Woburn, MA – June 16, 2021 – Today Kaspersky announced its discovery of a long-running cyberespionage campaign against Persian-speaking individuals in Iran. The group behind the malicious activity, dubbed Ferocious Kitten, has been active since at least 2015, using a custom malware called “MarkiRAT” that steals data and can execute commands on a victim’s machine. The malware also has variants that can hijack the infected user’s Chrome browser and their Telegram app.
In March of this year, a suspicious lure document was uploaded to VirusTotal and brought to the public’s knowledge through a post on Twitter. Upon noticing the Tweet, Kaspersky researchers decided to investigate further. What they found was a six-year long surveillance campaign against Persian-speaking individuals in Iran. They have since dubbed the actor behind the campaign “Ferocious Kitten.”
Ferocious Kitten, active since at least 2015, targets its victims with decoy documents containing malicious macros. These documents are disguised as images or videos that depict action against the Iranian regime (protests or footage from resistance camps). The initial messages within the decoy documents attempt to convince the target to enable the attached images or videos. If the victim agrees, then malicious executables are dropped to the targeted system, while the decoy content is displayed on the screen.
A decoy message translated from Persian
These executables drop the main malicious payload—a custom malware known as “MarkiRAT.” Once downloaded to the infected system, MarkiRAT initiates a keylogger to copy all clipboard content and record all keystrokes. MarkiRAT also provides file download and upload capabilities to the attackers and gives them the ability to execute arbitrary commands on the infected machine.
Kaspersky researchers were able to uncover several other MarkiRAT variants. One has the ability to intercept the execution of Telegram and launch the malware along with it. It does so by searching the infected device for Telegram’s internal data repository. If present, MarkiRAT copies itself to this repository and then modifies the shortcut that launches Telegram to execute this modified repository with the application itself.
Another variant modifies the device’s Chrome browser shortcut in a similar way to the variant that targets Telegram. The result is that, each time the user starts Chrome, the real application is run and the MarkiRAT payload is executed alongside it.
Yet another variant is a backdoored version of Psiphon, an open source VPN tool often used to bypass internet censorship.
Kaspersky has also found evidence that the actors have developed malicious implants targeting Android devices, although researchers were unable to obtain any specific samples for analysis.
The victims of this campaign appear to be Persian-speaking and located within Iran. The content of the decoy documents suggests the attackers are specifically going after supporters of protest movements within the country.
“While the MarkiRAT malware and accompanying toolset isn’t particularly sophisticated, it is interesting that the group created such specialized variants for Chrome and Telegram,” said Mark Lechtik, senior security researcher with the Global Research and Analysis Team (GReAT). “It suggests the threat actors are focused more on adapting their existing toolset to their target environments rather than enriching it with features and capabilities. It’s also quite possible that the group is running several campaigns targeting different platforms.”
“We also found a more recent plain variant using a downloader instead of an embedded payload,” said Paul Rascagneres, senior security researcher with GReAT. “This suggests the group is still very much active and may be in the process of modifying their tactics, techniques, and procedures.”
“Ferocious Kitten’s victimology and TTPs are similar to other actors in the region, namely Domestic Kitten and Rampant Kitten,” said Aseel Kayal, security researcher with GReAT. “Together, they form a wider ecosystem of surveillance campaigns in Iran. These types of threat groups don’t appear to be frequently covered, which makes it possible for them to fly under the radar for long periods of time and makes it easier for them to reuse their infrastructure and toolsets.”
Learn more about Ferocious Kitten on Securelist.
To protect your organization’s employees from APTs like Ferocious Kitten, Kaspersky experts recommend the following:
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
Sawyer Van Horn