Ferocious Kitten, an APT group based in Iran, is actively targeting Iranians. The group uses malicious documents to deliver MarkiRAT, which records keystrokes and clipboard content.

Two suspicious documents, apparently operated by the same attackers, were uploaded to VirusTotal in July 2020 and March.

One of the documents, Romantic Solidarity With Lovers of Freedom2[.]doc, included malicious macros along with an odd decoy message trying to persuade the victim to enable its content. Both documents drop malicious executables on the targeted system and show messages against the regime in Iran.

Some of the TTPs recently used by Ferocious Kitten resemble those of other active threat groups attacking similar sets of targets, for example, Rampant Kitten and Domestic Kitten.

About MarkiRAT

MarkiRAT has been traced back to at least 2015. It has variants designed to attain persistence in Telegram and Chrome applications.

The implant's internal name is mklg, which is visible in the PDB paths used in the executable binaries. This name possibly stands for ‘Mark KeyLogGer’, where Mark could be used as an internal HTML tag. The implant has file download and upload capabilities and can execute arbitrary commands on the victim machine, including commands it receives via C2.
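
A defender can look for this artifact by pulling PDB paths out of a file's CodeView debug records. The following Python is an added example, not code from the original report; the byte samples and the paths inside them are constructed, and `mklg` is the only value taken from the text above.

```python
import re
import struct
import sys

# CodeView PDB 7.0 record layout: "RSDS", 16-byte GUID, 4-byte age,
# then the NUL-terminated PDB path the linker embedded at build time.
RSDS = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260})\x00", re.DOTALL)

def pdb_records(data: bytes) -> list[dict]:
    """Extract every RSDS debug record found anywhere in the file bytes."""
    records = []
    for m in RSDS.finditer(data):
        records.append({
            "guid": m.group(1).hex(),
            "age": struct.unpack("<I", m.group(2))[0],
            "path": m.group(3).decode("ascii"),
        })
    return records

def flag_marker(data: bytes, marker: str = "mklg") -> list[str]:
    """Return PDB paths containing the marker, compared case-insensitively."""
    needle = marker.lower()
    return [r["path"] for r in pdb_records(data) if needle in r["path"].lower()]

def make_record(path: str) -> bytes:
    """Build a constructed RSDS record for testing (not a real sample)."""
    header = b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)
    return header + path.encode("ascii") + b"\x00"

# Constructed inputs: the directory and file names are invented for this example.
SAMPLE_HIT = b"MZ" + b"\x00" * 64 + make_record(r"C:\constructed\MKLG\Release\mklg.pdb")
SAMPLE_CLEAN = b"MZ" + b"\x00" * 64 + make_record(r"D:\constructed\app\Release\app.pdb")

if __name__ == "__main__":
    # Scan files given on the command line; fall back to the constructed samples.
    blobs = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "SAMPLE_HIT": SAMPLE_HIT, "SAMPLE_CLEAN": SAMPLE_CLEAN}
    for name, blob in blobs.items():
        for path in flag_marker(blob):
            print(f"{name}: PDB path contains 'mklg': {path}")
```

PDB paths are set at build time and can be stripped or changed, so a match is a lead for triage rather than proof of attribution.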

Final Thoughts

Ferocious Kitten is a threat actor that operates with the aim of tracking individuals in Iran. Although its toolset is not too sophisticated, it is a well-skilled group. Moreover, the group is trying to enhance its arsenal with new tools to make its attacks more successful.