Fox Kitten

Introduction

Fox Kitten is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering. ClearkSky Fox Kitten February 2020 CrowdStrike PIONEER KITTEN August 2020 Dragos PARISITE ClearSky Pay2Kitten December 2020

Activities and Tactics

Country of Origin: 🇮🇷 Iran

Notable Campaigns

• Pay2Key

Tactics, Techniques, and Procedures (TTPs)

• T1105 Ingress Tool Transfer
• T1059 Command and Scripting Interpreter
• T1530 Data from Cloud Storage
• T1018 Remote System Discovery
• T1110 Brute Force
• T1210 Exploitation of Remote Services
• T1136.001 Local Account
• T1560.001 Archive via Utility
• T1027.010 Command Obfuscation
• T1005 Data from Local System
• T1585 Establish Accounts
• T1021.005 VNC
• T1552.001 Credentials In Files
• T1217 Browser Information Discovery
• T1059.003 Windows Command Shell
• T1027.013 Encrypted/Encoded File
• T1213.005 Messaging Applications
• T1021.002 SMB/Windows Admin Shares
• T1190 Exploit Public-Facing Application
• T1555.005 Password Managers
• T1003.003 NTDS
• T1087.001 Local Account
• T1087.002 Domain Account
• T1021.004 SSH
• T1505.003 Web Shell
• T1053.005 Scheduled Task
• T1036.004 Masquerade Task or Service
• T1003.001 LSASS Memory
• T1090 Proxy
• T1012 Query Registry
• T1572 Protocol Tunneling
• T1021.001 Remote Desktop Protocol
• T1102 Web Service
• T1039 Data from Network Shared Drive
• T1078 Valid Accounts
• T1046 Network Service Discovery
• T1546.008 Accessibility Features
• T1585.001 Social Media Accounts
• T1036.005 Match Legitimate Resource Name or Location
• T1059.001 PowerShell
• T1083 File and Directory Discovery

Ransomware Vulnerability Matrix observations

ATT&CK technique IDs (denormalized)

• T1003.001
• T1003.003
• T1005
• T1012
• T1018
• T1021.001
• T1021.002
• T1021.004
• T1021.005
• T1027.010
• T1027.013
• T1036.004
• T1036.005
• T1039
• T1046
• T1053.005
• T1059
• T1059.001
• T1059.003
• T1078
• T1083
• T1087.001
• T1087.002
• T1090
• T1102
• T1105
• T1110
• T1136.001
• T1190
• T1210
• T1213.005
• T1217
• T1505.003
• T1530
• T1546.008
• T1552.001
• T1555.005
• T1560.001
• T1572
• T1585
• T1585.001

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

• SSHNET:
• Juicy Potato:
• Port:
• STSRCHECK:
• LPManager:
• Invoke-SMBClient:
• Invoke-SMBEnum:
• Invoke-SMBExec:
• Invoke-TheHash:
• Invoke-WMIExec:
• SOCKET-Based Backdoor:
• Ngrok:
• Pay2Key ransomware:
• FRPC:

MITRE ATT&CK Software

• China Chopper (S0020) — malware
• Pay2Key (S0556) — malware
• ngrok (S0508) — tool
• PsExec (S0029) — tool
• SystemBC (S9001) — malware

Attribution and Evidence

Country of Origin: Iran Additional attribution information pending cataloguing.

References

[1] mitre-attack [7] CISA AA20-259A Iran-Based Actor September 2020 CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. [8] ClearSky Pay2Kitten December 2020 ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020. [9] ClearkSky Fox Kitten February 2020 ClearSky. (2020, February 16). Fox Kitten – Widespread Iranian Espionage-Offensive Campaign. Retrieved December 21, 2020. [10] Dragos PARISITE Dragos. (n.d.). PARISITE. Retrieved December 21, 2020. [11] Microsoft Threat Actor Naming July 2023 Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. [12] CrowdStrike PIONEER KITTEN August 2020 Orleans, A. (2020, August 31). Who Is PIONEER KITTEN?. Retrieved December 21, 2020.