A new obfuscated variant of the Android malware FurBall has been used in a recent campaign by the Iran-based Domestic Kitten group against Iranian citizens.

What’s happening?

ESET researchers have identified a new Android FurBall sample targeting Iranian citizens that retains the surveillance functionality of earlier versions.
  • FurBall is distributed via a copy of a legitimate Iranian website that provides translated articles, journals, and books.
  • The copycat website offers a fake translation app, downloaded as an APK file (named sarayemaghale.apk) directly from the attacker's server.
  • To lure victims, the campaign operators use a range of distribution vectors: direct messages, social media posts, emails, SMS, black SEO, and SEO poisoning.

FurBall’s added functionalities

  • The newest version adds code obfuscation: class names, strings, log messages, and server URI paths are all obfuscated.
  • The C&C side has changed only slightly; the server-side PHP scripts are named differently.
  • This version requests only contacts and storage permissions, a smaller footprint that is less likely to draw attention from users or security tooling. Only a limited subset of its spying functionality is enabled, again to evade detection.
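As an added example (not code from the ESET report or from the original article), the following Python script checks the two indicators the list above describes against constructed inputs: the permissions a decoded AndroidManifest.xml declares, and how many class names in the app look machine-renamed. The manifest, the package name and the class list are made up for this example; the permission strings are standard Android ones, and the category grouping is this example's own.

```python
"""Triage helpers for two indicators of a slimmed-down spyware build:
the permission set declared in the manifest, and the share of obfuscated
(non-descriptive) class names. All inputs below are CONSTRUCTED samples,
not artifacts from FurBall or any real APK."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission strings mapped to the data they unlock.
# The grouping is this example's choice, not an Android or ESET taxonomy.
DATA_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "sms",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element in a
    decoded manifest (e.g. the AndroidManifest.xml written by apktool)."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def sensitive_data_categories(permissions):
    """Group declared permissions by the data category they give access to."""
    categories = {}
    for perm in permissions:
        if perm in DATA_PERMISSIONS:
            categories.setdefault(DATA_PERMISSIONS[perm], []).append(perm)
    return categories


# One- or two-letter simple names (a, b, aa, ...) are what ProGuard/R8-style
# renaming produces. Heuristic only: legitimate release builds are minified
# too, so a high ratio marks a sample for closer review, not as malware.
OBFUSCATED_NAME = re.compile(r"^[a-zA-Z]{1,2}$")


def obfuscation_ratio(class_names):
    """Fraction of classes whose simple name matches OBFUSCATED_NAME."""
    if not class_names:
        return 0.0
    simple_names = [name.rsplit(".", 1)[-1] for name in class_names]
    hits = sum(1 for s in simple_names if OBFUSCATED_NAME.match(s))
    return hits / len(simple_names)


# Constructed manifest for a hypothetical "translation" app that asks only for
# contacts and storage, mirroring the reduced permission set described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.translator">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""

# Constructed class list: a couple of readable names plus many renamed ones.
SAMPLE_CLASSES = [
    "com.example.translator.MainActivity",
    "com.example.translator.a", "com.example.translator.b",
    "com.example.translator.c", "com.example.translator.d",
    "com.example.translator.e.a", "com.example.translator.e.b",
    "com.example.translator.e.c", "com.example.translator.e.d",
    "androidx.appcompat.app.AppCompatActivity",
]


def triage(manifest_xml, class_names):
    """Combine both checks into one report for an analyst."""
    perms = declared_permissions(manifest_xml)
    return {
        "permissions": perms,
        "data_access": sensitive_data_categories(perms),
        "obfuscation_ratio": obfuscation_ratio(class_names),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_CLASSES).items():
        print(f"{key}: {value}")
```

The point of pairing the two checks is the caveat the article implies: a translation app that declares READ_CONTACTS has no obvious need for it, but neither a narrow permission set nor heavy renaming is malicious on its own, so the report is a prompt for manual review rather than a verdict.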

History of Domestic Kitten

Domestic Kitten, also tracked as APT-C-50, has run mass-surveillance operations since at least 2016.
  • Its activity was first reported in 2018, when it targeted Kurdish and Turkish natives and ISIS supporters.
  • Further campaigns attributed to Domestic Kitten were identified in 2019, 2020, and 2021.

Conclusion

The detection rate of the new FurBall version on VirusTotal has decreased over time. With this added obfuscation layer, Domestic Kitten may be preparing spear-phishing campaigns built on the information collected in the ongoing operation.

Publisher: Cyware