Rampant Kitten – An Iranian Espionage Campaign
By lotemf
Published: 2020-09-18 · Archived: 2026-04-11 02:22:09 UTC
Introduction
Check Point Research unraveled an ongoing surveillance operation by Iranian entities that has been targeting
Iranian expats and dissidents for years. While some individual sightings of this attack were previously reported by
other researchers and journalists, our investigation allowed us to connect the different campaigns and attribute
them to the same attackers.
Among the different attack vectors we found were:
Four variants of Windows infostealers intended to steal the victim’s personal documents as well as access
to their Telegram Desktop and KeePass account information
Android backdoor that extracts two-factor authentication codes from SMS messages, records the phone’s
voice surroundings and more
Telegram phishing pages, distributed using fake Telegram service accounts
The above tools and methods appear to be mainly used against Iranian minorities, anti-regime
organizations and resistance movements such as:
Association of Families of Camp Ashraf and Liberty Residents (AFALR)
Azerbaijan National Resistance Organization
Balochistan people
Table of Contents
Initial Infection
Infection Chain
Payload Analysis
Telegram Structure Basics
Configuration
C&C Communication
Persistence
Infrastructure and Connections
Android Backdoor
Telegram Phishing
Payload Delivery
Possible Additional Delivery Vectors
Attribution
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 1 of 59
Attack Origin
Political Targeting
Conclusion
Technical Appendix
PC Backdoor Variants Analysis
TelB Variant
TelAndExt Variant
Python Info-stealer Variant
HookInjEx Variant
Android Backdoor Analysis
Indicators of Compromise
Initial Infection
We first encountered a document with the name شورشی_کانونهای_گسرتش_از_رژیم_وحشت.docx , which roughly
translates to The Regime Fears the Spread of the Revolutionary Cannons.docx . The title of the document was
in fact referring to the ongoing struggle between the Iranian regime and the Revolutionary Cannons, a Mujahedin-e Khalq movement.
Mujahedin-e Khalq, or The People’s Mujahedin of Iran, is an anti-regime organization whose aim is to free Iran
from its current leadership. In 1986, Mujahedin-e Khalq (MEK) started building their new headquarters, which
later became known as Camp Ashraf, near the Iraqi town of Khalis. However, years of political tension in Iraq
eventually led to the transfer of the camp’s residents to a new, remote, and unlikely destination: Albania.
The above document leverages the external template technique, allowing it to load a document template from a
remote server, which in this case was afalr-sharepoint[.]com .
Figure 1: Remote template
Curious by this website, we set out to discover more about it. At first, we found a handful of tweets from accounts
opposing the Iranian regime mentioning a very similar SharePoint site, which the website in the document was
likely impersonating:
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 2 of 59
Figure 2: Tweets mentioning similar website
Figure 3: AFALR’s official website
Infection Chain
After the victim opens the document and the remote template is downloaded, the malicious macro code in the
template executes a batch script which tries to download and execute the next stage payload from afalr-sharepoint[.]com :
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 3 of 59
Figure 4: Infection chain
The payload then checks if Telegram is installed on the infected machine, and if so it proceeds to extract three
additional executables from its resources:
BOBC3953C59DA7870 – Loader, executed by RunDLL , injects the main payload into explorer.exe
CO9D5A739B85C37C1 – Infostealer payload
Updater.exe – Modified Telegram updater
Payload Analysis
The main features of the malware include:
Information Stealer
Uploads relevant Telegram files from victim’s computer. These files allow the attackers to make full
usage of the victim’s Telegram account
Steals information from KeePass application
Uploads any file it could find which ends with pre-defined extensions
Logs clipboard data and takes desktop screenshots
Module Downloader
Downloads and installs several additional modules.
Unique Persistence
Implements a persistence mechanism based on Telegram’s internal update procedure
Telegram structure basics
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 4 of 59
First, let us review how Telegram Desktop organizes its files. The following is an ordinary Telegram file structure
which can normally be found at %APPDATA%\Roaming\Telegram Desktop .
Figure 5: Telegram Desktop directory structure
As explained above, several files are dropped to the Telegram working directory during the infection chain. The
dropped files are in a directory named 03A4B68E98C17164s , which looks like a file at first glance because of a
custom Desktop.ini file, but it is actually a directory.
Figure 6: Infected Telegram Desktop directory
Configuration
One of payload’s resources contains encoded configuration data.
The encoding scheme uses the regular Base64 algorithm but with a custom index table:
eBaEFGHOQRS789TUYZdCfPbDIJ+/KLMNwxyzquv0op123VWXghijmnkl45rst6Ac .
Decoding that resource gives us the following configuration:
Key Value
AES encryption
key
ssher54276@@5!!
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 5 of 59
File suffixes .txt;.csv;.kdbx;.xls;.xlsx;.ppt;.pptx;
SOAP username 9BEF4B32-0D40-4A92-9E35-6094B8AA8B58
SOAP password D5F69342-A3CC-438F-B3B6-5E7BF6B6E327
Main C&C
hxxps://www.afalr-sharepoint[.]com/B6D9E741-DFE3-4470-9174-
C95FB2B958AD/TelBService.asmx
Backup C&C
hxxps://www.afalr-onedrive[.]com/B6D9E741-DFE3-4470-9174-
C95FB2B958AD/TelBService.asmx
C&C Communication
The malware uses SOAP for its communication purposes. SOAP is a simple XML-based data structure for web-service communication. The API in SOAP web-services is public and can be observed by accessing the website
from a browser:
Figure 7: SOAP API in C&C website
The messages (commands) can be divided into the following categories:
Authentication:
HelloWorld – Authentication message
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 6 of 59
Module Downloader:
DownloadFileSize – Checks whether a module should be downloaded
DownloadFile – Downloads a module from the remote server
Data Exfiltration:
UploadFileExist – Checks whether a specific victim file has been uploaded
UploadFile – Uploads a specific victim file
Authentication
The first message for a valid communication tunnel should be HelloWorld , which implements a simple
Username/Password authentication. The credentials are hard-coded in the sample, and the SOAP response for that
message contains a session ID which must be used for the remainder of the session.
Module Downloader
The program tries fetching updates for its current modules and also download several additional modules.
Some of the additional missing modules that could not be fetched:
D07C9D5A79B85C331.dll
EO333A57C7C97CDF1
EO3A7C3397CDF57C1
Data Exfiltration
The core functionality of the malware is to steal as much information as it can from the target device. The payload
targets two main applications: Telegram Desktop and KeePass, the famous password manager.
Once the relevant Telegram Desktop and KeePass files have been uploaded, the malware enumerates any relevant
file it can find on the victim’s computer which has one of the following extensions:
.txt;.csv;.kdbx;.xls;.xlsx;.ppt;.pptx; . For each such file, the malware then uploads it after encoding the
file to base64.
Persistence
The malware uses a unique persistence method which is tied to the Telegram update procedure.
Periodically, it copies the Telegram main executable into Telegram Desktop\tupdates , which triggers an update
procedure for the Telegram application once it starts. The hidden trick of the malware’s persistence method is
changing the default Telegram updater file – Telegram Desktop\Updater.exe , with one of its dropped payloads
(more specifically – CO79B3A985C5C7D30 ). The most notable changed feature of that updater is running the
payload again:
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 7 of 59
Figure 8: Telegram updater runs the main payload
Infrastructure and Connections
After analyzing the payload we were able to find multiple variants that date back to 2014, indicating that this
attack has been in the making for years.
Malware variants developed by the same attackers often have minor differences between them, especially if they
are used around the same time frame. In this case however, we noticed that while some of the variants were used
simultaneously, they were written in different programming languages, utilized multiple communication protocols
and were not always stealing the same kind of information.
In the table below, we list the variants we identified and highlight their unique characteristics. Please refer to the
Technical Appendix below, for a deep dive information regarding each variant.
Name Artifacts Dates
Malicious
Activity
Properties
TelB
Variant
KeePassOnlineCreator.exe
BOBC3953C59DA7870
CO9D5A739B85C37C1
CO79B3A985C5C7D30
D07C9D5A79B85C331.dll
EO333A57C7C97CDF1
EO3A7C3397CDF57C1
June 2020
– July 2020
Telegram-focused
infostealer
SOAP. Delphi
64bit payload.
Persistence
through
Telegram
updater.
TelAndExt
Variant
TelegramUpdater.exe
TelegramUpdater2.exe
TelegramUpdater3.exe
TelegramUpdater.dll Updater.exe
May 2019
– February
2020
Telegram-focused
infostealer
FTP . Delphi
32bit payload.
Persistence
through
Telegram
updater.
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 8 of 59
Python
Info Stealer
keyboard-EN.exe
speaker-audio.exe
audio-driver.exe
February
2018 –
January
2020
Focused on –
Telegram,
Chrome,
Firefox, Edge,
Paltalk NG Data
Exfiltration via
FTP
FTP. Python
(Pyinstaller)
HookInjEx
Variant
DrvUpdt.exe / ehtmlh.exe
DrvUpdtd.dll / dhtmlh.dll
CapDev.exe / rregg.exe uflScan.exe
December
2014 –
May 2020
Infostealer
(Browsers,
audio,
keylogging and
clipboard)
FTP. C++
The related samples also revealed more C&C servers, and looking up their passive DNS information and
additional metadata led us to similar domains that were operated by the same attackers. As it turns out, some of
the domains appeared in malicious Android applications and phishing pages, exposing more layers of this
operation:
Figure 9: Maltego graph of the malicious infrastructure
Android Backdoor
During our investigation we also uncovered a malicious Android application tied to the same threat actors. The
application masquerades as a service to help Persian speakers in Sweden get their driver’s license.
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 9 of 59
We have located two different variants of the same application, one which appears to be compiled for testing
purposes, and the other is the release version, to be deployed on a target’s device.
Figure 10: Android application’s main interface
This Android backdoor contains the following features:
Steal existing SMS messages
Forward two-factor authentication SMS messages to a phone number provided by the attacker-controlled
C&C server
Retrieve personal information like contacts and accounts details
Initiate a voice recording of the phone’s surroundings
Perform Google account phishing
Retrieve device information such as installed applications and running processes
For a deep dive information regarding this application, please refer to the Technical Appendix below.
Telegram Phishing
The backdoors were not the only way in which the attackers tried to steal information about Telegram accounts.
Some of the websites that were related to this malicious activity also hosted phishing pages impersonating
Telegram:
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 10 of 59
Figure 11: Telegram phishing page
What was surprising is that several Iranian Telegram channels have actually sent out warnings against those
phishing websites, and claimed that the Iranian regime is behind them.
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 11 of 59
Figure 12: Translated message warning against phishing attempts
According to the channels, the phishing messages were sent by a Telegram bot. The messages warned their
recipient that they were making an improper use of Telegram’s services, and that their account will be blocked if
they do not enter the phishing link.
Figure 13: Phishing message content
Another Telegram channel provided screenshots of the phishing attempt showing that the attackers set up an
account impersonating the official Telegram one. At first, the attackers sent a message about the features in a new
Telegram update to appear legitimate. The phishing message was sent only five days later, and pointed to
http://telegramreport[.]me/active (same domain as in figure 11 above).
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 12 of 59
Figure 14: Phishing message sent from fake Telegram account
Payload Delivery
Although in some cases we were unable to determine how the malicious files reached the victims, we gathered
some potential clues about the ways the attackers distributed their malware. For example, accessing
mailgoogle[.]info shows that it impersonates ozvdarozv[.]com and promotes a software to increase the
number of members in Telegram channels.
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 13 of 59
Figure 15: mailgoogle[.]info download page
But after clicking on “Download”, a password-protected archive called Ozvdarozv-Windows.rar is downloaded,
containing one of the malware variants.
Possible Additional Delivery Vectors
A removed blog entry from 2018 accused a cyber-security expert of plagiarism when he was interviewed by
AlArabiya news channel to discuss Iranian cyber-attacks.
We believe this page was created as part of a targeted attack against this person or his associates.
The blog included a link to download a password-protected archive containing evidence of the plagiarism from
endupload[.]com .
endupload[.]com is connected to both the PC and the Android operations mentioned above via several passive
DNS hops, including a direct connection via historic DNS server information to the domain mailgoogle[.]info
we described above. Not only did we not find any instance of it being used in a legitimate context, we also found
evidence of the domain being registered by a Persian speaking hacker. (See “attribution” section below)
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 14 of 59
Figure 16: Removed blog post with link to endupload[.]com
A different blog entry from 2012 discusses a human rights violations report by HRANA, a news agency affiliated
with the Iranian Association of Human Rights Activists. Once again, this blog refers to a document that can be
downloaded from endupload[.]com :
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 15 of 59
Figure 17: Blog post with link to endupload[.]com
Unfortunately, we were unable to get our hands on the files both blog entries were referring to, and could not
confirm that they were indeed malicious. However, it appears that endupload[.]com has been controlled by the
attackers for years, as some of the malicious samples related to this attack and dating back to 2014 communicated
with this website.
Attribution
Although we found many files and websites that were used over the years in this attack, they were not attributed to
a specific threat group or entity. Nevertheless, some of the fingerprints that the threat actors left in the malicious
artifacts allowed us to gain a better understanding of where the attack might be coming from.
Attack Origin
To begin with, the WHOIS information of some of the malicious websites revealed that they were supposedly
registered by Iranian individuals:
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 16 of 59
Figure 18: WHOIS information of endupload[.]com and picfile[.]net
The WHOIS records for endupload[.]com also mentioned an e-mail address, nobody.gu3st@gmail[.]com .
Apparently, the website’s registrant was very active online, because looking up the username “nobody.gu3st” led
us to many posts in Iranian hacking forums:
Figure 19: Translated post by nobody.gu3st
Political Targeting
The list of targets we observed reflects some of the internal struggles in Iran and the motives behind this attack.
The handpicked targets included supporters of Mujahedin-e Khalq and the Azerbaijan National Resistance
Organization, two prominent resistance movements that advocate the liberation of Iranian people and minorities
within Iran.
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 17 of 59
Figure 20: Mujahedin-e Khalq and Azerbaijan National Resistance Organization logos
The conflict of ideologies between those movements and the Iranian authorities makes them a natural target for
such an attack, as they align with the political targeting of the regime.
In addition, the backdoor’s functionality and the emphasis on stealing sensitive documents and accessing KeePass
and Telegram accounts shows that the attackers were interested in collecting intelligence about those victims, and
learning more about their activities.
Conclusion
Following the tracks of this attack revealed a large-scale operation that has largely managed to remain under the
radar for at least six years. According to the evidence we gathered, the threat actors, who appear to be operating
from Iran, take advantage of multiple attack vectors to spy on their victims, attacking victims’ personal computers
and mobile devices.
Since most of the targets we identified are Iranians, it appears that similarly to other attacks attributed to the
Islamic Republic, this might be yet another case in which Iranian threat actors are collecting intelligence on
potential opponents to the regiment.
SandBlast Mobile provides real-time threat intelligence and visibility into mobile threats, protecting from
malware, phishing, Man-in-the-Middle attacks, OS exploits, and more.
Check Point’s anti-phishing solutions include products that address all of the attack vectors from which phishing
attacks come – email, mobile, endpoint and network.
Technical Appendix
PC Backdoor Variants Analysis
TelB Variant
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 18 of 59
“TelB” is the latest variant we encountered, and its analysis shown above. We named it as such because of the next
debug string: D:\Aslan\Delphi\TelB\BMainWork\SynCryptoEN.pas .
TelAndExt Variant
This variant is probably the older version of “TelB”, and has been active mostly during 2019 and 2020. It shares
the following properties and techniques with the newer versions:
Developed in Delphi
Shares a great amount of code with the “TelB” variant
Focuses on the Telegram Desktop application
Similar persistence and update methods
Uses FTP instead of SOAP for data exfiltration
We named this variant “TelAndExt” because of the next debug string:
D:\Aslan\Delphi\TelAndExt\TelegramUpdater\SynCryptoEN.pas
Python Info-stealer Variant Analysis
We discovered several samples which use the following methods:
Two-layer SFX (self-extracted archive) which extract several .bat/.vbs/.nfs/.conf files.
Persistence method by copying the executable (ends with .nfs ) to
%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\audio-driver.exe
Executable name is speaker-audio.exe or keyboard-EN.exe , depending on the sample.
The executable was created with Pyinstaller.
Downloads a second-stage payload under the name of net-update.exe
Before being uploaded, the data is encrypted using library pyAesCrypt with a hard-coded password.
Info stealing
According to our analysis, the script communicates with an FTP server using hard-coded credentials, and steals
the following data:
Telegram Desktop application related files.
Paltalk NG application related files.
Chrome, Firefox and Edge related data.
Any file which ends with extensions listed in a given configuration. If no configuration is given, it searches
for files with the following extensions: .txt;.docx;.doc;.exe;.jpg;.html;.zip;.pdf
Operation
During our investigation, we saw several Python info-stealers that communicate with the same FTP server, but
store the stolen information in different pages under different aliases.
We suspect this is how the malware authors operate:
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 19 of 59
Choose a target, and create a designated folder in the FTP server for them.
Build a sample customized for the target, with a unique AES key and FTP credentials for information
uploading.
Deliver the weaponized executable via one of the infection chain vectors.
Second-stage Payload – HookInjEx
One of its core functionalities is fetching a second-stage payload. If the designated FTP folder contains a file
named net-update.exe , then it downloads and executes it.
We analyzed few of those net-update.exe samples and found a complete overlap with the “HookInjEx” variant
below, making it a targeted advanced payload.
HookInjEx Variant
This variant has been in use since 2014, and has 32-bit and 64-bit versions. Over time, the variant evolved and
added some features while also changed the names of the different components in its infection chain.
Infection Chain
We found two main types of infection chains:
1. SFX (self-extracting archive) which contains all the components. It drops all of them into a folder and then
executes the main loader – DrvUpdt.exe ( ehtmlh.exe in older versions).
2. Fake SCR file that is functioning as an executable. In order to look like a legitimate SCR file, the loader
contains a decoy – a JPEG/PPTX/DOC file as a resource ( Resource_1 ), which is loaded upon running.
The SCR file also drops other payloads as its resources, and runs the main loader with the command line:
cmd.exe /C choice /C Y /N /D Y /T 3 & "%APPDATA%\\Microsoft\\Windows\\Device\\DrvUpdt.exe" -
pSDF32fsj8979_)$
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 20 of 59
Figure 21: Malicious SCR opens decoy JPG resource
Hooking and Injection
The main loader uses the hooking and injection method called “HookInjEx”. That method maps a DLL into
explorer.exe , where it subclasses the Start button. In our case, the loaded DLL is DrvUpdtd.dll
( dhtmlh.dll in older versions).
In newer versions, the malware also hooks the Start button in other languages as well. The existence of
different languages probably shows that it has victims from countries all around the world. The different
translations are:
Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
Start - English
başlat - Turkish
開始 - Chinese
Sākt - Latvian
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 21 of 59
Arabic - ابدأ
Iniciar - Spanish
Käynnistä - Finish
Hebrew - התחל
スタート - Japanese
Štart - Slovakian
Pradėti - Lithuanian
Pokreni - Bosnian
เริ่ม - Thai
Έναρξη - Greece
Démarrer - French
Старт - Bulgarian
Запустити - Ukrainian
시작 - Korean
Start - English başlat - Turkish 開始 - Chinese Sākt - Latvian ابدأ - Arabic Iniciar - Spanish Käynnistä - Finish
התחל - Hebrew スタート - Japanese Štart - Slovakian Pradėti - Lithuanian Pokreni - Bosnian เริ่ม - Thai Έναρξη
- Greece Démarrer - French Старт - Bulgarian Запустити - Ukrainian 시작 - Korean
Start - English
başlat - Turkish
開始 - Chinese
Sākt - Latvian
Arabic - ابدأ
Iniciar - Spanish
Käynnistä - Finish
Hebrew - התחל
スタート - Japanese
Štart - Slovakian
Pradėti - Lithuanian
Pokreni - Bosnian
เริ่ม - Thai
Έναρξη - Greece
Démarrer - French
Старт - Bulgarian
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 22 of 59
Запустити - Ukrainian
시작 - Korean
Configuration
The malware receives its configuration from a file named Devinf.asd (in older versions it was named
file2.asd ). The configuration is decrypted and written into a new file named Drvcnf.asd (in older version it
named file3.asd ). The encryption method is:
Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
def decode(content):
dec_array = [0, 1, 2, 3, 4, 5, 6, 7, 8, 0xe, 0xf, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
0x1a,0x1b, 0x1c, 0x1d, 0x1e, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d,
0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39,0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
0x40, 0x41, 0x42, 0x43, 0x44]
output_str = ''
known_values = [9, 10, 13, 32]
for j in range(len(content)):
int_cur_content = ord(content[j])
cur_byte = 0
for i in range(62):
if int_cur_content == dec_array[i]:
if i < 26:
cur_byte = i + 0x61
elif 26 <= i < 52:
cur_byte = i + 0x27
elif 52 <= i < 62:
cur_byte = i - 0x4
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 23 of 59
output_str += (chr(cur_byte))
break
if cur_byte == 0:
if int_cur_content in known_values:
cur_byte = int_cur_content
elif int_cur_content - 0x61 <= 0xe:
cur_byte = int_cur_content - 0x40
elif int_cur_content - 0x70 <= 0x6:
cur_byte = int_cur_content - 0x36
elif int_cur_content - 0x77 <= 0x5:
cur_byte = int_cur_content - 0x1c
elif int_cur_content - 0x53 <= 0x3:
cur_byte = int_cur_content + 0x28
output_str += (chr(cur_byte))
return output_str
def decode(content): dec_array = [0, 1, 2, 3, 4, 5, 6, 7, 8, 0xe, 0xf, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16,
0x17, 0x18, 0x19, 0x1a,0x1b, 0x1c, 0x1d, 0x1e, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a,
0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39,0x3a, 0x3b, 0x3c,
0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44] output_str = '' known_values = [9, 10, 13, 32] for j in
range(len(content)): int_cur_content = ord(content[j]) cur_byte = 0 for i in range(62): if int_cur_content ==
dec_array[i]: if i < 26: cur_byte = i + 0x61 elif 26 <= i < 52: cur_byte = i + 0x27 elif 52 <= i < 62: cur_byte = i -
0x4 output_str += (chr(cur_byte)) break if cur_byte == 0: if int_cur_content in known_values: cur_byte =
int_cur_content elif int_cur_content - 0x61 <= 0xe: cur_byte = int_cur_content - 0x40 elif int_cur_content - 0x70
<= 0x6: cur_byte = int_cur_content - 0x36 elif int_cur_content - 0x77 <= 0x5: cur_byte = int_cur_content - 0x1c
elif int_cur_content - 0x53 <= 0x3: cur_byte = int_cur_content + 0x28 output_str += (chr(cur_byte)) return
output_str
def decode(content):
dec_array = [0, 1, 2, 3, 4, 5, 6, 7, 8, 0xe, 0xf, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
output_str = ''
known_values = [9, 10, 13, 32]
for j in range(len(content)):
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 24 of 59
int_cur_content = ord(content[j])
cur_byte = 0
for i in range(62):
if int_cur_content == dec_array[i]:
if i < 26:
cur_byte = i + 0x61
elif 26 <= i < 52:
cur_byte = i + 0x27
elif 52 <= i < 62:
cur_byte = i - 0x4
output_str += (chr(cur_byte))
break
if cur_byte == 0:
if int_cur_content in known_values:
cur_byte = int_cur_content
elif int_cur_content - 0x61 <= 0xe:
cur_byte = int_cur_content - 0x40
elif int_cur_content - 0x70 <= 0x6:
cur_byte = int_cur_content - 0x36
elif int_cur_content - 0x77 <= 0x5:
cur_byte = int_cur_content - 0x1c
elif int_cur_content - 0x53 <= 0x3:
cur_byte = int_cur_content + 0x28
output_str += (chr(cur_byte))
return output_str
After the configuration is decrypted, the malware parses the values and puts them in global variables.
Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
- Registry key for persistence
- pre value for info files to send
- extensions for info files to send
- log path direcory
- minimum size for file to send
- FTP domain
- FTP User value
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 25 of 59
- FTP Password value
- version
- Downloads updates URL
- Downloads updates URL
- Directory in ftp connection.
- timer_1
- timer_2
- timer_3
- Downloads updates URL
- value for encryption method to files
- value for encryption method to files
- Fake name
- Value to choose name template for info files to send.
- flag for exeucting again from different place.
- WHOIS first URL
- WHOIS second URL
- WHOIS third URL
- value to download using computer-name and username
- Opera gather data flag
- Firefox gather data flag
- Chrome gather data flag
- WHOIS flag
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 26 of 59
- tracert flag
- number of tries
- clipboard data flag of CF_HDROP (CLB-f.jpg)
- clipboard data flag of text, unicode, oemtext and locale (clb-t.jpg)
- clipboard data flag of bitmap and dib (clb-p.jpg)
- Registry key for persistence - pre value for info files to send -
extensions for info files to send - log path direcory - minimum size for
file to send - FTP domain - FTP User value - FTP Password value
- version - Downloads updates URL - Downloads updates URL
- Directory in ftp connection. - timer_1 - timer_2 -
timer_3 - Downloads updates URL - value for encryption method to files
- value for encryption method to files - Fake name
- Value to choose name template for info files to send. - flag for exeucting again from
different place. - WHOIS first URL - WHOIS second URL -
WHOIS third URL - value to download using computer-name and username - Opera gather data flag - Firefox gather data flag
- Chrome gather data flag - WHOIS flag - tracert flag -
number of tries - clipboard data flag of CF_HDROP (CLB-f.jpg) -
clipboard data flag of text, unicode, oemtext and locale (clb-t.jpg) - clipboard data flag of
bitmap and dib (clb-p.jpg)
- Registry key for persistence
- pre value for info files to send
- extensions for info files to send
- log path direcory
- minimum size for file to send
- FTP domain
- FTP User value
- FTP Password value
- version
- Downloads updates URL
- Downloads updates URL
- Directory in ftp connection.
- timer_1
- timer_2
- timer_3
- Downloads updates URL
- value for encryption method to files
- value for encryption method to files
- Fake name
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 27 of 59
- Value to choose name template for info files to send.
- flag for exeucting again from different place.
- WHOIS first URL
- WHOIS second URL
- WHOIS third URL
- value to download using computer-name and username
- Opera gather data flag
- Firefox gather data flag
- Chrome gather data flag
- WHOIS flag
- tracert flag
- number of tries
- clipboard data flag of CF_HDROP (CLB-f.jpg)
- clipboard data flag of text, unicode, oemtext and locale (clb-t.jpg)
- clipboard data flag of bitmap and dib (clb-p.jpg)
Persistence
The malware sets the registry key which is in the value of the configuration file (which is almost always
the key RunOnce) to the following values – it sets the name to SunJavaHtml or DevNicJava and the value is
DrvUpdt.exe 11 . That way the malware knows it was already executed.
In older versions, the malware used to drop a file named either rreegg.exe or Capdev.exe , which was added to
RunOnce, and in turn executed DrvUpdt.exe 11
Info stealing
Main feature of the malware is stealing information from the victim’s computer and send it to the C2 using FTP.
The malware steals different types of data:
Opera/Chrome/Firefox login data.
Firefox information: profiles, keys and db files.
The output of tracert www.google.com
WHOIS information (based on the value).
Screenshots and title of the foreground window.
Waveform-audio recording for a minute.
Files from removable drivers. The types of files are based on the tags in the file Devufl1.tmp
( winufl1.tmp in older versions). In some versions, that logic was implemented in a file named
uflscan.exe .
Interestingly, if driver’s name is one of the following: A65RT52WE3F , 09353536557 or transcend20276 ,
the malware ends the thread. We believe it to be a debug code (Fig. X) that stayed and its purpose is to
prevent the malware from gathering files from the author’s computers.
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 28 of 59
Files from other drives based on the tags in the file Devufl2.tmp ( winufl2.tmp in older versions
).
Keylogging and clipboard data from various formats – drag and drop/ CF_HDROP , CF_TEXT , CF_TEXT ,
CF_UNICODETEXT , virtual key codes, CF_OEMTEXT , CF_LOCALE , CF_BITMAP and CF_DIB .
Capture using webcam ( tcwin.exe in older versions).
Since 2018 – Telegram Desktop data.
Figure 22: Debug code with hardcoded removable drivers
C2 communication
This variant uploads files to its C2 domain using the FTP protocol. The FTP domain is placed in the configuration
file inside the tag.
The connection starts with authentication using the password and username from the configuration file.
The malware then creates a directory according to the tag and a subdirectory inside it with the user id it
generated before. The user id is generated from the network adapter’s info that was written into the file
Mcdata.dat ( PAdata.dat In older versions).
After that, the connection continues with TYPE I and PASV commands before storing the files with the STOR
command.
The variant also contacts other domains to update its different components. The domains are placed in the
configuration file inside , and tags. The files are downloaded using
URLDownloadToFileW from the given URLs, the user_id is included in the URLs.
String Obfuscation
In newer versions (since 2018), the strings are encrypted with the following script:
Plain text
Copy to clipboard
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/
Page 29 of 59
Open code in new window
EnlighterJS 3 Syntax Highlighter
buf_1 = 'qweyuip[];lkjhgdszcm,.>