Colin Mc Hugo

0 %
Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

Domestic Kitten campaign spying on Iranian citizens with new FurBall malware

October 20, 2022

APT-C-50’s Residential Kittycat project proceeds, targeting Iranian residents with a brand-new variation of the FurBall malware impersonating as an Android translation application

ESET scientists just recently recognized a brand-new variation of the Android malware FurBall being utilized in a Residential Kittycat project carried out by the APT-C-50 team. The Residential Kittycat project is recognized to carry out mobile monitoring procedures versus Iranian residents as well as this brand-new FurBall variation is no various in its targeting. Given that June 2021, it has actually been dispersed as a translation application using an imitator of an Iranian web site that offers converted posts, journals, as well as publications. The destructive application was submitted to VirusTotal where it set off among our YARA policies (utilized to categorize as well as determine malware examples), which provided us the chance to examine it.

This variation of FurBall has the exact same monitoring performance as previous variations; nonetheless, the risk stars somewhat obfuscated course as well as approach names, strings, logs, as well as web server URIs. This upgrade necessary little modifications on the C&C web server too– exactly, names of server-side PHP manuscripts. Given that the performance of this variation hasn’t altered, the primary function of this upgrade seems to stay clear of discovery by safety and security software application. These alterations have actually had no result on ESET software application, nonetheless; ESET items discover this risk as Android/Spy. Agent.BWS.

The examined example demands just one invasive consent– to gain access to calls. The factor can be its goal to remain under the radar; on the various other hand, we likewise assume it could indicate it is simply the coming before stage, of a spearphishing assault carried out using sms message. If the risk star broadens the application approvals, it would certainly likewise can exfiltrating various other kinds of information from impacted phones, such as SMS messages, gadget place, tape-recorded telephone call, as well as a lot more.

Bottom line of this blogpost:

  • The Residential Kittycat project is recurring, going back to a minimum of 2016.
  • It primarily targets Iranian residents.
  • We uncovered a brand-new, obfuscated Android Furball example utilized in the project.
  • It is dispersed utilizing a copycat web site.
  • The examined example has just limited snooping performance made it possible for, to remain under the radar.

Residential Kittycat summary

The APT-C-50 team, in its Residential Kittycat project, has actually been performing mobile monitoring procedures versus Iranian residents considering that 2016, as reported by Check Point in 2018. In 2019, Trend Micro recognized a destructive project, perhaps linked to Residential Kittycat, targeting the Center East, calling the project Jumping Golf. Quickly after, in the exact same year, Qianxin reported a Residential Kittycat project once again targeting Iran. In 2020, 360 Core Security revealed monitoring tasks of Residential Kittycat targeting anti-government teams between East. The last well-known openly readily available record is from 2021 by Check Point.

FurBall– Android malware utilized in this procedure considering that these projects started– is produced based upon the business stalkerware device KidLogger. It appears that the FurBall programmers were motivated by the open-source variation from 7 years ago that is readily available on Github, as explained by Check Point.


This destructive Android application is provided using a phony web site simulating a legit website that offers posts as well as publications converted from English to Persian ( Based upon the get in touch with details from the reputable web site, they give this solution from Iran, which leads us to think with high self-confidence that the copycat web site targets Iranian residents. The function of the imitator is to provide an Android application for download after clicking a switch that states, in Persian, “Download and install the application”. The switch has the Google Play logo design, yet this application is not readily available from the Google Play shop; it is downloaded and install straight from the enemy’s web server. The application was submitted to VirusTotal where it set off among our YARA policies.

In Number 1 you can see a contrast of the phony as well as reputable internet sites.

Number 1. Phony web site (left) vs the reputable one (right)

Based Upon the last changed details that is readily available in the APK download’s open directory site on the phony web site (see Number 2), we can presume that this application has actually been readily available for download a minimum of considering that June 21 st, 2021.

Number 2. Open up directory site details for the destructive application


This example is not totally functioning malware, although all spyware performance is applied as in its previous variations. Not every one of its spyware performance can be implemented, nonetheless, due to the fact that the application is restricted by the approvals specified in its AndroidManifest.xml If the risk star broadens the application approvals, it would certainly likewise can exfiltrating:

  • message from clipboard,
  • gadget place,
  • SMS messages,
  • calls,
  • phone call logs,
  • tape-recorded telephone call,
  • message of all notices from various other applications,
  • gadget accounts,
  • checklist of documents on gadget,
  • running applications,
  • checklist of mounted applications, as well as
  • gadget information.

It can likewise get commands to take images as well as document video clip, with the outcomes being submitted to the C&C web server. The Furball alternative downloaded and install from the copycat web site can still get commands from its C&C; nonetheless, it can just do these features:

  • exfiltrate get in touch with checklist,
  • obtain obtainable documents from outside storage space,
  • checklist mounted applications,
  • get standard details regarding the gadget, as well as
  • obtain gadget accounts (checklist of customer accounts synced with gadget).

Number 3 reveals consent demands that do require to be approved by the customer. These approvals could not develop a perception of being a spyware application, particularly considered that it impersonates a translation application.

Number 3. Listing of asked for approvals

After setup, Furball makes an HTTP demand to its C&C web server every 10 secs, requesting commands to implement, as can be seen in the top panel of Number 4. The reduced panel shows a “there’s absolutely nothing to do currently” action from the C&C web server.

Number 4. Interaction with C&C web server

These most current examples have no brand-new functions applied, with the exception of the reality that the code has easy obfuscation used. Obfuscation can be identified in course names, approach names, some strings, logs, as well as web server URI courses (which would certainly likewise have actually needed little modifications on the backend). Number 5 contrasts the course names of the older Furball variation as well as the brand-new variation, with obfuscation.

Number 5. Contrast of course names of the older variation (left) as well as brand-new variation (right)

Number 6 as well as Number 7 show the earlier sendPost as well as brand-new sndPst features, highlighting the modifications that this obfuscation demands.

Number 6. Older non-obfuscated variation of code

Number 7. The current code obfuscation

These primary modifications, because of this easy obfuscation, led to less discoveries on VirusTotal. We contrasted the discovery prices of the example uncovered by Check Point from February 2021 (Number 8) with the obfuscated variation readily available considering that June 2021 (Number 9).

Number 8. Non-obfuscated variation of the malware identified by 28/64 engines

Number 9. Obfuscated variation of the malware identified by 4/63 engines when very first submitted to VirusTotal


The Residential Kittycat project is still energetic, utilizing copycat internet sites to target Iranian residents. The driver’s objective has actually altered somewhat from dispersing full-featured Android spyware to a lighter variation, as explained over. It demands just one invasive consent– to gain access to calls– more than likely to remain under the radar as well as not to bring in the uncertainty of possible sufferers throughout the setup procedure. This likewise could be the initial stage of collecting calls that can by complied with by spearphishing using sms message.

Besides minimizing its energetic application performance, the malware authors attempted to reduce the variety of discoveries by applying an easy code obfuscation system to conceal their intensions from mobile safety and security software application.


SHA-1 Bundle Call ESET discovery name Summary
BF482E86D512DA46126F0E61733BCA4352620176 com.getdoc.freepaaper.dissertation Android/Spy. Agent.BWS Malware posing سرای مقاله (translation: Post Home) application.

MITRE ATT&CK methods

This table was constructed utilizing version 10 of the ATT&CK structure.

Method ID Call Summary
First Accessibility T1476 Supply Destructive Application using Various Other Method FurBall is provided using straight download web links behind phony Google Play switches.
T1444 Pose as Legitimate Application Copycat web site offers web links to download and install FurBall.
Perseverance T1402 Program Receivers FurBall gets the BOOT_COMPLETED program intent to turn on at gadget start-up.
Exploration T1418 Application Exploration FurBall can get a listing of mounted applications.
T1426 System Info Exploration FurBall can remove details regarding the gadget consisting of gadget kind, OS variation, as well as distinct ID.
Collection T1432 Accessibility Get In Touch With Listing FurBall can remove the target’s get in touch with checklist.
T1533 Information from Regional System FurBall can remove obtainable documents from outside storage space.
Command as well as Control T1436 Frequently Utilized Port FurBall interacts with C&C web server utilizing HTTP method.
Exfiltration T1437 Typical Application Layer Procedure FurBall exfiltrates gathered information over conventional HTTP method.
Posted in SecurityTags:
Write a comment