Kaspersky has uncovered a long-standing cyberespionage campaign against Persian-speaking individuals in Iran. The group behind the malicious activity—dubbed Ferocious Kitten—has been active since at least 2015 and delivers a custom malware called “MarkiRAT” that steals data and can execute commands on the victim’s machine. The malware also has variants that can hijack the infected user’s Chrome browser and their Telegram app.
In March of this year, a suspicious lure document was uploaded to VirusTotal and brought to the public’s knowledge through a post on Twitter. Upon noticing the Tweet, Kaspersky researchers decided to investigate further. What they found was a 6-year long surveillance campaign against Persian-speaking individuals in Iran. They have since dubbed the actor behind the campaign “Ferocious Kitten”.
Ferocious Kitten, active since at least 2015, targets its victims with decoy documents containing malicious macros. These documents are disguised as images or videos that depict action against the Iranian regime (protests or footage from resistance camps). The initial messages within the decoy documents attempt to convince the target to enable the attached images or videos. If the victim agrees, then malicious executables are dropped to the targeted system, while the decoy content is displayed on the screen.
These executables drop the main malicious payload—a custom malware known as ‘MarkiRAT”. Once downloaded to the infected system, MarkiRAT initiates a keylogger to copy all clipboard content and record all keystrokes. MarkiRAT also provides file download and upload capabilities to the attackers and gives them the ability to execute arbitrary commands on the infected machine.
Kaspersky researchers were able to uncover several other MarkiRAT variants. One has the ability to intercept the execution of Telegram and launch the malware along with it. It does so by searching the infected device for Telegram’s internal data repository. If present, MarkiRAT copies itself to this repository and then modifies the shortcut that launches Telegram to execute this modified repository with the application itself.
Another variant modifies the device’s Chrome browser shortcut in a similar way to the variant targeting Telegram. The result is that, each time the user starts Chrome, the real application is run and the MarkiRAT payload is executed alongside it. Yet another variant is a backdoored version of Psiphon, an open source VPN tool often used to bypass internet censorship. Kaspersky has also found evidence that the actors have developed malicious implants targeting Android devices, although researchers were unable to obtain any specific samples for analysis.
The victims of this campaign appear to be Persian-speaking and located within Iran. The content of the decoy documents suggests the attackers are specifically going after supporters of protest movements within the country.
“While the MarkiRAT malware and accompanying toolset isn’t particularly sophisticated, it is interesting that the group created such specialised variants for Chrome and Telegram. It suggests the threat actors are focused more on adapting their existing toolset to their target environments rather than enriching it with features and capabilities. It’s also quite possible that the group is running several campaigns targeting different platforms,” comments Mark Lechtik, Senior Security Researcher with the Global Research and Analysis Team (GReAT).
“We also found a more recent plain variant using a downloader instead of an embedded payload. This suggests the group is still very much active and may be in the process of modifying their tactics, techniques, and procedures,” adds Paul Rascagneres, Senior Security Researcher with GReAT.
“Ferocious Kitten’s victimology and TTPs are similar to other actors in the region, namely Domestic Kitten and Rampant Kitten. Together, they form a wider ecosystem of surveillance campaigns in Iran. These types of threat groups don’t appear to be frequently covered, which makes it possible for them to fly under the radar for long periods of time and makes it easier for them to reuse their infrastructure and toolsets,” comments Aseel Kayal, Security Researcher with GReAT.