A new version of the Android malware "FurBall" has been discovered to be used by the threat actor(s) known as Domestic Kitten in a campaign targeting Iranian citizens in a mobile surveillance operation.
Domestic Kitten, also known as the APT-C-50 group, has been spying on Iranian citizens since 2016 with various campaigns targeting anti-government protestors throughout the Middle East. FurBall has been used since June 2021 to distribute a fraudulent translation app that mimics an Iranian website which provides translated articles, journals, and books.
However, this recent version of FurBall that was discovered is slightly different from what Domestic Kitten has used in the past, according to ESET malware researcher Lukas Stefanko.
This version has similar spyware functionality as before, except "the threat actors slightly obfuscated class and method names, strings, logs, and server URIs." Stefanko believes the main purpose of this update was to try to avoid detection from security software, which has not worked out too well for the threat actors.
The fake app was uploaded to VirusTotal, triggering an investigation from ESET, which detected the threat as Android/Spy.Agent.BWS.
You can see the difference between the real and fake websites in the screenshot below, with the fake on the left and real on the right:
The fake website has a button to click which says "Download the application" in Persian. Though it has the Google Play logo, the app is not available in the Google Play store and downloads directly from Domestic Kitten's server.
The sample analyzed by ESET researchers is not fully working malware; it only requests one intrusive permission, to access contacts, even though previous versions had fully functioning spyware.
Researchers believe the purpose of this could be to set up a larger spearphishing attack conducted via text messages. In its limited functionality, the app can exfiltrate contacts, get accessible files from external storage, list installed apps, obtain basic information about the device, and get device accounts (list of user accounts synced with device).
Though, Domestic Kitten could expand the app permissions, allowing it to access all sorts of things, including:
• text from clipboard
• device location
• SMS messages
• contacts
• call logs
• recorded phone calls
• text of all notifications from other apps
• device accounts
• list of files on device
• running apps
• list of installed apps
• device info
See the story from ESET's Lukas Stefanko for more information on FurBall and Domestic Kitten.
Iranian cyber actors draw international attention
Albania announced in September it would be severing all diplomatic relations with Iran after a cyberattack in July targeted the government's digital infrastructure and public services.
Prime Minister Edi Rama shared in a video message that the "heavy cyberattack" aimed to destroy critical systems, but the attack failed in its purpose. The damages were considered minimal compared to what could have been achieved by the state-sponsored threat actor.
This led the United States government, along with Australia, Canada, and the U.K., to sanction 10 individuals and two entities associated with Iran's Islamic Revolutionary Guard Corps (IRGC) for their participation in malicious cyber activity.
Follow SecureWorld News for more stories related to cybersecurity.