17 June 2021

Researchers uncover a 6-year Iranian domestic cyber-espionage campaign

A cyber-espionage operation has been covertly targeting Persian-speaking individuals in Iran for at least six years, according to a new report from Kaspersky.

The threat actor behind this campaign, tracked by Kaspersky as ‘Ferocious Kitten’, has been flying under the radar since at least 2015, using a host of clever techniques to deploy its malware on victims’ devices. In particular, this newly discovered APT has been observed using a custom malware called “MarkiRAT” that steals data and can execute commands on the victim’s machine, with some of the variants able to hijack the infected user’s Chrome browser and Telegram app.

The cyber-espionage campaign came to light when Kaspersky spotted two suspicious Microsoft Word documents that had been uploaded to VirusTotal in July 2020 and March 2021. The documents, which pose as images or videos depicting action against the Iranian regime, contain malicious macros; once the user enables the embedded content, the MarkiRAT malware is dropped onto the targeted system. The malware is capable of recording keystrokes and clipboard contents, downloading and uploading files, and executing arbitrary commands on the victim machine, Kaspersky said.

The researchers found several MarkiRAT variants, one of which is able to intercept the execution of Telegram and launch the malware along with it.

“If present, MarkiRAT copies itself to this repository and then modifies the shortcut that launches Telegram to execute this modified repository with the application itself,” the researchers wrote.

A separate MarkiRAT variant alters the device’s Chrome browser shortcut so that the MarkiRAT payload is executed alongside the legitimate app. Yet another variant is a backdoored version of Psiphon, an open source VPN tool often used to bypass internet censorship.
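The Telegram and Chrome variants described above both rely on the same trick: the shortcut the user clicks no longer points straight at the real application, but at a loader that starts the malware and then the application. The following is an added illustration of how a defender can audit shortcuts for that pattern. It is not Kaspersky's detection logic and not code from the report; it assumes the shortcut name, TargetPath and Arguments have already been extracted from the .lnk files (for example with PowerShell's WScript.Shell COM object), and the sample shortcuts, file names and directories below are constructed for the example.

```python
"""Heuristic audit of Windows shortcuts that claim to launch Telegram or Chrome.

Added example: flags shortcuts whose target is not the genuine application binary,
whose genuine binary sits in an unexpected directory, or whose arguments hand the
real application to some other executable (the loader pattern). Input records are
assumed to come from an external .lnk extraction step; the samples are constructed.
"""
import ntpath
from dataclasses import dataclass

# Per application: the binary a genuine shortcut points at and the tail of the
# directory it is normally installed in (typical defaults; assumption for the example).
KNOWN_APPS = {
    "telegram": ("telegram.exe", ("telegram desktop",)),
    "chrome": ("chrome.exe", ("google", "chrome", "application")),
}


@dataclass
class Shortcut:
    name: str        # shortcut file name as shown on the desktop / start menu
    target: str      # TargetPath read from the .lnk
    arguments: str   # Arguments read from the .lnk


def _norm(path):
    # Strip surrounding quotes, collapse separators, compare case-insensitively.
    return ntpath.normpath(path.strip('"')).lower()


def _dir_parts(path):
    return tuple(part for part in ntpath.dirname(path).split("\\") if part)


def classify(app, sc):
    """Return None when the shortcut looks genuine, otherwise a short reason."""
    exe, dir_tail = KNOWN_APPS[app]
    target = _norm(sc.target)
    args = sc.arguments.lower()
    if ntpath.basename(target) != exe:
        if exe in args:
            # Shortcut runs something else and passes the real app to it.
            return f"target is {sc.target!r}, real {exe} passed as argument (loader pattern)"
        return f"target is {sc.target!r}, not {exe}"
    if _dir_parts(target)[-len(dir_tail):] != dir_tail:
        # Right file name, wrong place: a copied or renamed binary.
        return f"{exe} launched from unexpected directory {ntpath.dirname(sc.target)!r}"
    if ".exe" in args:
        return f"genuine {exe} but arguments reference another executable: {sc.arguments!r}"
    return None


def audit(shortcuts):
    """Run classify() over (app, Shortcut) pairs; return [(name, reason), ...] for hits."""
    findings = []
    for app, sc in shortcuts:
        reason = classify(app, sc)
        if reason:
            findings.append((sc.name, reason))
    return findings


# Constructed sample records (paths and file names are illustrative only).
SAMPLE = [
    ("telegram", Shortcut("Telegram (clean)",
                          r"C:\Users\u\AppData\Roaming\Telegram Desktop\Telegram.exe", "")),
    ("telegram", Shortcut("Telegram (hijacked)",
                          r"C:\Users\u\AppData\Roaming\Telegram Desktop\loader.exe",
                          r'"C:\Users\u\AppData\Roaming\Telegram Desktop\Telegram.exe"')),
    ("chrome", Shortcut("Chrome (clean)",
                        r"C:\Program Files\Google\Chrome\Application\chrome.exe", "")),
    ("chrome", Shortcut("Chrome (hijacked)",
                        r"C:\Users\u\AppData\Local\Temp\x.exe",
                        r'"C:\Program Files\Google\Chrome\Application\chrome.exe"')),
    ("chrome", Shortcut("Chrome (copied)",
                        r"C:\Users\u\AppData\Roaming\chrome.exe", "")),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"SUSPICIOUS {name}: {reason}")
```

A shortcut that passes this check can still launch a trojanised binary if the real executable was replaced in place, so pair the shortcut audit with a hash or signature check of the target file itself.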

Kaspersky said it discovered evidence that Ferocious Kitten has developed malicious implants targeting Android devices, but was unable to obtain any specific samples for analysis.

“While the MarkiRAT malware and accompanying toolset isn’t particularly sophisticated, it is interesting that the group created such specialized variants for Chrome and Telegram. It suggests the threat actors are focused more on adapting their existing toolset to their target environments rather than enriching it with features and capabilities. It’s also quite possible that the group is running several campaigns targeting different platforms,” the researchers said.
