Domestic Kitten hacking group strikes local citizens considered a threat to Iranian regime

FurBall spyware pretends to be everything from a security app to screen wallpapers.

The inner workings of the Domestic Kitten hacking group's surveillance operations have been disclosed by researchers. 

Domestic Kitten, also tracked as APT-C-50, is an advanced persistent threat (APT) group. First discovered in 2018, the APT has ties to the Iranian government and has been linked to attacks against domestic citizens "that could pose a threat to the stability of the Iranian regime," according to Check Point. 

Target individuals could include regime dissidents, civil rights activists, journalists, and lawyers. 

In a blog post on Monday, the Check Point research team said Domestic Kitten has been conducting widespread surveillance for the past four years, launching at least 10 separate campaigns and maintaining a target list of 1,200 individuals, at a minimum. 

At present, four active campaigns have been recorded, the most recent of which appears to have begun in November and is ongoing. Domestic Kitten victims are located across the world including in countries such as Iran, the US, Pakistan, and Turkey.

The APT uses mobile malware dubbed FurBall. The malware is based on commercially-available monitoring software called KidLogger, and according to the researchers, "it seems that the developers either obtained the KidLogger source code, or reverse-engineered a sample and stripped all extraneous parts, then added more capabilities."

FurBall is spread through a variety of attack vectors including phishing, Iranian websites, Telegram channels, and via SMS messages containing a link to the malware. The malware utilizes a variety of disguises to try and trick a victim into installation; such as being packaged as "VIPRE" mobile security, masquerading as a news outlet app, acting as repackaged legitimate mobile games found on Google Play, app stores, restaurant services, and wallpaper applications. 

Once installed on a target device, FurBall is able to intercept SMS messages, grab call logs, gather device information, record communication, steal media and stored files, monitor device GPS coordinates and so track their targets' movements, and more. 

When information has been gathered from the compromised device, it can be sent to command-and-control (C2) servers that have been used by Domestic Kitten since 2018. Linked IP addresses were found in Iran, in both Tehran and Karaj.

On Monday, Check Point researchers, together with SafeBreach, also disclosed the activities of a second threat group which is actively targeting Iranian dissidents -- but rather than focus on their smartphones, their PCs are at risk. Dubbed Infy, this APT -- known to have existed since 2007 and suspected of being state-sponsored -- has now renewed its efforts with a previously-undetected malware strain, a refreshed main Infy malware payload, and an overhaul of past C2 infrastructure. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0