Researchers Share Technical Details on the Fox Kitten Cyberespionage Campaign

  • It is orchestrated against companies from the IT, telecom, oil & gas, aviation, government, and security sectors globally.
  • The campaign has been running for at least three years.

Several companies have been targeted as part of the widespread Iran-linked Fox Kitten offensive campaign. The campaign, which has been running for at least three years, has been orchestrated against companies from the IT, telecoms, oil & gas, aviation, government, and security sectors globally.

Which threat actor groups are involved?

A new report published by Israeli cybersecurity firm ClearSky has revealed that the purpose of the hacker groups involved in the campaign is to infiltrate and take control of critical corporate information. In the last three years, they have managed to do so by exploiting known vulnerabilities in systems with unpatched VPN and RDP services.

Researchers claim it to be the work of at least three Iranian groups - namely APT33 (Elfin, Shamoon), APT34 (OilRig), and APT39 (Chafer).

The campaign infrastructure was used for the following purposes:

  • To develop and maintain access routes to the targeted organizations;
  • To steal valuable information from the targeted organizations;
  • To maintain a long-lasting foothold at the targeted organizations;
  • To breach additional companies through supply-chain attacks.

What’s new about the ongoing campaign?

Currently, the purpose of these attacks appears to be reconnaissance and planting backdoors for surveillance operations. Researchers fear that access to all of these infected enterprise networks could also be weaponized in the future to deploy data-wiping malware.

Additionally, the groups have developed strong offensive capabilities and are now able to exploit 1-day vulnerabilities within relatively short periods of time, ranging from several hours to a week or two after disclosure.

Types of hacking tools used in the campaign

The list of privilege escalation tools used by hackers includes ‘Juicy Potato,’ Procdump, Mimikatz, and Sticky Keys.

The threat actors also leveraged legitimate sysadmin software such as PuTTY, Plink, Ngrok, Serveo, or FRP to infiltrate corporate networks and tunnel traffic out of them.

ClearSky’s further investigation also found tools like:

  • STSRCheck - Self-developed tool for mapping databases and open ports.
  • POWSSHNET - Self-developed backdoor malware for RDP-over-SSH tunneling.
  • Custom VBScripts - Scripts that download TXT files from the command-and-control (C2 or C&C) server and reassemble these files into a portable executable (PE) file.
  • Socket-based backdoor over cs.exe - An EXE file used to open a socket-based connection to a hardcoded IP address.
  • Port.exe - Tool to scan predefined ports on an IP address.
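Two of the tool behaviours listed above leave network-level traces a defender can hunt for: the VBScripts pull a payload as many small TXT files from the C2 before reassembling it, and RDP-over-SSH tunneling shows up as outbound SSH from hosts that normally never make SSH connections. The following Python script is an added example written for this article (it is not ClearSky's code and not taken from the report); the log format, the hostnames and IPs, the allowlist, and the thresholds are all constructed assumptions chosen to illustrate the heuristics.

```python
"""Hunting heuristics for two Fox Kitten tool behaviours described above:
(1) chunked payload staging as a burst of .txt downloads from one external host,
(2) RDP-over-SSH tunneling, visible as outbound SSH to non-allowlisted hosts.
Example code added to this article; log format and values are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy/firewall log (not real data):
# timestamp src_ip dst_host dst_port method url
SAMPLE_LOG = """\
2020-02-18T09:00:01 10.0.5.12 203.0.113.7 80 GET http://203.0.113.7/u/p1.txt
2020-02-18T09:00:02 10.0.5.12 203.0.113.7 80 GET http://203.0.113.7/u/p2.txt
2020-02-18T09:00:03 10.0.5.12 203.0.113.7 80 GET http://203.0.113.7/u/p3.txt
2020-02-18T09:00:04 10.0.5.12 203.0.113.7 80 GET http://203.0.113.7/u/p4.txt
2020-02-18T09:00:05 10.0.5.12 203.0.113.7 80 GET http://203.0.113.7/u/p5.txt
2020-02-18T09:00:06 10.0.5.12 203.0.113.7 80 GET http://203.0.113.7/u/p6.txt
2020-02-18T09:05:00 10.0.5.12 203.0.113.7 22 CONNECT -
2020-02-18T09:10:00 10.0.5.40 intranet.example.test 80 GET http://intranet.example.test/notes.txt
2020-02-18T09:30:00 10.0.5.40 intranet.example.test 80 GET http://intranet.example.test/todo.txt
2020-02-18T10:00:00 10.0.5.40 git.example.test 22 CONNECT -
"""

# Assumed allowlist: the only destinations workstations legitimately SSH to.
ALLOWED_SSH_DESTINATIONS = {"git.example.test"}


def parse_log(text):
    """Parse the six-field log format above into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, method, url = line.split(maxsplit=5)
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                        "port": int(port), "method": method, "url": url})
    return records


def find_chunked_txt_downloads(records, min_chunks=5, window=timedelta(minutes=10)):
    """Flag (src, dst) pairs that fetch at least `min_chunks` .txt files within `window`.

    A sliding window over the sorted timestamps finds the densest burst per pair, so a
    handful of .txt fetches spread over a day (normal browsing) is not reported."""
    by_pair = defaultdict(list)
    for r in records:
        if r["method"] == "GET" and urlparse(r["url"]).path.lower().endswith(".txt"):
            by_pair[(r["src"], r["dst"])].append(r["ts"])
    findings = []
    for (src, dst), times in by_pair.items():
        times.sort()
        best, left = 0, 0
        for right in range(len(times)):
            while times[right] - times[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= min_chunks:
            findings.append({"src": src, "dst": dst, "chunks_in_window": best})
    return findings


def find_unexpected_ssh(records, allowed=ALLOWED_SSH_DESTINATIONS):
    """Flag outbound SSH (TCP/22) to any destination outside the allowlist."""
    seen = set()
    for r in records:
        if r["port"] == 22 and r["dst"] not in allowed:
            seen.add((r["src"], r["dst"]))
    return sorted(seen)


def triage(text):
    """Run both heuristics over a log text and return the findings."""
    recs = parse_log(text)
    return {"chunked_txt": find_chunked_txt_downloads(recs),
            "unexpected_ssh": find_unexpected_ssh(recs)}


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(name, hits)
```

On the constructed sample, the host 10.0.5.12 is reported twice (a six-file .txt burst from 203.0.113.7 followed minutes later by SSH to the same address), while 10.0.5.40's two intranet text files and its SSH to the allowlisted git server produce no findings. Correlating the two signals on one source host, as here, is what lifts this above a noisy single-indicator rule; the thresholds and allowlist need tuning to the environment's own baseline.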

How widespread is the campaign?

Researchers expect the campaign to become more significant in 2020 as new vulnerabilities are discovered in VPNs and other remote-access systems. This means that Iranian hackers will most likely target SonicWall SRA and SMA VPN servers in the future, as these products are affected by six vulnerabilities.