Domestic Kitten – An Inside Look at the Iranian Surveillance OperationsFebruary 8, 2021
Despite the reveal of “Domestic Kitten” by Check Point in 2018, APT-C-50 has not stopped conducting extensive surveillance operations against Iranian citizens that could pose a threat to the stability of the Iranian regime, including internal dissidents, opposition forces, ISIS advocates, the Kurdish minority in Iran, and more.
In this paper, Check Point Research reveals the extent of the operations, the multiple campaigns executed by APT-C-50, their delivery methods, and an analysis of the targeted individuals. In addition, we provide a technical analysis of the FurBall malware used since the beginning of the operation, its origin, and observed covers used to conceal the malware’s true nature.
Check Point researchers recently uncovered the full extent of Domestic Kitten’s extensive surveillance operation against Iranian citizens that could pose a threat to the stability of the Iranian regime. The operation itself is linked to the Iranian government, and executed by APT-C-50.
Starting in 2017, this operation, consisting of 10 unique campaigns, targeted over 1,200 individuals with more than 600 successful infections. It includes 4 currently active campaigns, the most recent of which began in November 2020.
In these campaigns, victims are lured to install a malicious application by multiple vectors, including an Iranian blog site, Telegram channels, and even by SMS with a link to the malicious application.
The capabilities of the Domestic Kitten malware (which we are calling FurBall), include: collecting device identifiers, grabbing SMS messages and call logs, surround recording with the device microphone, call recording, stealing media files (such as videos and photos), obtaining a list of installed applications, tracking the device location, stealing files from the external storage, and more. For a full list of commands, see the Technical Analysis section.
Campaigns & Victims
Almost all of the campaigns we observed use the same infrastructure that Domestic Kitten used back in 2018, the C&C hXXp://www[.]firmwaresystemupdate[.]com. We differentiate between campaigns by the URI segment of the C&C server. For example, in the most recent campaign the full C&C address is hXXp://www[.]firmwaresystemupdate[.]com/hass (which we call the ‘hass’ campaign for obvious reasons).
|hass||November 2020||Currently active|
|or||May 2020||June 2020|
|mat||December 2019||July 2020|
|hj||May 2019||April 2020|
|oth||June 2018||Currently active|
|hr||October 2017||November 2017|
|maj||October 2017||June 2019|
|mmh||July 2017||Currently active|
|msd||June 2017||Currently active|
Figure 1 – Domestic Kitten Campaign list
FurBall uses a large variety of covers to mask its malicious intentions. A few prominent covers include:
- VIPRE Mobile Security – A fake mobile security application.
- ISIS Amaq – A news outlet for the Amaq news agency.
- Exotic Flowers – A repackaged version of a game from Google Play.
- MyKet – An Android application store.
- Iranian Woman Ninja – A wallpaper application.
In the newest ‘hass’ campaign, APT-C-50 mimics an application for the restaurant “Mohsen Restaurant” which is located in Tehran. Covers of the ‘mmh’ campaign include an ISIS supporter application and a repackaged version of ‘Exotic Flowers’ from Google Play.
Figure 2 – FurBall Mohsen ;hass’
Figure 3 – FurBall Repacked ‘Exotic Flowers’ cover, and an ISIS supported cover
A full list of the covers is provided in Appendix 1 – FurBall Covers.
The methods used to deliver FurBall applications to victims also varies from one campaign to another. In some campaigns, we observed SMS messages with a link to download the malware, while in others an Iranian blog site hosted the payload. In another campaign, we assume that the application was shared in a Telegram channel.
Figure 4 – The Iranian blog hosting FurBall
We were able to identify victims of the Domestic Kitten operation from various places around the globe, including Iran, the United States, Great Britain, Pakistan, Afghanistan, Turkey, and more.
Figure 5 – Victims distribution by Country
Figure 6 – Successful attacks by date and campaign
We traced 2 unique IPs that connected to the malware’s C&C server. We assume that those IPs are used to send instructions to the server: 220.127.116.11 and 18.104.22.168. According to ip2location.com, both IPs reside in Iran, the first in Tehran, and the second in Karaj.
Figure 7 – IP2Location’s output
FurBall – Technical Analysis
Upon execution, the first thing Furball does is to allow execution of the application on the device startup. To achieve this, FurBall starts its code on a receiver that listens for the BOOT_COMPLETED event, which in turn calls to the ‘startService’ method to initiate everything that is needed for the malware’s functionality.
Figure 8 – BOOT_COMPLETED receiver
Figure 9 – The startService method
In addition, this piece of code also initializes a ‘settings’ object, which contains the configuration for FurBall: which C&C to connect to, another back-up C&C address, flags to allow functionality, frequency for C&C pulling commands, and more.
Figure 10 – FurBall configuration
After initialization, FurBall creates 3 threads.
The first periodically sends media files such as videos, photos, and call records to the server, with a default frequency of every 20 seconds. The remaining 2 threads are keep-alive threads that communicate with <C&C Address>/<campaign>/answer.php. We assume this allows the threat actors to see which devices are currently active.
The next step for FurBall is to initialize the Command Manager. This component pulls commands from the C&C by requesting the <C&C>/<campaign>/get-function.php and awaits commands. Each command is delimited by the “===”string, and the arguments are delimited by the “~~~” string.
|Time||Gets device local time.|
|Set||Sets a configuration parameter given as the first argument, to a specific value given as the second argument.|
|Get||Gets data given as an argument from the infected device. The list below includes all possible Get arguments.|
|Get~~~AllLog||Gets log files|
|Get~~~AllNotif||Gets all notifications|
|Get~~~AllContact||Gets all contacts.|
|Get~~~AllFile||Gets the names of all files on the device from the SD card root.|
|Get~~~AllSms||Gets all SMS.|
|Get~~~AllCall||Gets call logs.|
|Get~~~AllApp||Gets a list of all installed applications on the device.|
|Get~~~AllBrowser||Gest all browsing history.|
|Get~~~AllAccount||Gest a list of all user accounts stored on the device.|
|Get~~~AllSettings||Gets the settings for FurBall.|
|Get~~~Location||Gets the current location of the device.|
|Get~~~HardwareInfo||Gets hardware information on the device.|
|Get~~~File||Gets a specific file and upload it to <C&C>/<campaign>/upload-file.php|
|Take||Allows the actor to perform actions on the device itself. The list below shows all possible arguments for the Take command.|
|Take~~~Audio||Starts audio recording with the microphone for a given amount of time.|
|Take~~~Video||Starts a video recording using camera ID specified as a parameter for a given amount of time.|
|Take~~RecordCall||Starts recording calls from this point on.|
|Delete~~~SMS||Deletes all SMS from the “HiddenNumber” parameter in the configuration.|
|Delete~~~Call||Deletes all calls from the “HiddenNumber” parameter in the configuration.|
|Delete~~~File||Deletes files from provided paths.|
|Reset~~~AllCommand||Deletes all logs and media files, resets to a “default” configuration.|
Figure 11 – FurBall possible commands
Figure 12 – the Command Manager listening for commands
After all initializations, it’s time to start collecting the initial data on the device. FurBall collects the following data on startup:
- Hardware Information
- Call logs
- Browser history
- File list on the SD card
Figure 14 – the sendStartup method
After collecting initial data on the device, FurBall initialize two other components. The first one is a clipboard monitor which monitors the clipboard content (where data is stored when it’s “copied”), and the other collects info about the top-most application’s activity.
Figure 15 – Clipboard monitor
Figure 16 – Top-most application monitor
The last significant component that is used by FurBall is the Notification Observer Service, a service that is based on the NotificationListenerService and allows FurBall to access all notifications received by the device.
Figure 17 – NotificationObserverService
While investigating the new version of Domestic Kitten’s FurBall, we noticed that FurBall is actually based on a commercially available parental control software called KidLogger . As FurBall shares a lot of infrastructure code with KidLogger, it seems that the developers used the KidLogger source-code available on github.
A few noticeable differences between KidLogger and FurBall:
- FurBall has a configuration update mechanism that is not present in KidLogger.
- FurBall is based on plain threads, while KidLogger is based on services.
Figure 18 – Code similarity between FurBall and KidLogger
We were able to mimic the command and control server’s behavior and provide a potential use-case against a fictional target.
How to protect yourself
Check Point SandBlast Mobile is the market-leading Mobile Threat Defense (MTD) solution, providing the widest range of capabilities to help you secure your mobile workforce.
SandBlast Mobile provides protection for all mobile vectors of attack, including the download of malicious applications and applications with malware embedded in them.
Appendix 1 – FurBall Covers:
|com.clem.isisnews||ISIS News Watch|
|com.majorityapps.exoticflowers||Repacked “Exotic Flowers” from Google Play.|
|com.ssd.vipre||Fake security product|
|com.apps.amaq||Amaq News Agency Application|
|ir.hukmi.moanzalalloh||“Judgment by what Alla has revealed”|
|com.hamgaam.shahnamef||“The Book of Kings”|
|ir.korosh.kabir||“Cyrus the Great”|
|com.kabood.koroshkabir||“Cyrus the Great”|
|com.andriod.browser||Fake “mobile secured browser”|
|ir.mservices.market||Application market for Android|
|com.mohsen||Mohsen restaurant mimic|
Appendix 2 – IOCs: