FurBall Malware

FurBall Malware Description

The FurBall Malware has been observed as part of the latest attack operations of the Advanced Persistent Threat (APT) group Domestic Kitten, also known as APT-50 and APT-C-50. The hackers from Domestic Kitten are believed to be sponsored by the Iranian government and have been active since at least 2018. The group appears to be going after Iranian dissidents or 'citizens that could pose a threat to the stability of the Iranian regime,' as described by the researchers who monitor the operations of Domestic Kitten. The targeted individuals can include journalists, lawyers, and civil rights activists. Victims of the group have been detected in multiple countries across the globe: Iran, the US, the UK, Pakistan, Afghanistan, Turkey and Uzbekistan.

In its latest campaign, Domestic Kitten deploys a malware threat named FurBall Malware. It is capable of recording calls and other background sounds, accessing the GPS location of the breached device, collecting the device identifier, and harvesting text messages, call logs, media files, photos and videos. The capabilities of the threat also include collecting files from external storage locations.

Analysis of FurBall Malware's code shows that the threat was built by borrowing heavily from a commercially available monitoring application called KidLogger. The extensive similarities suggest that the hackers either managed to obtain the source code of the application or invested significant effort in reverse-engineering it. Domestic Kitten removed the features that didn't align with its malicious purposes and then added new functionality in their place.

The threat was delivered through several different methods. The hackers employed phishing tactics, Telegram channels, Iranian websites, and even SMS messages containing a link to the FurBall Malware. In turn, the threat itself attempts to avoid raising suspicion by pretending to be a 'VIPRE' mobile security application or by assuming the identity of legitimate applications available on the Google Play store, such as mobile games, wallpaper applications, restaurant services, etc.