Ferocious Kitten

Ferocious Kitten is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.[1]

ID: G0137
Contributors: Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India; Hiroki Nagahama, NEC Corporation
Version: 1.0
Created: 28 September 2021
Last Modified: 25 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Ferocious Kitten has acquired domains imitating legitimate sites.[1]

Enterprise T1036 .002 Masquerading: Right-to-Left Override

Ferocious Kitten has used right-to-left override to reverse executables’ names to make them appear to have different file extensions, rather than their real ones.[1]

.005 Masquerading: Match Legitimate Name or Location

Ferocious Kitten has named malicious files update.exe and loaded them into the compromise host's "Public" folder.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

Ferocious Kitten has obtained open source tools for its operations, including JsonCPP and Psiphon.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Ferocious Kitten has conducted spearphishing campaigns containing malicious documents to lure victims to open the attachments.[1]

Enterprise T1204 .002 User Execution: Malicious File

Ferocious Kitten has attempted to convince victims to enable malicious content within a spearphishing email by including an odd decoy message.[1]

Software

ID Name References Techniques
S0190 BITSAdmin [1] BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S0652 MarkiRAT [1] Application Layer Protocol: Web Protocols, BITS Jobs, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Password Managers, Data from Local System, Data Staged: Local Data Staging, Exfiltration Over C2 Channel, File and Directory Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Native API, Process Discovery, Screen Capture, Software Discovery, Software Discovery: Security Software Discovery, System Information Discovery, System Location Discovery: System Language Discovery, System Owner/User Discovery

References