📃Title: Fox Kitten – Widespread Iranian Espionage-Offensive Campaign
📅Date: 2020-02-16
🔗References:

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • threat-actor Fox-Kitten
  • target-information=“Australia”
  • target-information=“Austria”
  • target-information=“Finland”
  • target-information=“France”
  • target-information=“Germany”
  • target-information=“Hungary”
  • target-information=“Israel”
  • target-information=“Italy”
  • target-information=“Kuwait”
  • target-information=“Lebanon”
  • target-information=“Malaysia”
  • target-information=“Poland”
  • target-information=“Saudi Arabia”
  • target-information=“United Arab Emirates”
  • target-information=“United States”
  • malpedia=“JuicyPotato”
  • mitre-enterprise-attack-tool=“Mimikatz - S0002”
  • mitre-tool=“Mimikatz - S0002”
  • country=“iran”
  • mitre-attack-pattern=[‘T1136’, ‘T1081’, ‘T1094’, ‘T1002’, ‘T1074’, ‘T1068’, ‘T1133’, ‘T1105’, ‘T1046’, ‘T1075’, ‘T1086’, ‘T1090’, ‘T1076’, ‘T1021’, ‘T1064’, ‘T1065’, ‘T1102’, ‘T1100’, ‘T1059’, ‘T1003’]

MISP event uuid: 7463105c-9e41-4f9e-af45-eab5b7b3ef96

Indicators of Compromise (IoCs)


Full IoCs are available in Rectifyq's MISP.