Threat hunters at Kaspersky are sounding a warning for an Iranian APT actor that has been silently conducting domestic cyber-surveillance operations for the last six years.
The newly discovered APT, which Kaspersky calls Ferocious Kitten, has been active since at least 2015 and has used clever computer infection tricks to hijack Telegram and Chrome installations to deploy a malicious payload.
The Russian cybersecurity vendor said it also observed signs that Android implants have been used to target mobile users in Iran.
Ferocious Kitten stayed under the radar for at least six years until Kaspersky researchers flagged a pair of maliciously rigged Microsoft Word .docs that were uploaded to Google’s VirusTotal malware scanning utility.
One of the documents was booby-trapped with a malware called ‘MarkiRAT’ that Kaspersky says is capable of recording keystrokes and clipboard contents, hijacking file download and upload capabilities, and the execution of arbitrary commands on the victim machine.
“We were able to trace the implant back to at least 2015, where it also had variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method,” Kaspersky said in a paper posted on its SecureList website.
The company said it observed code overlap with different cyber-surveillance operators targeting Persian-speaking individuals in Iran. Specifically, Kaspersky said some of the TTPs used by Ferocious Kitten are reminiscent of an Iran-based actor called Domestic Kitten that targets Iranian citizens.
In a technical analysis, Kasperky said it found several variants of the MarkiRAT malware, including one that was used to intercept the execution and piggy-back on the launching the widely deployed Telegram chat application.
A separate variant was also seen targeting Google’s Chrome browser, using the BITS utility and code to modify the Chrome shortcut to launch the malware whenever the victim runs the Chrome browser.
Kaspersky also documented a pair of domains within the Ferocious Kittle command-and-control infrastructure that suggests the use of Android implants in the cyber-espionage attacks. The company said it was unable to find a sample of the Android implant.
“The attack appears to be mainly targeting Iranian victims. In addition to the mostly Persian file names, some of the malicious websites used subdomains impersonating popular services in Iran to appear legitimate,” Kaspersky said, noting that a subset of the attacks even targeted the Psiphon open-source VPN tool that is used by Iranians to bypass internet censorship.
“The targeting of Psiphon and Telegram, both of which are quite popular services in Iran, underlines the fact that the payloads were developed with the purpose of targeting Iranian users,” Kaspersky said, noting that that decoy contents displayed by the malicious files often used political themes and involved images or videos of resistance bases or strikes against the Iranian regime, “suggesting the attack is aimed at potential supporters of such movements within the country.”