Recent investigations by the Russian cybersecurity firm Kaspersky have revealed that a hacking group suspected of links to Iran has been abusing instant-messaging and VPN applications such as Telegram and Psiphon since at least 2015. The group uses these tools as lures and carriers for a Windows remote access trojan (RAT) that extracts sensitive data from the compromised devices of its targets.
Kaspersky has linked this activity to an advanced persistent threat (APT) group known as Ferocious Kitten, which has specifically targeted Persian-speaking individuals, likely within Iran. The group’s ability to operate discreetly underlines its sophistication, as illustrated by its strategic use of popular local applications. The Kaspersky Global Research and Analysis Team noted, “The targeting of Psiphon and Telegram suggests that the malware was explicitly designed for Iranian users.”
The malicious software often features decoy content themed around political matters, including videos or images of resistance movements against the Iranian regime. This indicates that the attacks may aim to sway individuals sympathetic to these causes within the country.
Kaspersky’s findings are based on the analysis of two weaponized documents uploaded to VirusTotal in 2020 and 2021. These documents contain macros that, when activated, release a new implant referred to as MarkiRat. The backdoor functionality of MarkiRat enables the perpetrators to access a wide range of personal information, including capabilities for keystroke logging, clipboard monitoring, file management, and executing commands on the infected machine.
The attackers have continued to expand their capabilities: several MarkiRat iterations can hijack the execution of applications such as Google Chrome and Telegram, so that the implant runs whenever the victim launches them. This approach not only provides persistent infection but also complicates detection and removal. Notably, one variant was found to be a trojanized build of Psiphon, an open-source VPN tool frequently used to bypass internet censorship.
Moreover, a recent variant has emerged as a basic downloader, fetching an executable file from a predetermined domain. This development marks a shift from the previously established methodology of deploying malware directly, implying a possible evolution in the group’s tactics and techniques as categorized by the MITRE ATT&CK framework.
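The infection chain described above (a macro-enabled document dropping an implant, followed by hijacking of the Telegram or Chrome launch for persistence) leaves traces in process-creation telemetry. The following triage script is an added example, not code from Kaspersky's report or from this article; it uses Sysmon-style `Image`/`ParentImage` field names, constructed sample events, and assumed default install directories for Telegram Desktop and Chrome.

```python
"""Flag two behaviours the article attributes to MarkiRat in process-creation events:
  1. an Office application spawning an executable (macro dropping the implant),
  2. Telegram.exe or chrome.exe started from outside its expected install directory
     (the launch hijacking used for persistence).
Sample events and expected directories are constructed assumptions for this example."""
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Assumed default install directories (lower-cased, no trailing backslash).
EXPECTED_DIRS = {
    "telegram.exe": re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\telegram desktop$"),
    "chrome.exe": re.compile(r"^c:\\program files( \(x86\))?\\google\\chrome\\application$"),
}

# Constructed Sysmon Event ID 1-like records; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\ali\AppData\Local\Temp\svchost.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Users\ali\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\ali\AppData\Local\Temp\Telegram.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def office_spawned_executable(event: dict) -> bool:
    """True when an Office process is the parent of a newly created .exe."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = event["Image"].lower()
    return parent in OFFICE_PARENTS and child.endswith(".exe")


def app_from_unexpected_path(event: dict) -> bool:
    """True when a watched binary name runs from a directory it is not installed in."""
    name = ntpath.basename(event["Image"]).lower()
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return False
    return expected.match(ntpath.dirname(event["Image"]).lower()) is None


def triage(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, reason) for every event matching either rule."""
    hits = []
    for i, ev in enumerate(events):
        if office_spawned_executable(ev):
            hits.append((i, "office-child"))
        elif app_from_unexpected_path(ev):
            hits.append((i, "hijacked-app-path"))
    return hits
```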
The command-and-control infrastructure associated with Ferocious Kitten has also been observed hosting Android applications as DEX and APK files, suggesting a parallel effort to develop mobile malware. The group's tactics resemble those of other known adversaries such as Domestic Kitten and Rampant Kitten, both of which have been noted for reusing command-and-control servers and harvesting data from tools such as the KeePass password manager.
In conclusion, Kaspersky highlights that Ferocious Kitten operates in a broader ecosystem aimed at tracking individuals in Iran. Such groups often go unnoticed, allowing them to reuse tools and infrastructure with little fear of intervention. This underscores the importance for business owners and cybersecurity professionals to remain vigilant about evolving threats and the methodologies employed by adversaries in the landscape of cyber warfare.