134	Access token manipulation
T1012	Registry enumeration
T1082	System information discovery
T1057	Process enumeration
T1529	System shutdown capability

Key Capabilities:

Keylogger - Records all keystrokes
Screenshot capture - Takes desktop screenshots
Clipboard monitoring - Steals copied data
File download/execution - RAT functionality
FTP communication - Data exfiltration
Process enumeration - System reconnaissance
Anti-analysis - Checks for mouse movement to detect sandboxes
Persistence - Registry autorun modification

Phishing Email Analysis

The phishing email impersonates "Etelaat Faraja" (فرماندهی اطلاعات فراجا), which translates to "FARAJA Intelligence Command" - a reference to Iranian law enforcement intelligence. The email was sent to a massive distribution list including:

Email Content (Translated):

Subject: Important Directive from FARAJA Intelligence Command
The Islamic Republic of Iran Intelligence Organization Command has issued an emergency directive requiring the use of the IranGuard application for:
Work communications
Necessary coordination
Features of IranGuard:
Available for Android (smartphones) and Windows (computers)
Functions as a secure communication option during severe internet restrictions
Emergency Status: Download links provided
Windows: hxxp[:]//up44[.]ir/yhloi2vr
Android: hxxp[:]//up44[.]ir/saia4vhc

The email uses urgency and authority impersonation to trick victims into installing the spyware.

Attribution Indicators

While definitive attribution requires further investigation, several indicators suggest potential state-sponsored origin:

Target Selection: Iranian civil society, universities, government workers, human rights organizations
Impersonation: Uses legitimate Iranian government agency branding (FARAJA)
Language: Native Persian content with government-style formatting
Infrastructure: Uses portmap.io tunneling service to obscure C2 infrastructure
Certificate: Signed with name "Ahmed" from "Gaza, Palestine" - likely false flag

Indicators of Compromise (IOCs)

File Hashes

File	SHA256
Iranguard.apk	8ea1dde61f3357a5068a4ff4b3619eee9853c8acea0609bc39c6db243681382e
Iranguard.exe	3f303fad86ad441089a7b0406d08252d97a5ec5742d900191b09198301de3ca1

Network Indicators

Type	Value	Description
Domain	bermoda-38337[.]portmap[.]host	C2 Server (using portmap.io tunneling)
IP Address	193[.]161.193.99	Resolved C2 IP
Port	38337/TCP	C2 Communication Port
Distribution URL	hxxp[:]//up44[.]ir/yhloi2vr	Windows malware download
Distribution URL	hxxp[:]//up44[.]ir/saia4vhc	Android malware download

Email Indicators

Field	Value
Sender (spoofed)	etelaat.faraja@gmail[.]com
Subject (Persian)	بخشنامه مهم از طرف فرماندهی اطلاعات فراجا
Subject (English)	"Important Directive from FARAJA Intelligence Command"