Ferocious Kitten APT targets Telegram and Psiphon VPN users in Iran

Pierluigi Paganini June 17, 2021

Iran-linked Ferocious Kitten APT group used instant messaging apps and VPN software like Telegram and Psiphon to deliver Windows RAT and spy on targets’ devices.

Researchers from Kaspersky reported that Iran-linked threat actors, tracked as Ferocious Kitten, used instant messaging apps and VPN software like Telegram and Psiphon to deliver Windows RAT and spy on targets.

The cyber spies are stealing sensitive information from the victims since at least 2015, they targeted the two platforms because of their popularity in Iran. Experts pointed out that some of the TTPs used by this APT group overlap the ones associated with other groups that are active against a similar set of targets, such as Domestic Kitten and Rampant Kitten.

The decoy content displayed by the malicious files employed in the attacks often made use of political themes and involved images or videos of resistance bases or strikes against the Iranian regime, a circumstance that suggests the attack is aimed at potential supporters of such movements within the country.

“In addition to the Telegram payload variant analyzed above, one of the malicious samples discovered was a backdoored version of Psiphon, an open-source VPN tool often used to bypass internet censorship. The targeting of Psiphon and Telegram, both of which are quite popular services in Iran, underlines the fact that the payloads were developed with the purpose of targeting Iranian users in mind.” reads the analysis published by Kaspersky. “Moreover, the decoy content displayed by the malicious files often made use of political themes and involved images or videos of resistance bases or strikes against the Iranian regime, suggesting the attack is aimed at potential supporters of such movements within the country.”

Kaspersky spotted the activity of the group by investigating two weaponized documents that were uploaded to VirusTotal in July 2020 and March 2021.

Ferocious Kitten

The two documents include macros used to launch a multi-stage infection aimed at deploying the previously undocumented implant called MarkiRat.

The malware allows attackers to steal victims’ data, record keystrokes, provide file download and upload capabilities, capture clipboard content, and execute arbitrary commands on the infected system.

One of the MarkiRAT variants analyzed by the researchers involves a plain downloader that fetches an executable from a hardcoded domain. This sample diverges from others used by the group in the past because the payload was dropped by the malware itself, suggesting that the Ferocious Kitten APT group is likely changing some of its TTPs.

Experts also spotted a tainted version of the Psiphon tool, an open-source VPN software used to evade internet censorship.

Researchers also discovered that the command-and-control infrastructure was hosting Android applications in the form of DEX and APK files, likely to target mobile users.

“Ferocious Kitten is an example of an actor that operates in a wider ecosystem intended to track individuals in Iran,” concludes the report. “Such threat groups do not appear to be covered that often and can therefore get away with casually reusing infrastructure and toolsets without worrying about them being taken down or flagged by security solutions.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment