Zooming In On “Domestic Kitten”

 

In recent years, Iran has been channeling significant resources into cyber warfare, devoting designated entities within multiple government agencies to conduct extensive espionage campaigns against foreign countries such as the United States, Israel and Persian Gulf Arab countries. The majority of these campaigns aim at colleting sensitive information, usually concerning national security, from government officials, military officers, academic experts etc. Other operations target operational networks and aim at causing physical damage, such as power outage, machine faults and more. While these operations are to be investigated and analyzed carefully, we must not forget that Iran’s fundamental regime has one prime target – its own citizens.

Last month, Check Point researchers revealed a sophisticated and extensive targeted attack, dubbed “Domestic Kitten”, which primarily targets Iranian victims and most likely originates from an Iranian government-sponsored threat group. The attackers use mobile applications with decoy content to entice their victims into installing the spyware, which collects a large amount of sensitive information from the victim’s device and intercepts everything in the device’s communication. Collected information includes phone call records, SMS messages, browser history, geo-location of the victim, photos and, uniquely, even surrounding voice recordings. Despite the heavy targeting of Iranians, there were also Kurdish and Urdu natives, ISIS supporters and even Yemeni citizens among the victims.

After investigating each layer of this tangled operation, which has succeeded to remain under the radar since 2016, we are now sharing the full “Domestic Kitten” story, including its attack infrastructure, the strict documentation of the stolen data, and the characteristics of variants from each generation. The following analysis dives deep into the tactics and techniques used by the attackers, including the decoy applications, the data and target management and the targets affiliation.

The Applications

Gathering all data from this operation gave us an estimation of the number of malicious applications that were used. Overall, 82 applications were seen in the different Domestic Kitten campaigns, all of which were designed to act as a bait using tailored decoy content which lures its targets based on chosen fields of interest, such as ISIS and Kurdish folklore. Examining the displayed names and contents of such applications can reveal the political groups and minorities which they may be targeting:

 

The majority of the displayed names (36%) were in Persian. These include applications named ‘Temporary Marriage’ – an Iranian practice which allows a couple to form matrimonial contract for as little as several minutes; ‘Nowruz’ – The Persian New Year’s day; ‘Baloch and Balochistan’ – Baloch is a minority which lives mainly in the Balochistan region, which covers Iran, Pakistan and several other countries. These were followed by 29% for Arabic speaking targets, and 22% with generic titles that may target a broader audience or entities which no distinct affiliation (such as Google Service Updater, Super VPN, Sexy Bikini Girl, and so on).

In addition to the name displayed to the victim, each application has an embedded default codename that is used by the threat actor in the logs they collect. The codename can be something generic such as “User180607” or “BOOK1010”, it can resemble the app’s displayed name, but often it can tell us more about the target characterization of the campaign:

Application Name	Code Name	Translation/Description	Target Audience	Version
اسلحه شناسی	Weapon	Firearms Maker	Arabic Speakers	6.0.0
Asma’ al-husna	Daesh4	Names of God	Arabic Speakers	5.0.0
Pepule	Majpolpepule960927	Kurdish TV Channel	Kurdish Speakers	5.2.0
MoboChat	Shahram-mobo-hidn		Generic	5.4.0
ازدواج موقت محصنين	Ezdevaj	Temporary Marriage	Persian Speakers	5.6.0

 

A full list of the applications, code names, title translation/description, target audience and version number is available in the Appendix.

Out of the 82, approximately 20 applications are Muslim-themed, with names such as “Verses from the Quraan” or “The Prophet’s 55 Commandments”. Surprisingly, many of these received the codename “Daesh” – which is the Arabic/Persian name for ISIS – followed by a numeral (1-9). We can therefore infer that such applications belong to a campaign that targets ISIS supporters or activists by using religious themes.

Looking up the titles we came across in the logs returned many results that led us to legitimate applications with the same names as the malicious ones, which were available for download via Google’s Play Store, Telegram channels or websites hosting APKs. Downloading applications from unofficial sources or sharing websites is a common practice in Iran and in the Middle East in general, due to the many sanctions in the region. This can imply that the attackers created a compromised version of these harmless applications by embedding their malicious code in them.

 

Technical Description

Overview

Check Point researchers obtained and analyzed three versions of the malware spread via the tailored malicious applications. Version ‘com.memopt’ was used in 2016, and uses Persian in its code, in accordance with our estimation of the attackers’ origins. It features multiple data exfiltration features and is capable of executing remote shell commands. The second version, ‘com.andriod’, has more functionalities that the previous one, although similarly to the previous generation, it is not heavily obfuscated and contains some contradicting values within its sections. The most advanced generation, and most recent one, is ‘com.eracomteck/example.badoo’. This version shows greater obfuscation as well as evasion techniques and more complex server communications. Unlike the previous generation each log contains one data type, all data collected by this version is stored in one comma separated file, and each type has a unique identifying character.

 

By monitoring all C&C severs used in the campaign, we were able to obtain a fully accurate picture of the number of victims, the applications used by the campaign and the collected data, which includes structured logs, containing private data, and actual files and recording collected from the infected devices. Our unique visibility enabled us to come with the accurate amounts of personal data exfiltrated by the aforementioned logs:

In addition to the numbers represented in the chart, 370 accounts and e-mail addresses from different social media platforms such as Twitter and Facebook, as well as 50 full system dumps enumerating each file on the device, were also delivered to the threat actor.

Malware Generations

com.memopt

The “com.memopt” generation dates back to 2016 and was discovered because one of its C&C servers shared the same WHOIS information with a new variant:

 

 

Exception messages in the application are documented in Persian, supporting our suspicion that an Iranian entity is behind this attack:

In addition to data theft, this variant is capable of executing remote shell commands:

Commands received from the C&C are saved in an SQL database file called “MemOptDB.sql” which can be found in the “assets” section of the application.

Each one of the commands has a unique ID and can be set to run in a specific time. The threat actor can also choose whether or not to compress the log before sending it back, by setting the “ZipBeforeSend” value to True or False:

This variant can:

• Steal the device’s location
• Steal phone call recordings
• Steal SMS messages
• Steal browser history
• List files in a given directory
• Upload requested files to server and delete them
• Upload requested files to server without deleting them
• Recursively delete a directory
• Take a photo from the device’s camera
• Send data SMS with the device ID to 30006490000014
• Enable call recording
• Choose phone number to be deleted from call logs
• Remove a call log from a specific phone number

This generation also has an additional SMS command channel, which duplicates some of the previous commands and can monitor the following:

• GPS
• Calls
• Messages
• Wifi – turn on wifi connection
• GPRS – Mobile internet connection

 

com.andriod.browser:

This generation is more advanced than “com.memopt” and has more functionalities, although the code itself is still not heavily obfuscated, and exceptions are documented.

The “Defines” class contains default embedded values which are defined by the threat actor, such as a C&C (SERVER_ADDRESS) and a codename (USER_NAME). It also contains the application’s version number, media extensions and a list of commands:

 

However, the SERVER_ADDRESS and USER_NAME values are not used elsewhere in the code and different values are defined in the “Settings” class. This can simply mean that they were left over in this class from a previous generation.

In the above screenshot from one of the applications, the SERVER_ADDRESS is set to “ageofcyber[.]com/brw”, although the C&C is later set to be “ychatonline[.]net”.

The first domain supposedly belongs to a company called “Jehvet Sanat” or “Jelveh Engineering Company”, which was looking to hire Java and C++ programmers in the past through Iranian job-hunting websites:

Although the “/brw” subdomain was used by other C&Cs, accessing “ageofcyber[.]com/brw” nowadays returns a 404 (Not Found) code.

In addition to defining the real codename and server, the “Settings” application also has the APK’s serial number:

The serial number has a time stamp at the end which most likely shows the APK’s compilation time. This also correlates with the version number, since the serial number’s time stamp in applications with low versions (5.0.0 or 5.2.0) was from 2017.

“AMService” sets the deviceUUID, which is later used in the logs’ names and as their encryption key:

The documentation of exceptions in this class is interesting as there are messages explaining the reason behind each exception, with many grammatical mistakes and typos: thrad instead of thread, or erro instead of error. This leads to the assumption that the author is not a native English speaker.

The “CommandManager” class receives commands from the C&C by sending the deviceUUID as a parameter to the “get-function.php” script:

The “CommandManager” will then call components from other classes to get the information which the threat actor requested (A thorough explanation of the possible commands is available in the Functions section under Command and Control):

 

com.eracomteck/example.badoo:

These packages seem to belong to the most recent/advanced generation of this campaign, some of which still have very low detections on VirusTotal up until this day:

 

 

 

 

 

 

 

 

The code itself also became more obfuscated and protective layers were added to prevent any detection of strings. All strings, including the server, are encoded using a simple algorithm, which adds a constant to each character of the string and encodes the result using Base64.

Furthermore, when communicating with the server each character is also XORed with another character from a large byte array.

The BootReceiver class in “example.badoo” starts a heartbeat service. It schedules a timer, which then sends data about the device’s mobile operator every 10 seconds to the server:

The “TransportReceiver” listens for all the events which can wake up the application, and registers dynamic receivers for both outgoing calls and user presence:

The application also schedules a set of timers, and whenever they are triggered they send commands to “Dumpers”, which are components responsible for gathering:

• Location
• Clipboard
• Voice recording
• Taking photos
• Video recording

The most interesting one is perhaps the dataDumper, which steals most of the victim’s personal data:

 

• User’s accounts
• Browser data
• Call log
• SMS messages
• Contacts
• Applications (installed and running)
• Mobile operator’s data
• List of media content present on device (audio, photo, video)
• Sensor’s data
• Battery stats
• Storage stats

Unlike the previous generation where logs can only contain one data type, all of this data is stored in one comma separated file, and each type has a unique identifying character:

The only addition to the stolen data in this generation is the battery data, which was not available in previous generations.

This variant can also receive commands from the threat actor by opening a connection to the server’s port 2030, which can include:

• Sending results of surround voice recording
• Sending results of video recording
• Sending pictures taken from the device’s camera
• Searching for a specific file
• Taking screenshots
• Deleting files
• Uploading an application to the device and asking the user to install it
• Pushing a file to the device or pulling one from it

After this information is gathered, the corresponding log is compressed, encrypted, sent to the server and deleted from the device itself:

 

Command and Control

We monitored the servers which were used in this attack and were able to gain access to uploaded files as well as statistics about the number of victims in different campaigns. The files were divided into three main categories:

Functions: Commands sent by the threat actor to infected devices.

Files: Encrypted stolen files or recordings.

Uploads: Encrypted structured logs from victims.

These files revealed the nature of the targeted victims and the regions which the threat actor focused their activity on. Moreover, they contained not only personal and sensitive information about the victims themselves, but also about the people they were in touch with, as the malicious applications were monitoring phone calls, SMS messages, and much more.

Files

Although a directory is created for each victim’s UUID in the “files” section, usually those directories are empty. It appears as if the threat actor prefers to delete any screenshots or recordings they managed to get their hands on immediately after uploading them to the server.

There were exceptions to this rule, as encrypted voice recordings from some devices were apparently forgotten and were available to us for investigation.

In newer versions of the malicious applications the stolen recordings were 10 minutes long each, whereas previous ones only lasted for a few seconds.

Uploads

Uploads are logs that are divided according to the data type they collect. Each log starts with a different character that indicates what their content is. The fields stored in the log are separated by a unique delimiter, “~~~”.

The first and “simplest” log is usually the one which identifies the victim and their device, which is referred to as the “HardwareInfo”. This log starts with the character “v”, and some of the fields it contains are:

– Device ID
– Device Model
– Network Operator
– Network Operator Country
– Malicious Application Name
– Malicious Application Serial Number
– Malicious Application Version

The different log types and their identifying characters are:

Log Type	Identifying Character
Call Log	]
Browser History	d
SMS Messages	Z
Contact List	P
Hardware Information	v
Accounts	s
File System Dump	S

 

Functions

Functions (or commands) are divided into six categories: Get, Set, Take, Reset, Time and Delete. They also use the “~~~” delimiter for separating parameters and “===” for separating commands.

Before collecting any logs or files from the infected device, the malicious applications send a request to the following URL in order to find out if there are any commands they should perform:

<server_address>/get-function.php?uuid=<device_uuid>

If the UUID is valid, the server can respond with a command from the previous six categories, or with a “NoCommand”.

The “Get” commands are usually things such as “Get~AllFile=”, “Get~AllContact=”, or “Get~AllCall=”, but other times the threat actor can be interested in obtaining only specific files or images.

For example, in one case the logs showed an attempt to get media exchanged in messaging applications such as images and videos, but also chat history back up files from WhatsApp and recorded audio messages from Telegram:

In other cases, names of files and documents were specified in the commands. Those files can be anything from MP3 songs and MP4 videos, to Power Point presentations and Word documents:

The “Delete” command is most likely a feature that was implemented to cover the traces of any malicious behavior. However, only two logs of deleting commands were found in the different servers, one of which removed media files from Telegram, and the other log deleted an SMS message:

There are no other logs from the device which this message was deleted from, therefore we cannot find out what the threat actor was trying to conceal from the victim. From the application code itself, we can tell that in addition to deleting messages and files, this command can also be used to delete phone call history.

The “Take” command is used to take photos (Take~~~Photo) or record videos (Take~~~Video) using the phone’s camera, record surrounding voice records (Take~~~Audio) and even record phone calls:

 

A phone number can also be provided as a parameter in the “Take” command, which will record phone calls to and from this number.

The “Reset” command changes the application’s settings back to their default, after they were changed by the previous commands. For example, if the “Take” command monitors a phone number for incoming and outgoing calls, the “Reset” command will remove this number and stop the application from recording.

“Time” receives another command and performs it at the chosen time given as the first parameter:

Lastly, the “Set” command can change the application settings, such as the default username or the data being logged:

Interestingly enough, some of the “Set” commands we found from the beginning of 2018 changed the server contacted by one of the applications, and helped reveal additional C&Cs which were used by this campaign in the past:

Wider Infrastructure

The domain appsoftupdate[.]com resolved to the IP address 198.50.220[.]44, and although both are no longer accessible, the domain has WHOIS information which supposedly belongs to an individual from Turkey called Loren Maoo:

The e-mail address (ja.sh@gmx[.]com) was used to register eight other domains besides appsoftupdate[.]com. In addition, it is associated with the following names: Jasem Karar, Maycel Wee, Mishell Loren and Tati Barich. One of the other domains (mobileupdateapp[.]com) revealed the older variant of the malicious applications in question, which was seen in the wild back in 2016.

Conclusions

Cyber espionage campaigns of clear political orientation can be observed worldwide these days, and we could expect to see a sharp rise in their appearance as time and technology progresses. The Domestic Kitten operation stands out due to its capabilities and its targets. While we have already witnessed Iran executing aggressive campaigns against its global enemies (the United States, Israel and Persian Gulf countries), it seems that Iran is investing primary efforts and resources to other targets as well – its own citizens. Browser data, which could reveal your opinions and aspirations; Photos and GPS signals, which can reveal your whereabouts; Surrounding recordings, which can reveal your deepest secrets and relationships. All of those are accessible to the campaigns managers based on this operation.

 

Appendix

Application Name	Code Name	Translation/Description	Target Audience	Version
Telegram X	User180408	–	Generic	5.6.0
VPN USA (Turbo)	UUU	–	Generic	5.2.0
Pornhub	TOOTFarangi	–	Generic	5.4.0
MoboChat	Shahram-mobo-hidn	–	Generic	5.4.0
PVid	Sharam	–	Generic	5.4.0
MVids	RezaShahmoradi	–	Generic	5.4.0
Vidogram	RazaMoradi	–	Generic	5.4.0
Sata Salary	Fish2	–	Generic	5.2.0
Google Service Updater	M.S.D.GooglePlay	–	Generic	5.3.0
SuperVPN	User180506	–	Generic	5.6.0
Moblie Security	Mobilesecurity_oth	–	Generic	5.6.0
Vibration Alarm	Majzelzele	–	Generic	5.2.0
Psiphon Pro	Siphonpro1	–	Generic	5.2.0
Thunder VPN	Thunder VPN	–	Generic	5.6.0
Islamic Ringtones	Islamic rington	–	Generic	5.6.0
NASA	User 180820	–	Generic	5.6.0
Sexy Bikini Girl	bikini	–	Generic	5.0.0
Kurdish Flag	Sangi4	–	Kurdish Speakers	–
Free Kurdish Radio	Sangi1	–	Kurdish Speakers	5.0.0
Kurdistan Wallpaper	Sangi2	–	Kurdish Speakers	5.0.0
Hewalekem	Rahim Hawshar	Kurdish News	Kurdish Speakers	5.4.0
Pepule	Majpolpepule960927	Kurdish TV Channel	Kurdish Speakers	5.2.0
روژ ژمیری کوردی	Majpolkurdi960927	Kurdish Calendar	Kurdish Speakers	5.2.0
پرچم کردستان	Sangi4	Kurdistan Flag	Kurdish Speakers	5.0.0
اشعار كوردى	Sher-kordi	Kurdish Poetry	Kurdish Speakers	–
ناوه جوانه کانی خودا	Asma kordi	Names of God in Kurdish	Kurdish Speakers	–
عاشقانه كوردى	Asheghaneh-kordi	Romantic Kurdish	Kurdish Speakers	–
پیامک نوروزی	payamak 96	Nowruz SMS	Persian Speakers	–
ازدواج موقت محصنين	Ezdevaj	Temporary Marriage	Persian Speakers	5.6.0
همراه بانک ملت	Melat	Mellat Mobile Bank	Persian Speakers	5.2.0
Manoto	Majid	Persian TV Channel	Persian Speakers	–
اسلحه شناسى	WEAPON	Firearms Maker	Persian Speakers	6.0.0
شاهنامه فردوسى	Shahnameh3	Shahnameh poem by Ferdosi	Persian Speakers	–
زندگانی پیامبر	Zendeganipayambar	The Life of the Prophet	Persian Speakers	–
حافظ	HAFEZ——-	Hafez (A Persian Poet)	Persian Speakers	–
Military News	Militarynews-TAHRENIA	Tehran Military News	Persian Speakers	–
تلگرام مدرن	Telmodern	Modern Telegram	Persian Speakers	5.2.0
قوانين ارتش	Ghavanin2	Army Rules	Persian Speakers	5.2.0
حافظ نامه	Hafeznameh	Hafez Nameh (A Persian Book)	Persian Speakers	5.6.0
گنج نامه	Ganjnameh	Ganjnameh (Inscription in Iran)	Persian Speakers	–
ارتشبد آريا	arteshbodarya	Aria Army Officer	Persian Speakers	5.2.0
شیپور	Sheypoor	Trumpet	Persian Speakers	–
Professor Javad Lesani	Lesani1	Iranian Martial Artist	Persian Speakers	5.6.0
ارتباط وچت با نامحرم	Gonbad	Relationship and Chat with Unnamed Person	Persian Speakers	–
بلوچ وبلوچستان	balochestan	Baloch and Balochistan	Persian Speakers	–
زن و تمدن	Zan va tamadon	Women and Civilization	Persian Speakers	–
جملات ناب آنتونى رابينز	Antoni rabinz	Anthony Robbins Quotes	Persian Speakers	–
متن رو عکس	Matn Ro Aks	Picture Text	Persian Speakers	–
جهاددر اسلام	Jahad	Jihad in Islam	Persian Speakers	–
عقيده قدسى	Aghideh	Holy Belief	Persian Speakers	–
ردشبهات برادران	Shobahat shiayan	Reject the Doubts of the Brothers	Persian Speakers	–
فوائد تقوا	Taghva	Benefits of Virtue	Persian Speakers	–
دار العلوم ديوبند	Deyouband	Darul Uloom Islamic School	Persian Speakers	–
بادصبا	Toolbox	BadeSaba Persian Calendar	Persian Speakers	–
كيك	K0008	Kik	Arabic Speakers	5.2.0
حتى تكون ناجحا	BOOK10008	To Be Successful	Arabic Speakers	5.2.0
مفتاح النجاح	BOOK3009	Key to Success	Arabic Speakers	5.2.0
اقوى رسائل اعتذار	24	Best Apology Messages	Arabic Speakers	5.2.0
أخيرا اكتشفت السعادة	Book2008	Finally Discovered Happiness	Arabic Speakers	5.2.0
رمزيات اعتذار واسف	BOOK5F5F5F	Apologies and Regrets	Arabic Speakers	5.2.0
تيليجرام	T0009	Telegram	Arabic Speakers	5.2.0
Omar Farouq (Sallabi)2	Omar farough		Arabic Speakers	–
Fatwas-Ibntaimiah	Ebn taimiah	Ibn Taimah’s Fatwas	Arabic Speakers	5.6.0
شروط لا اله الا الله	Daesh9	Shahadah Conditions	Arabic Speakers	–
تفسير ابن كثير	Daesh4	Ibn Kathir Explanation	Arabic Speakers	5.6.0
Asma’ al-husna	Daesh4	Names of God	Arabic Speakers	5.0.0
Ayat – Al Quran	Quran	Verses from the Quraan	Arabic Speakers	–
جميع الأحاديث النبوية الشريفة	Ahadisnabavi	All of the Prophet’s Hadiths	Arabic Speakers	–
شيخ الإسلام مولانا عبدالحميد	Abdolhamid	Islam Sheikh Abdul Hamid	Arabic Speakers	5.6.0
ادعية ليلة القدر	User180607	Laylat Al-Qadr Prayers	Arabic Speakers	5.2.0
Azkari	Azkar	Prayers	Arabic Speakers	5.6.0
الاذان بأعذب الاصوات	Asvat	Adhan in the Sweetest Voices	Arabic Speakers	–
وصايا الرسول 55 وصية	BOOK BOOK	Prophet’s 55 Commandments	Arabic Speakers	5.2.0
وصايا الرسول كاملة بدون انترنت	BOOK1010	Full Prophet Commandments (No Internet Needed)	Arabic Speakers	5.2.0
حصن المسلم	BOOK42008	Muslim Fortification	Arabic Speakers	5.2.0
دولة خلافة الاسلامية	Daesh1	Muslim Caliphate Country	ISIS Supporters	–

 

Domains registered by ja.sh@gmx[.]com:

cofe-clip[.]com
wprmi[.]com
updateprocesses[.]com
nevisa-co[.]com
cartoonize-co[.]com
hinews24[.]com
wgtray[.]com
appdevelopment-co[.]com
appsoftupdate[.]com
mobileupdateapp[.]com