Fox Kitten
Associated Group Descriptions |
|
| Name | Description |
|---|---|
| UNC757 | (Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020) |
| Pioneer Kitten | (Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Parisite | (Citation: Dragos PARISITE )(Citation: ClearkSky Fox Kitten February 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .001 | Account Discovery: Local Account |
Fox Kitten has accessed ntuser.dat and UserClass.dat on compromised hosts.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| .002 | Account Discovery: Domain Account |
Fox Kitten has used the Softerra LDAP browser to browse documentation on service accounts.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
||
| Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
Fox Kitten has used 7-Zip to archive data.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Fox Kitten has used PowerShell scripts to access credential data.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
Fox Kitten has used cmd.exe likely as a password changing mechanism.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
||
| Enterprise | T1136 | .001 | Create Account: Local Account |
Fox Kitten has created a local user account with administrator privileges.(Citation: ClearSky Pay2Kitten December 2020) |
| Enterprise | T1555 | .005 | Credentials from Password Stores: Password Managers |
Fox Kitten has used scripts to access credential information from the KeePass database.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1585 | .001 | Establish Accounts: Social Media Accounts |
Fox Kitten has used a Twitter account to communicate with ransomware victims.(Citation: ClearSky Pay2Kitten December 2020) |
| Enterprise | T1546 | .008 | Event Triggered Execution: Accessibility Features |
Fox Kitten has used sticky keys to launch a command prompt.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
Fox Kitten has named the task for a reverse proxy lpupdate to appear legitimate.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| .005 | Masquerading: Match Legitimate Name or Location |
Fox Kitten has named binaries and configuration files svhost and dllhost respectively to appear legitimate.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
||
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
Fox Kitten has used prodump to dump credentials from LSASS.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| .003 | OS Credential Dumping: NTDS |
Fox Kitten has used Volume Shadow Copy to access credential information from NTDS.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
||
| Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
Fox Kitten has used RDP to log in and move laterally in the target environment.(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020) |
| .002 | Remote Services: SMB/Windows Admin Shares |
Fox Kitten has used valid accounts to access SMB shares.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
||
| .004 | Remote Services: SSH |
Fox Kitten has used the PuTTY and Plink tools for lateral movement.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
||
| .005 | Remote Services: VNC |
Fox Kitten has installed TightVNC server and client on compromised servers and endpoints for lateral movement.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
||
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Fox Kitten has used Scheduled Tasks for persistence and to load and execute a reverse proxy binary.(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020) |
| Enterprise | T1505 | .003 | Server Software Component: Web Shell |
Fox Kitten has installed web shells on compromised hosts to maintain access.(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020) |
| Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
Fox Kitten has accessed files to gain valid credentials.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
Software |
|||
| ID | Name | References | Techniques |
|---|---|---|---|
| S0020 | China Chopper | (Citation: CISA AA20-259A Iran-Based Actor September 2020) (Citation: CISA AA21-200A APT40 July 2021) (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018) (Citation: Lee 2013) | Password Guessing, Data from Local System, Software Packing, Windows Command Shell, Web Protocols, Ingress Tool Transfer, Network Service Discovery, Timestomp, Web Shell, File and Directory Discovery |
| S0556 | Pay2Key | (Citation: Check Point Pay2Key November 2020) (Citation: ClearkSky Fox Kitten February 2020) | Internal Proxy, Asymmetric Cryptography, Service Stop, File Deletion, Non-Application Layer Protocol, System Information Discovery, Data Encrypted for Impact, System Network Configuration Discovery |
| S0508 | Ngrok | (Citation: CrowdStrike PIONEER KITTEN August 2020) (Citation: Cyware Ngrok May 2019) (Citation: FireEye Maze May 2020) (Citation: MalwareBytes LazyScripter Feb 2021) (Citation: Zdnet Ngrok September 2018) | Protocol Tunneling, Domain Generation Algorithms, Exfiltration Over Web Service, Proxy, Web Service |
| S0029 | PsExec | (Citation: Check Point Pay2Key November 2020) (Citation: CISA AA20-259A Iran-Based Actor September 2020) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) | SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account |
References
- CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
- ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020.
- ClearSky. (2020, February 16). Fox Kitten – Widespread Iranian Espionage-Offensive Campaign. Retrieved December 21, 2020.
- Dragos. (n.d.). PARISITE. Retrieved December 21, 2020.
- Orleans, A. (2020, August 31). Who Is PIONEER KITTEN?. Retrieved December 21, 2020.
- Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.