Domestic Kitten

Description

(Check Point) Recent investigations by Check Point researchers reveal an extensive and targeted attack that has been taking place since 2016 and, until now, has remained under the radar due to the artful deception of its attackers towards their targets. Through the use of mobile applications, those behind the attack use fake decoy content to entice their victims to download such applications, which are in fact loaded with spyware, to then collect sensitive information about them. Interestingly, these targets include Kurdish and Turkish natives and ISIS supporters. Most interesting of all, though, is that all these targets are actually Iranians citizens.

Considering the nature of the target, the data collected about these groups provides those behind the campaign with highly valuable information that will no doubt be leveraged in further future action against them. Indeed, the malware collects data including contact lists stored on the victim’s mobile device, phone call records, SMS messages, browser history and bookmarks, geo-location of the victim, photos, surrounding voice recordings and more.

The targets are Kurdish and Turkish natives and ISIS supporters.

Names

Name	Name-Giver
Domestic Kitten	Check Point
APT-C-50	Check Point
Bouncing Golf	Trend Micro

Country

• Iran

Sponsor

State-sponsored

Motivation

• Information theft and espionage

First Seen

2016

Observed Countries

• Afghanistan
• Iran
• Iraq
• Pakistan
• Turkey
• UK
• USA
• Uzbekistan

Tools

• FurBall
• GolfSpy

Operations

• 2019-06: Mobile Campaign ‘Bouncing Golf’ Affects Middle East https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html
• 2020-11: This operation consists of 10 unique campaigns, which have targeted over 1,200 individuals with more than 600 successful infections. It includes 4 currently active campaigns, the most recent of which began in November 2020. https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/
• 2022-10: Domestic Kitten campaign spying on Iranian citizens with new FurBall malware https://www.welivesecurity.com/2022/10/20/domestic-kitten-campaign-spying-iranian-citizens-furball-malware/

Information

• https://research.checkpoint.com/domestic-kitten-an-iranian-surveillance-operation/

Mitre Attack

• https://attack.mitre.org/groups/G0097/

Other Information

Uuid

624ad02b-d8c3-4873-93a4-28d9811b55d5

Last Card Change

2022-12-31