Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industry verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.[1][2][3][4]
| Name | Description |
|---|---|
| UNC757 | |
| Parisite | |
| Pioneer Kitten | |
| RUBIDIUM | |
| Lemon Sandstorm | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1546.008 | Event Triggered Execution: Accessibility Features | Fox Kitten has used sticky keys to launch a command prompt.[5] |
| Enterprise | T1530 | Data from Cloud Storage | Fox Kitten has obtained files from the victim's cloud storage instances.[5] |
| Enterprise | T1213.005 | Data from Information Repositories: Messaging Applications | Fox Kitten has accessed victim security and IT environments and Microsoft Teams to mine valuable information.[5] |
| Enterprise | T1555.005 | Credentials from Password Stores: Password Managers | Fox Kitten has used scripts to access credential information from the KeePass database.[5] |
| Enterprise | T1005 | Data from Local System | Fox Kitten has searched local system resources to access sensitive documents.[5] |
| Enterprise | T1039 | Data from Network Shared Drive | Fox Kitten has searched network shares to access sensitive documents.[5] |
| Enterprise | T1090 | Proxy | Fox Kitten has used open source reverse proxy tools including FRPC and Go Proxy to establish connections from C2 to local servers.[5][4][7] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Fox Kitten has named a reverse proxy task lpupdate to appear legitimate.[5] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Fox Kitten has named binaries and configuration files svhost and dllhost respectively to appear legitimate.[5] |
| Enterprise | T1136.001 | Create Account: Local Account | Fox Kitten has created a local user account with administrator privileges.[4] |
| Enterprise | T1190 | Exploit Public-Facing Application | Fox Kitten has exploited known vulnerabilities in Fortinet, PulseSecure, and Palo Alto VPN appliances.[1][3][2][5][4] |
| Enterprise | T1572 | Protocol Tunneling | Fox Kitten has used protocol tunneling for communication and RDP activity on compromised hosts through the use of open source tools such as ngrok and the custom tool SSHMinion.[2][5][4] |
| Enterprise | T1059 | Command and Scripting Interpreter | Fox Kitten has used a Perl reverse shell to communicate with C2.[4] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Fox Kitten has used PowerShell scripts to access credential data.[5] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Fox Kitten has used cmd.exe, likely as a password changing mechanism.[5] |
| Enterprise | T1585 | Establish Accounts | Fox Kitten has created KeyBase accounts to communicate with ransomware victims.[4][7] |
| Enterprise | T1585.001 | Establish Accounts: Social Media Accounts | Fox Kitten has used a Twitter account to communicate with ransomware victims.[4] |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Fox Kitten has used 7-Zip to archive data.[5] |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Fox Kitten has used ProcDump to dump credentials from LSASS.[5] |
| Enterprise | T1003.003 | OS Credential Dumping: NTDS | Fox Kitten has used Volume Shadow Copy to access credential information from NTDS.[5] |
| Enterprise | T1083 | File and Directory Discovery | Fox Kitten has used WizTree to obtain network files and directory listings.[5] |
| Enterprise | T1110 | Brute Force | Fox Kitten has brute forced RDP credentials.[4] |
| Enterprise | T1078 | Valid Accounts | Fox Kitten has used valid credentials with various services during lateral movement.[5] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | Fox Kitten has installed web shells on compromised hosts to maintain access.[5][4] |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | Fox Kitten has accessed files to gain valid credentials.[5] |
| Enterprise | T1012 | Query Registry | Fox Kitten has accessed the Registry hives ntuser.dat and UserClass.dat.[5] |
| Enterprise | T1217 | Browser Information Discovery | Fox Kitten has used Google Chrome bookmarks to identify internal resources and assets.[5] |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | Fox Kitten has base64 encoded scripts to avoid detection.[5] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Fox Kitten has base64 encoded payloads to avoid detection.[5] |
| Enterprise | T1102 | Web Service | Fox Kitten has used Amazon Web Services to host C2.[4] |
| Enterprise | T1046 | Network Service Discovery | Fox Kitten has used tools including NMAP to conduct broad scanning to identify open ports.[5][4] |
| Enterprise | T1087.001 | Account Discovery: Local Account | Fox Kitten has accessed ntuser.dat and UserClass.dat on compromised hosts.[5] |
| Enterprise | T1087.002 | Account Discovery: Domain Account | Fox Kitten has used the Softerra LDAP browser to browse documentation on service accounts.[5] |
| Enterprise | T1105 | Ingress Tool Transfer | Fox Kitten has downloaded additional tools including PsExec directly to endpoints.[5] |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | Fox Kitten has used RDP to log in and move laterally in the target environment.[5][4] |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Fox Kitten has used valid accounts to access SMB shares.[5] |
| Enterprise | T1021.004 | Remote Services: SSH | Fox Kitten has used the PuTTY and Plink tools for lateral movement.[5] |
| Enterprise | T1021.005 | Remote Services: VNC | Fox Kitten has installed TightVNC server and client on compromised servers and endpoints for lateral movement.[5] |
| Enterprise | T1210 | Exploitation of Remote Services | Fox Kitten has exploited known vulnerabilities in remote services including RDP.[1][2][4] |
| Enterprise | T1018 | Remote System Discovery | Fox Kitten has used Angry IP Scanner to detect remote systems.[5] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Fox Kitten has used Scheduled Tasks for persistence and to load and execute a reverse proxy binary.[5][4] |
| ID | Name | References | Techniques |
|---|---|---|---|
| S0020 | China Chopper | [5] | Data from Local System, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, File and Directory Discovery, Brute Force: Password Guessing, Server Software Component: Web Shell, Obfuscated Files or Information: Software Packing, Indicator Removal: Timestomp, Network Service Discovery, Ingress Tool Transfer |
| S0508 | ngrok | [2] | Proxy, Dynamic Resolution: Domain Generation Algorithms, Protocol Tunneling, Web Service, Exfiltration Over Web Service |
| S0556 | Pay2Key | [1][7] | Proxy: Internal Proxy, Encrypted Channel: Asymmetric Cryptography, Data Encrypted for Impact, Service Stop, Indicator Removal: File Deletion, System Information Discovery, System Network Configuration Discovery, Non-Application Layer Protocol |
| S0029 | PsExec | [5][7] | Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares |