Ferocious Kitten, an APT group based in Iran, is actively targeting Iranians. Recently, a lure document was uploaded to VirusTotal which went public on Twitter. One of its implants has been investigated by a Chinese threat intelligence firm.
What has happened?
Researchers have released some findings on the group and provided insights into the other variants. Now, the group is using malicious documents to deliver MarkiRAT that records keystrokes and clipboard content.
- Two suspicious documents were uploaded to VirusTotal in July 2020 and March, that are apparently operated by the same attackers.
- One of the documents is Romantic Solidarity With Lovers of Freedom2[.]doc and included malicious macros along with an odd decoy message trying to persuade the victim to enable its content.
- Once their macro content is enabled, both documents drop malicious exes to the targeted system and show messages against the regime in Iran.
- In the past, the attackers spread .exe files directly to the victims. However, in the recent attacks, the attackers started using the weaponized documents as the primary infection vector.
Moreover, some of the TTPs recently used by Ferocious Kitten share a resemblance to other active threat groups attacking similar sets of targets, for example, Rampant Kitten and Domestic Kitten.
About MarkiRAT
MarkiRAT has been traced back to at least 2015. It has variants designed to attain persistence in Telegram and Chrome applications.
- The internal name of the implant is mklg, which is visible in the PDB paths used in the executable binaries. This name possibly stands for ‘Mark KeyLogGer’, where Mark could be used as an internal HTML tag.
- It has file download and upload capabilities and can execute arbitrary commands on the victim machine. In addition, it can receive commands via C2 and execute them.
Conclusion
Ferocious Kitten is a threat actor that operates with an aim to track individuals in Iran. Although its toolset is not too sophisticated, it is a well-skilled group. The group is, moreover, trying to enhance its arsenal with new tools to make its attacks more successful.
To read the original article: