Domestic Kitten has been conducting surveillance targeting over 1,000 individuals

Pierluigi Paganini February 08, 2021

Iran-linked APT group Domestic Kitten, also tracked as APT-C-50, has been conducting widespread surveillance targeting over 1,000 individuals.

Domestic Kitten, also tracked as APT-C-50, is an Iran-linked APT group that has been active at least since 2018. In 2018, researchers at security firm CheckPoint uncovered an extensive surveillance operation conducted by Domestic Kitten aimed at specific groups of domestic individuals that were considered a threat to the Iranian regime.

“In this in-depth research, we uncover significant parts of two advanced Iranian cyber-groups – Domestic Kitten and Infy.  Both groups have conducted long-running cyber-attacks and intrusive surveillance campaigns, which target both individuals’ mobile devices and personal computers.” reads the report published by Checkpoint. “The operators of these campaigns are clearly active, responsive and constantly seeking new attack vectors and techniques to ensure the longevity of their operations.”

According to a new report published by the Check Point research team, the group has been conducting widespread surveillance for the past four years.

At the time of this writing, researchers uncovered at least four active campaigns targeting individuals across the world, most of them in Iran, the US, Afghanistan, and Pakistan.

Domestic Kitten

The nation-state actors targeted over 1,200 individuals and infected more than 600 devices. 

The researchers documented a malware, tracked as ‘FurBall,’ that was employed since the beginning of the operation.

The malware support multiple surveillance capabilities, such as collecting device identifiers, grabbing SMS messages and call logs, surround recording with the device microphone, call recording, stealing media files (such as videos and photos), obtaining a list of installed applications, tracking the device location, stealing files from the external storage, and more.

FurBall borrows the code from the commercially-available monitoring software called KidLogger, the development team either obtained its source code, or reverse-engineered a sample.

The attack chain leverage multiple vectors Telegram channels, SMS messages containing a link to the malware, phishing messages, and watering hole attacks involving Iranian websites.

Threat actors used a large variety of covers to avoid detection, including:

  • VIPRE Mobile Security – A fake mobile security application.
  • ISIS Amaq – A news outlet for the Amaq news agency.
  • Exotic Flowers – A repackaged version of a game from Google Play.
  • MyKet – An Android application store.
  • Iranian Woman Ninja – A wallpaper application.

Once the malicious app gathered the information from the compromised devices, they sent it to C2. Experts noticed that attackers used the same C2 servers employed in Domestic Kitten’s campaigns since 2018. The IP addresses associated with the C2 servers were found in Iran, Tehran and Karaj.

Check Point researchers, along with experts at SafeBreach, also documented the activities of another APT group, tracked as Infy, which is also actively targeting Iranian dissidents.

The Infy malware was first submitted to VirusTotal on August 2007, meanwhile, the C&C domain used by the oldest sample spotted by the experts has been associated with a malicious campaign dated back December 2004.

The group used the Tonnerre and Foudre (Thunder & Lightning) tools to spy on Windows-based PCs.  

“The tools employ voice-recording, file stealing from the PC and external storage along with other capabilities. Our research uncovered these previously unknown tools as well as other advanced techniques used by this group which clearly show how their operators constantly try to evolve and evade any possible interference of their operations.” reads a second report published by CheckPoint.

During the first half of 2020, the APT group used new versions of Foudre along with new documents designed to lure victims. The malware runs a macro once the victim closes the document.

Tonnerre is used by the Iran-linked hackers to expand the functionality of Foudre.

“It seems that following a long downtime, the Iranian cyber attackers were able to regroup, fix previous issues and dramatically reinforce their OPSEC activities as well as the technical proficiency and abilities of their tools.” concludes the report.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Domestic Kitten)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment