Ferocious Kitten: 6 years of covert surveillance in Iran

[harlan4096]

Ferocious Kitten is an APT group that since at least 2015 has been targeting Persian-speaking individuals who appear to be based in Iran.

Although it has been active for a long time, the group has mostly operated under the radar and has not been covered by security researchers to the best of our knowledge. It is only recently that it drew attention when a lure document was uploaded to VirusTotal and went public thanks to researchers on Twitter. Since then, one of its implants has been analyzed by a Chinese threat intelligence firm.

We were able to expand on some of the findings about the group and provide insights into the additional variants that it uses. The malware dropped from the aforementioned document is dubbed ‘MarkiRAT’ and used to record keystrokes, clipboard content, provide file download and upload capabilities as well as the ability to execute arbitrary commands on the victim machine. We were able to trace the implant back to at least 2015, where it also had variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method.

Interestingly, some of the TTPs used by this threat actor are reminiscent of other groups that are active against a similar set of targets, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings and our own analysis on the mechanics of the MarkiRAT malware.

Background

Two suspicious documents that were uploaded to VirusTotal in July 2020 and March 2021, and which seem to be operated by the same attackers, caught our attention. One of the documents is called “همبستگی عاشقانه با عاشقان آزادی2.doc” (translates from Persian as “Romantic Solidarity With Lovers of Freedom2.doc”) and contains malicious macros that are accompanied by an odd decoy message attempting to convince the victim to enable its content.

After enabling their content, both documents drop malicious executables to the infected system and display messages against the regime in Iran, such as the following (translated from Persian):
 

I am Hussein Jafari

I was a prisoner of the regime during 1363-64.
Add my name to the prisoners' statement of Iraj Mesdaghi about the bloodthirsty mercenary.
Please use the nickname Jafar for my own safety and my family.

Hussein Jafari
July 1399

The macros in the documents convert an embedded executable from hexadecimal and write it to the “Public” folder as “update.exe”. Afterwards, the payload gets copied to the “Startup” directory under the name “svehost.exe” to ensure it automatically runs when the system is started.

In addition to the above documents, we managed to find malicious executables that were used by the attackers and date back to as early as 2015. It seems that in the past the attackers delivered executables directly to the victims and only recently introduced weaponized documents as the initial infection vector.

Moreover, the attackers used the “right-to-left override” technique that causes parts of the executables’ names to be reversed, making them appear to have a different extension such as .jpg or .mp4, rather than their real one. When run, the executables display decoy content to the victims, with some presenting images of protests against the Iranian regime and its institutions, or videos from resistance camps.
...

Continue Reading