Domestic Kitten Surveillance Campaign
Domestic Kitten is the name given to a spyware campaign which Check Point believes originates from within Iran and has primarily targeted Iranian citizens. The campaign operates by attempting to entice victims into downloading mobile apps which are in fact spyware. The apps Check Point analyzed were an ISIS-themed wallpaper changer, an app which provides updates from the ANF Kurdistan news agency, and a fake version of a messaging app named Vidogram.
All the apps use the same certificate, which has the email address telecom2016@yahoo.com associated with it. Once installed, the spyware is capable of gathering significant information from the victim device, which it then transfers to its C&C servers via HTTP POST requests.
Check Point reports that there may be around 240 victims of this campaign, with some 97% of the victims being Iranian citizens. The remaining victims are located in Iraq, Afghanistan and the UK.
Victims are lured into downloading applications which are believed to be of interest to them. The applications researchers discovered included an ISIS-branded wallpaper changer, “updates” from the ANF Kurdistan news agency and a fake version of the messaging app Vidogram.
Indicators of Compromise

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.