Kaspersky Details Iranian Domestic Cyber-Surveillance Operation

Threat hunters at Kaspersky are sounding a warning about an Iranian APT actor that has been silently conducting domestic cyber-surveillance operations for the last six years.

The newly discovered APT, which Kaspersky calls Ferocious Kitten, has been active since at least 2015 and has used clever computer infection tricks to hijack Telegram and Chrome installations to deploy a malicious payload.

The Russian cybersecurity vendor said it also observed signs that Android implants have been used to target mobile users in Iran.

Ferocious Kitten stayed under the radar for at least six years until Kaspersky researchers flagged a pair of maliciously rigged Microsoft Word documents that were uploaded to Google's VirusTotal malware scanning utility.

One of the documents was booby-trapped with a malware called 'MarkiRAT' that Kaspersky says is capable of recording keystrokes and clipboard contents, downloading and uploading files, and executing arbitrary commands on the victim machine.

"We were able to trace the implant back to at least 2015, where it also had variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method," Kaspersky said in a paper posted on its SecureList website.

The company said it observed code overlap with other cyber-surveillance operators targeting Persian-speaking individuals in Iran. Specifically, Kaspersky said some of the TTPs used by Ferocious Kitten are reminiscent of an Iran-based actor called Domestic Kitten that targets Iranian citizens.

In a technical analysis, Kaspersky said it found several variants of the MarkiRAT malware, including one that was used to intercept the execution of, and piggy-back on the launch of, the widely deployed Telegram chat application.
A separate var ..