Domestic Kitten – An Inside Look at the Iranian Surveillance Operations

February 8, 2021

Overview

Despite the reveal of “Domestic Kitten” by Check Point in 2018, APT-C-50 has not stopped conducting extensive surveillance operations against Iranian citizens that could pose a threat to the stability of the Iranian regime, including internal dissidents, opposition forces, ISIS advocates, the Kurdish minority in Iran, and more.
In this paper, Check Point Research reveals the extent of the operations, the multiple campaigns executed by APT-C-50, their delivery methods, and an analysis of the targeted individuals. In addition, we provide a technical analysis of the FurBall malware used since the beginning of the operation, its origin, and observed covers used to conceal the malware’s true nature.

General

Check Point researchers recently uncovered the full extent of Domestic Kitten’s  extensive surveillance operation against Iranian citizens that could pose a threat to the stability of the Iranian regime. The operation itself is linked to the Iranian government, and executed by APT-C-50.
Starting in 2017, this operation, consisting of 10 unique campaigns, targeted over 1,200 individuals with more than 600 successful infections.  It includes 4 currently active campaigns, the most recent of which began in November 2020.
In these campaigns, victims are lured to install a malicious application by multiple vectors, including an Iranian blog site, Telegram channels, and even by SMS with a link to the malicious application.
The capabilities of the Domestic Kitten malware (which we are calling FurBall), include: collecting device identifiers, grabbing SMS messages and call logs, surround recording with the device microphone, call recording, stealing media files (such as videos and photos), obtaining a list of installed applications, tracking the device location, stealing files from the external storage, and more. For a full list of commands, see the Technical Analysis section.

Campaigns & Victims

Almost all of the campaigns we observed use the same infrastructure that Domestic Kitten used back in 2018, the C&C hXXp://www[.]firmwaresystemupdate[.]com. We differentiate between campaigns by the URI segment of the C&C server. For example, in the most recent campaign the full C&C address is hXXp://www[.]firmwaresystemupdate[.]com/hass (which we call the ‘hass’ campaign for obvious reasons).

Campaign

Start End
hass November 2020 Currently active
or May 2020 June 2020
mat December 2019 July 2020
hj May 2019 April 2020
oth June 2018 Currently active
hr October 2017 November 2017
maj October 2017 June 2019
mmh July 2017 Currently active
msd June 2017 Currently active

grt

June 2017

September 2019

Figure 1 – Domestic Kitten Campaign list

 

FurBall uses a large variety of covers to mask its malicious intentions. A few prominent covers include:

  • VIPRE Mobile Security – A fake mobile security application.
  • ISIS Amaq – A news outlet for the Amaq news agency.
  • Exotic Flowers – A repackaged version of a game from Google Play.
  • MyKet – An Android application store.
  • Iranian Woman Ninja – A wallpaper application.

In the newest ‘hass’ campaign, APT-C-50 mimics an application for the restaurant “Mohsen Restaurant” which is located in Tehran. Covers of the ‘mmh’ campaign include an ISIS supporter application and a repackaged version of ‘Exotic Flowers’ from Google Play.

Figure 2 – FurBall Mohsen ;hass’

 

       

Figure 3 – FurBall Repacked ‘Exotic Flowers’ cover, and an ISIS supported cover

A full list of the covers is provided in Appendix 1 – FurBall Covers.

The methods used to deliver FurBall applications to victims also varies from one campaign to another. In some campaigns, we observed SMS messages with a link to download the malware, while in others an Iranian blog site hosted the payload.  In another campaign, we assume that the application was shared in a Telegram channel.

Figure 4 – The Iranian blog hosting FurBall

We were able to identify victims of the Domestic Kitten operation from various places around the globe, including Iran, the United States, Great Britain, Pakistan, Afghanistan, Turkey, and more.

 

Figure 5 – Victims distribution by Country

Figure 6 – Successful attacks by date and campaign

We traced 2 unique IPs that connected to the malware’s C&C server. We assume that those IPs are used to send instructions to the server: 94.182.215.98 and 188.158.60.100. According to ip2location.com, both IPs reside in Iran, the first in Tehran, and the second in Karaj.

Figure 7 – IP2Location’s output

FurBall – Technical Analysis

Upon execution, the first thing Furball does is to allow execution of the application on the device startup. To achieve this, FurBall starts its code on a receiver that listens for the BOOT_COMPLETED event, which in turn calls to the ‘startService’ method to initiate everything that is needed for the malware’s functionality.

Figure 8 – BOOT_COMPLETED receiver

 

Figure 9 – The startService method

In addition, this piece of code also initializes a ‘settings’ object, which contains the configuration for FurBall: which C&C to connect to, another back-up C&C address, flags to allow functionality, frequency for C&C pulling commands, and more.

Figure 10 – FurBall configuration

After initialization, FurBall creates 3 threads.

The first periodically sends media files such as videos, photos, and call records to the server, with a default frequency of every 20 seconds. The remaining 2 threads are keep-alive threads that communicate with <C&C Address>/<campaign>/answer.php. We assume this allows the threat actors to see which devices are currently active.

The next step for FurBall is to initialize the Command Manager. This component pulls commands from the C&C by requesting the <C&C>/<campaign>/get-function.php and awaits commands. Each command is delimited by the “===”string, and the arguments are delimited by the “~~~” string.

Command Action
NoCommand No command.
Time Gets device local time.
Set Sets a configuration parameter given as the first argument, to a specific value given as the second argument.
Get Gets data given as an argument from the infected device. The list below includes all possible Get arguments.
Get~~~AllLog Gets log files
Get~~~AllNotif Gets all notifications
Get~~~AllContact Gets all contacts.
Get~~~AllFile Gets the names of all files on the device from the SD card root.
Get~~~AllSms Gets all SMS.
Get~~~AllCall Gets call logs.
Get~~~AllApp Gets a list of all installed applications on the device.
Get~~~AllBrowser Gest all browsing history.
Get~~~AllAccount Gest a list of all user accounts stored on the device.
Get~~~AllSettings Gets the settings for FurBall.
Get~~~Location Gets the current location of the device.
Get~~~HardwareInfo Gets hardware information on the device.
Get~~~File Gets a specific file and upload it to <C&C>/<campaign>/upload-file.php
Take Allows the actor to perform actions on the device itself. The list below shows all possible arguments for the Take command.
Take~~~Audio Starts audio recording with the microphone for a given amount of time.
Take~~~Video Starts a video recording using camera ID specified as a parameter for a given amount of time.
Take~~RecordCall Starts recording calls from this point on.
Delete~~~SMS Deletes all SMS from the “HiddenNumber” parameter in the configuration.
Delete~~~Call Deletes all calls from the “HiddenNumber” parameter in the configuration.
Delete~~~File Deletes files from provided paths.
Reset~~~AllCommand Deletes all logs and media files, resets to a “default” configuration.

Figure 11 – FurBall possible commands

Figure 12 – the Command Manager listening for commands

Figure 13 – Command Manager parsing commands

After all initializations, it’s time to start collecting the initial data on the device. FurBall collects the following data on startup:

  • Hardware Information
  • Contacts
  • Call logs
  • Accounts
  • Browser history
  • File list on the SD card

 

 

Figure 14 – the sendStartup method

 

After collecting initial data on the device, FurBall initialize two other components. The first one is a clipboard monitor which monitors the clipboard content (where data is stored when it’s “copied”), and the other collects info about the top-most application’s activity.

Figure 15 – Clipboard monitor

Figure 16 – Top-most application monitor

The last significant component that is used by FurBall is the Notification Observer Service, a service that is based on the NotificationListenerService and allows FurBall to access all notifications received by the device.

Figure 17 – NotificationObserverService

While investigating the new version of Domestic Kitten’s FurBall, we noticed that FurBall is actually based on a commercially available parental control software called KidLogger . As FurBall shares a lot of infrastructure code with KidLogger, it seems that the developers used the KidLogger source-code available on github.

A few noticeable differences between KidLogger and FurBall:

  • FurBall has a configuration update mechanism that is not present in KidLogger.
  • FurBall is based on plain threads, while KidLogger is based on services.

Figure 18 – Code similarity between FurBall and KidLogger

Demo

We were able to mimic the command and control server’s behavior and provide a potential use-case against a fictional target.

https://www.youtube.com/watch?v=lpsS3g0xZIU&feature=youtu.be

 

How to protect yourself

Check Point SandBlast Mobile is the market-leading Mobile Threat Defense (MTD) solution, providing the widest range of capabilities to help you secure your mobile workforce.
SandBlast Mobile provides protection for all mobile vectors of attack, including the download of malicious applications and applications with malware embedded in them.
Learn more.

 

Appendix 1 – FurBall Covers:

Package name Cover
com.intense.pub1.sbgs Islamic Caliphate
com.clem.isisnews ISIS News Watch
com.majorityapps.exoticflowers Repacked “Exotic Flowers” from Google Play.
com.ssd.vipre Fake security product
com.apps.amaq Amaq News Agency Application
air.com.arsnetworks.poems.moshiri Persian poems
air.com.arsnetworks.poems.sohrab Persian poems
com.nidayehaq Religious application
com.ramadan.kareem.app Ramadan Pictures
ir.hukmi.moanzalalloh “Judgment by what Alla has revealed”
org.microemu.android.ir.mjface.toolkit.Midlet “Omar Farouq”
com.hamgaam.shahnamef “The Book of Kings”
ir.korosh.kabir “Cyrus the Great”
ir.hawijapp.myhafez Persian poems
com.kabood.koroshkabir “Cyrus the Great”
com.andriod.browser Fake “mobile secured browser”
ir.mservices.market Application market for Android
com.mohsen Mohsen restaurant mimic

Appendix 2 – IOCs:

b1df569ad4686e16ec0c661733d56778f59cdb78207a3c2ad66df9b9828c84ab
68a1452172636b081873b9f7c1ae3794035c4ff50d5538b656caf07016b74d07
02d6ca25b2057f181af96d2837486b26231eaa496defdf39785b5222014ef209
290d70472f4b00a1cf01f5c1311aacffaa39057bb1c826c99419999ccef7ae53
039fc34ace1012eff687f864369540b9085b167f0d66023f3b94f280a7fdf8b7
7f603216a0a7bae2c8cec65a800608ac22cfff8cd98c699677e44d36267a9798
54479fbb2f3c8c16714e526925537e738b1b586310c8d15ce10f33327392e879
d90168d1f3568b5909d2e14288300ede298f6c663b51e883e7eb5d8d70277423
ccef7ca705b899fe337eda462d38216c414c0cfe41052dec102c8f6d8876ad8a
8324266e25d6a8dbc6e561e035b9e713c3bd339ba9bb5e5b9d4f0821a0262510
3d41830f943c31f69eb6ed7804cc18b289ba2172d258bd118a8503d120318d63
53e00f1e8d2d6aa2d8a0eda2bf2d924fbc6f67db12ac3238d7c4b4520de7fadc
ca730b8b355e44919629a958d940e77eb1b4cd0c1bbe2ab94a963222f2723f57
f1728125f37ca8738b19b418a3fe896e9bdcde5aed6559db3eea55f4e17602c4
5787723b2221464337e6bbe4200aab912f1f711447224e4e6c4c96c451ff41bf
e069bcd473c83b937db46243dd53e8856b5be6d0ade880c0ec61107054a7e32e
48d642c2c77eeabff36249c59ce397a9ee5f3d825d735f839c5c05939499406e
1dc12c6a44852023f1687f9f31a9e58dc7ce96d492a58a3e87dec5aa8f45ba92
4580980a6fb65ea1501464d36306c24d341189e84500562c5a3ac844f9a79525
a5b5f6027b463d82fded3c38153086d5accc466df33123070ea541e62124b943
a3797856766fef6651f8c679febd12378fc3196c5cc74923d90377045107700d
9156f5bd322306c9038a3bc830e53e7b13c272e121fb70b3b8d7d9968fb97e4f
88d03e683c01d9979c752844579bd367892edbbdc876b03df8e1d09412f761c5
bd7779e6100e07b3eae67bfcdc53f1f08468651240229e284cca60e2b953496b
62a48bcb2d2f22017ce67b853654903464c19892a07a3c0ca020048cb049f0cd

e7a6925f0fe03108b965a3cf9f2fe1204add376ecde68bafd872e9d828d762e9

53ed971b48ae0b2ff6bcdd7bf4e8970d6eac3e7cdcd3ae6fa05860b9e5ac58ee

firmwaresystemupdate[.]com

appsoftupdate[.]com