Ferocious Kitten Uses MarkiRAT to Target Iranian Regime

Ferocious Kitten, an APT group based in Iran, actively targets Iranians. Recently, a lure document uploaded to VirusTotal was made public on Twitter, and one of the group's implants has been investigated by a Chinese threat intelligence firm.

What has happened?


Researchers have released findings on the group and provided insights into other variants of its tooling. The group now uses malicious documents to deliver MarkiRAT, an implant that records keystrokes and clipboard content.
Two suspicious documents, apparently operated by the same attackers, were uploaded to VirusTotal in July 2020 and March.
One of the documents, Romantic Solidarity With Lovers of Freedom2[.]doc, contains malicious macros along with an odd decoy message urging the victim to enable content.
Once macros are enabled, both documents drop malicious executables onto the targeted system and display messages against the regime in Iran.
In the past, the attackers distributed .exe files directly to victims. In the recent attacks, weaponized documents have become the primary infection vector.

Moreover, some of the TTPs recently used by Ferocious Kitten resemble those of other active threat groups attacking similar sets of targets, for example Rampant Kitten and Domestic Kitten.

About MarkiRAT


MarkiRAT has been traced back to at least 2015. It has variants designed to achieve persistence through the Telegram and Chrome applications.
The internal name of the implant is mklg, which is visible in the PDB paths used in the executable binaries. This name possibly stands for ‘Mark KeyL ..
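Because the internal name shows up in the PDB path compiled into the binaries, one quick triage check is to pull every PDB path out of a suspicious executable and look for that string. The script below is an added example for this page, not code from the researchers who analysed MarkiRAT: it scans raw bytes for CodeView "RSDS" debug records (signature, 16-byte GUID, 4-byte age, NUL-terminated path), so it also works on dumped or partially unpacked fragments where walking the PE debug directory would fail. The sample bytes and the `C:\projects\mklg\Release\mklg.pdb` path are constructed for illustration and are not taken from a real sample.

```python
import re
import struct
import uuid

# CodeView 7.0 record as embedded by MSVC in the PE debug directory:
#   "RSDS" | 16-byte GUID (little-endian layout) | 4-byte age | NUL-terminated PDB path
RSDS_SIG = b"RSDS"
HEADER_LEN = 16 + 4


def extract_pdb_paths(data: bytes):
    """Return every PDB path found in RSDS records anywhere in `data`.

    This is a raw byte scan rather than a parse of the PE debug directory,
    so it tolerates truncated or dumped files; the trade-off is that an
    "RSDS" string sitting in a data section is reported too.
    """
    records = []
    for match in re.finditer(re.escape(RSDS_SIG), data):
        start = match.end()
        if start + HEADER_LEN > len(data):
            continue  # record cut off before the age field
        guid = uuid.UUID(bytes_le=data[start:start + 16])
        age = struct.unpack_from("<I", data, start + 16)[0]
        end = data.find(b"\x00", start + HEADER_LEN)
        if end == -1:
            continue  # unterminated path, not a valid record
        try:
            path = data[start + HEADER_LEN:end].decode("ascii")
        except UnicodeDecodeError:
            continue  # PDB paths are ASCII; anything else is noise
        if path:
            records.append({"guid": str(guid), "age": age, "path": path})
    return records


def flag_mklg(data: bytes):
    """Return the RSDS records whose PDB path contains the 'mklg' internal name."""
    return [r for r in extract_pdb_paths(data) if "mklg" in r["path"].lower()]


def make_rsds(path: str, age: int = 1) -> bytes:
    """Build a constructed RSDS record for the sample below (test fixture only)."""
    return (RSDS_SIG
            + uuid.UUID(int=0x1234).bytes_le
            + struct.pack("<I", age)
            + path.encode("ascii")
            + b"\x00")


# Constructed sample buffer: padding, a benign-looking record, junk, and one
# hypothetical record using the 'mklg' project name. Not bytes from a real sample.
SAMPLE = (b"\x00" * 64
          + make_rsds(r"C:\build\tool\Release\tool.pdb", age=3)
          + b"\x90" * 32
          + make_rsds(r"C:\projects\mklg\Release\mklg.pdb", age=7)
          + b"MZ trailing garbage")

if __name__ == "__main__":
    for rec in extract_pdb_paths(SAMPLE):
        print(rec)
    print("suspicious:", flag_mklg(SAMPLE))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `flag_mklg`; treat a hit as a pivot for further analysis rather than a verdict, since PDB paths are trivially editable and absent from binaries built without debug information.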
