Fox Kitten
Associated Group Descriptions |
|
Name | Description |
---|---|
UNC757 | (Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020) |
Pioneer Kitten | (Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
Parisite | (Citation: Dragos PARISITE )(Citation: ClearkSky Fox Kitten February 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020) |
RUBIDIUM | (Citation: Microsoft Threat Actor Naming July 2023) |
Lemon Sandstorm | (Citation: Microsoft Threat Actor Naming July 2023) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1087 | .001 | Account Discovery: Local Account |
Fox Kitten has accessed ntuser.dat and UserClass.dat on compromised hosts.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
.002 | Account Discovery: Domain Account |
Fox Kitten has used the Softerra LDAP browser to browse documentation on service accounts.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
||
Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
Fox Kitten has used 7-Zip to archive data.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Fox Kitten has used PowerShell scripts to access credential data.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
.003 | Command and Scripting Interpreter: Windows Command Shell |
Fox Kitten has used cmd.exe likely as a password changing mechanism.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
||
Enterprise | T1136 | .001 | Create Account: Local Account |
Fox Kitten has created a local user account with administrator privileges.(Citation: ClearSky Pay2Kitten December 2020) |
Enterprise | T1555 | .005 | Credentials from Password Stores: Password Managers |
Fox Kitten has used scripts to access credential information from the KeePass database.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
Enterprise | T1213 | .005 | Data from Information Repositories: Messaging Applications |
Fox Kitten has accessed victim security and IT environments and Microsoft Teams to mine valuable information.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
Enterprise | T1585 | .001 | Establish Accounts: Social Media Accounts |
Fox Kitten has used a Twitter account to communicate with ransomware victims.(Citation: ClearSky Pay2Kitten December 2020) |
Enterprise | T1546 | .008 | Event Triggered Execution: Accessibility Features |
Fox Kitten has used sticky keys to launch a command prompt.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
Fox Kitten has named the task for a reverse proxy lpupdate to appear legitimate.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
.005 | Masquerading: Match Legitimate Name or Location |
Fox Kitten has named binaries and configuration files svhost and dllhost respectively to appear legitimate.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
||
Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
Fox Kitten has used prodump to dump credentials from LSASS.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
.003 | OS Credential Dumping: NTDS |
Fox Kitten has used Volume Shadow Copy to access credential information from NTDS.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
||
Enterprise | T1027 | .010 | Obfuscated Files or Information: Command Obfuscation |
Fox Kitten has base64 encoded scripts to avoid detection.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
.013 | Obfuscated Files or Information: Encrypted/Encoded File |
Fox Kitten has base64 encoded payloads to avoid detection.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
||
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
Fox Kitten has used RDP to log in and move laterally in the target environment.(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020) |
.002 | Remote Services: SMB/Windows Admin Shares |
Fox Kitten has used valid accounts to access SMB shares.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
||
.004 | Remote Services: SSH |
Fox Kitten has used the PuTTY and Plink tools for lateral movement.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
||
.005 | Remote Services: VNC |
Fox Kitten has installed TightVNC server and client on compromised servers and endpoints for lateral movement.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
||
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Fox Kitten has used Scheduled Tasks for persistence and to load and execute a reverse proxy binary.(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020) |
Enterprise | T1505 | .003 | Server Software Component: Web Shell |
Fox Kitten has installed web shells on compromised hosts to maintain access.(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020) |
Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
Fox Kitten has accessed files to gain valid credentials.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
Software |
|||
ID | Name | References | Techniques |
---|---|---|---|
S0508 | ngrok | (Citation: CrowdStrike PIONEER KITTEN August 2020) (Citation: Cyware Ngrok May 2019) (Citation: FireEye Maze May 2020) (Citation: MalwareBytes LazyScripter Feb 2021) (Citation: Zdnet Ngrok September 2018) | Proxy, Exfiltration Over Web Service, Domain Generation Algorithms, Web Service, Protocol Tunneling |
S0020 | China Chopper | (Citation: CISA AA20-259A Iran-Based Actor September 2020) (Citation: CISA AA21-200A APT40 July 2021) (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018) (Citation: Lee 2013) (Citation: Rapid7 HAFNIUM Mar 2021) | Password Guessing, Data from Local System, Software Packing, Windows Command Shell, Web Protocols, Ingress Tool Transfer, Network Service Discovery, Timestomp, Web Shell, File and Directory Discovery |
S0556 | Pay2Key | (Citation: Check Point Pay2Key November 2020) (Citation: ClearkSky Fox Kitten February 2020) | Internal Proxy, Asymmetric Cryptography, Service Stop, File Deletion, Non-Application Layer Protocol, System Information Discovery, Data Encrypted for Impact, System Network Configuration Discovery |
S9000 | Ngrok | (Citation: CrowdStrike PIONEER KITTEN August 2020) | Protocol Tunneling, Domain Generation Algorithms, Exfiltration Over Web Service, Proxy, Web Service |
S0029 | PsExec | (Citation: Check Point Pay2Key November 2020) (Citation: CISA AA20-259A Iran-Based Actor September 2020) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) | SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account |
References
- Orleans, A. (2020, August 31). Who Is PIONEER KITTEN?. Retrieved December 21, 2020.
- CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
- ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020.
- ClearSky. (2020, February 16). Fox Kitten – Widespread Iranian Espionage-Offensive Campaign. Retrieved December 21, 2020.
- Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.
- Dragos. (n.d.). PARISITE. Retrieved December 21, 2020.
- Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.