CopyKittens

CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip. [1] [2] [3]

ID: G0052
Version: 1.5
Created: 16 January 2018
Last Modified: 26 May 2021

Techniques Used

Domain ID Name Use
Enterprise T1560.001 Archive Collected Data: Archive via Utility

CopyKittens uses ZPP, a .NET console program, to compress files with ZIP.[2]

Enterprise T1560.003 Archive Collected Data: Archive via Custom Method

CopyKittens encrypts data with a substitution cipher prior to exfiltration.[3]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

CopyKittens has used PowerShell Empire.[2]

Enterprise T1564.003 Hide Artifacts: Hidden Window

CopyKittens has used -w hidden and -windowstyle hidden to conceal PowerShell windows.[2]

Enterprise T1588.002 Obtain Capabilities: Tool

CopyKittens has used Metasploit and Empire for post-exploitation activities.[4]

Enterprise T1553.002 Subvert Trust Controls: Code Signing

CopyKittens digitally signed an executable with a stolen certificate from legitimate company AI Squared.[2]

Enterprise T1218.011 System Binary Proxy Execution: Rundll32

CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode.[2]
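Added example, not code from the ATT&CK page or the cited reports: a small Python detector that applies the two command-line observables in the table above, the hidden-window PowerShell flags and rundll32 loading a DLL from a non-system path, to constructed process-creation records. The record format, the file names and the rule labels are assumptions made for the example.

```python
import re

# Constructed process-creation events (not real telemetry), one record per line.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -w hidden -nop -enc BASE64PLACEHOLDER"',
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -WindowStyle Hidden -ep bypass -File C:\Users\alice\AppData\Local\Temp\update.ps1"',
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -NoProfile -Command Get-Process"',
    r'Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Users\alice\AppData\Roaming\payload.dll,Start"',
    r'Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe shell32.dll,Control_RunDLL"',
]

EVENT_RE = re.compile(r'Image=(?P<image>\S+)\s+CommandLine="(?P<cmd>.*)"\s*$')
# Matches -w hidden and -windowstyle hidden as on the page; powershell.exe also accepts
# other unambiguous prefixes of -WindowStyle, so any -w... token before "hidden" counts.
HIDDEN_WINDOW_RE = re.compile(r'(?i)(?<![\w-])-w[a-z]*\s+hidden\b')
# First argument after rundll32: the (optionally quoted) DLL it is asked to load.
RUNDLL32_ARG_RE = re.compile(r'(?i)rundll32(?:\.exe)?\s+"?([^",\s]+)')
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')


def parse_event(line):
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return {"image": m.group("image"), "cmd": m.group("cmd")}


def classify(event):
    """Return the ATT&CK sub-technique labels this event matches (possibly none)."""
    findings = []
    image = event["image"].lower()
    cmd = event["cmd"]
    if image.endswith("powershell.exe") and HIDDEN_WINDOW_RE.search(cmd):
        findings.append("T1564.003 hidden PowerShell window")
    if image.endswith("rundll32.exe"):
        m = RUNDLL32_ARG_RE.search(cmd)
        # Heuristic: flag only a path-qualified DLL outside the system directories; a bare
        # name such as shell32.dll is the usual legitimate form. Baseline before alerting.
        if m and "\\" in m.group(1) and not m.group(1).lower().startswith(SYSTEM_DIRS):
            findings.append("T1218.011 rundll32 loading DLL outside system directories")
    return findings


def scan(lines):
    """Map event index -> findings for every event that matched at least one rule."""
    hits = {}
    for i, line in enumerate(lines):
        found = classify(parse_event(line))
        if found:
            hits[i] = found
    return hits
```

Running `scan(SAMPLE_EVENTS)` flags the two hidden-window PowerShell launches and the rundll32 load from the user profile, and leaves the plain PowerShell command and the shell32.dll call alone.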

Software

ID Name References Techniques
S0154 Cobalt Strike [2] Abuse Elevation Control Mechanism: Bypass User Account Control, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Access Token Manipulation: Make and Impersonate Token, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Account Discovery: Domain Account, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Multiband Communication, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Windows Remote Management, Remote Services: Remote Desktop Protocol, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote Services: SSH, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0363 Empire [2] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation, Access Token Manipulation: SID-History Injection, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Bookmark Discovery, Clipboard Data, Command and Scripting Interpreter, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Create Account: Domain Account, Create Account: Local Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exfiltration Over Web Service: Exfiltration to Code Repository, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Dylib Hijacking, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Credential API Hooking, Input Capture: Keylogging, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Private Keys, Unsecured Credentials: Credentials In Files, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0167 Matryoshka [2] Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Credentials from Password Stores, Input Capture: Keylogging, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Scheduled Task/Job: Scheduled Task, Screen Capture, System Binary Proxy Execution: Rundll32
S0164 TDTESS [2] Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Indicator Removal on Host: Timestomp, Indicator Removal on Host: File Deletion, Ingress Tool Transfer

References