# Domestic Kitten – An Inside Look at the Iranian Surveillance Operations

**[research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations](https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/)**

February 8, 2021

February 8, 2021

## Overview

[Despite the reveal of “Domestic Kitten” by Check Point in 2018, APT-C-50 has not](https://research.checkpoint.com/2018/domestic-kitten-an-iranian-surveillance-operation/)
stopped conducting extensive surveillance operations against Iranian citizens that could
pose a threat to the stability of the Iranian regime, including internal dissidents,
opposition forces, ISIS advocates, the Kurdish minority in Iran, and more.

In this paper, Check Point Research reveals the extent of the operations, the multiple
campaigns executed by APT-C-50, their delivery methods, and an analysis of the targeted
individuals. In addition, we provide a technical analysis of the FurBall malware used since
the beginning of the operation, its origin, and observed covers used to conceal the
malware’s true nature.

## General

Check Point researchers recently uncovered the full extent of Domestic Kitten’s extensive
surveillance operation against Iranian citizens that could pose a threat to the stability of
the Iranian regime. The operation itself is linked to the Iranian government, and executed
by APT-C-50.

Starting in 2017, this operation, consisting of 10 unique campaigns, targeted over 1,200
individuals with more than 600 successful infections. It includes 4 currently active


-----

campaigns, the most recent of which began in November 2020.
In these campaigns, victims are lured to install a malicious application by multiple
vectors, including an Iranian blog site, Telegram channels, and even by SMS with a link to
the malicious application.
The capabilities of the Domestic Kitten malware (which we are calling FurBall), include:
collecting device identifiers, grabbing SMS messages and call logs, surround recording
with the device microphone, call recording, stealing media files (such as videos and
photos), obtaining a list of installed applications, tracking the device location, stealing
files from the external storage, and more. For a full list of commands, see the Technical
Analysis section.

## Campaigns & Victims

Almost all of the campaigns we observed use the same infrastructure that Domestic Kitten
used back in 2018, the C&C hXXp://www[.]firmwaresystemupdate[.]com. We
differentiate between campaigns by the URI segment of the C&C server. For example, in
the most recent campaign the full C&C address is
hXXp://www[.]firmwaresystemupdate[.]com/hass (which we call the ‘hass’ campaign
for obvious reasons).

**Campaign** **Start** **End**

**hass** November 2020 **Currently active**

**or** May 2020 June 2020

**mat** December 2019 July 2020

**hj** May 2019 April 2020

**oth** June 2018 **Currently active**

**hr** October 2017 November 2017

**maj** October 2017 June 2019

**mmh** July 2017 **Currently active**

**msd** June 2017 **Currently active**

**grt** June 2017 September 2019

_Figure 1 – Domestic Kitten Campaign list_

FurBall uses a large variety of covers to mask its malicious intentions. A few prominent
covers include:

VIPRE Mobile Security – A fake mobile security application.


-----

ISIS Amaq – A news outlet for the Amaq news agency.
Exotic Flowers – A repackaged version of a game from Google Play.
MyKet – An Android application store.
Iranian Woman Ninja – A wallpaper application.

In the newest ‘hass’ campaign, APT-C-50 mimics an application for the restaurant
“Mohsen Restaurant” which is located in Tehran. Covers of the ‘mmh’ campaign include
an ISIS supporter application and a repackaged version of ‘Exotic Flowers’ from Google
Play.

_Figure 2 – FurBall Mohsen ;hass’_


-----

-----

_Figure 3 – FurBall Repacked ‘Exotic Flowers’ cover, and an ISIS supported cover_

A full list of the covers is provided in Appendix 1 – FurBall Covers.

The methods used to deliver FurBall applications to victims also varies from one
campaign to another. In some campaigns, we observed SMS messages with a link to
download the malware, while in others an Iranian blog site hosted the payload. In
another campaign, we assume that the application was shared in a Telegram channel.


-----

_Figure 4 – The Iranian blog hosting FurBall_

We were able to identify victims of the Domestic Kitten operation from various places
around the globe, including Iran, the United States, Great Britain, Pakistan, Afghanistan,
Turkey, and more.

_Figure 5 – Victims distribution by Country_


-----

_Figure 6 – Successful attacks by date and campaign_

We traced 2 unique IPs that connected to the malware’s C&C server. We assume that
those IPs are used to send instructions to the server: 94.182.215.98 and 188.158.60.100.
According to ip2location.com, both IPs reside in Iran, the first in Tehran, and the second
in Karaj.

_Figure 7 – IP2Location’s output_

## FurBall – Technical Analysis


-----

Upon execution, the first thing Furball does is to allow execution of the application on the
device startup. To achieve this, FurBall starts its code on a receiver that listens for the
BOOT_COMPLETED event, which in turn calls to the ‘startService’ method to initiate
everything that is needed for the malware’s functionality.

_Figure 8 – BOOT_COMPLETED receiver_

_Figure 9 – The startService method_

In addition, this piece of code also initializes a ‘settings’ object, which contains the
configuration for FurBall: which C&C to connect to, another back-up C&C address, flags
to allow functionality, frequency for C&C pulling commands, and more.

_Figure 10 – FurBall configuration_


-----

After initialization, FurBall creates 3 threads.

The first periodically sends media files such as videos, photos, and call records to the
server, with a default frequency of every 20 seconds. The remaining 2 threads are keepalive threads that communicate with <C&C Address>/<campaign>/answer.php.
We assume this allows the threat actors to see which devices are currently active.

The next step for FurBall is to initialize the Command Manager. This component pulls
commands from the C&C by requesting the <C&C>/<campaign>/get-function.php
and awaits commands. Each command is delimited by the “===”string, and the
arguments are delimited by the “~~~” string.

**Command** **Action**

**NoCommand** No command.

**Time** Gets device local time.

**Set** Sets a configuration parameter given as the first argument,
to a specific value given as the second argument.

**Get** Gets data given as an argument from the infected device.
The list below includes all possible Get arguments.

**Get~~~AllLog** Gets log files

**Get~~~AllNotif** Gets all notifications

**Get~~~AllContact** Gets all contacts.

**Get~~~AllFile** Gets the names of all files on the device from the SD card
root.

**Get~~~AllSms** Gets all SMS.

**Get~~~AllCall** Gets call logs.

**Get~~~AllApp** Gets a list of all installed applications on the device.

**Get~~~AllBrowser** Gest all browsing history.

**Get~~~AllAccount** Gest a list of all user accounts stored on the device.

**Get~~~AllSettings** Gets the settings for FurBall.

**Get~~~Location** Gets the current location of the device.

**Get~~~HardwareInfo** Gets hardware information on the device.

**Get~~~File** Gets a specific file and upload it to
**<C&C>/<campaign>/upload-file.php**


-----

**Take** Allows the actor to perform actions on the device itself. The
list below shows all possible arguments for the Take
command.

**Take~~~Audio** Starts audio recording with the microphone for a given
amount of time.

**Take~~~Video** Starts a video recording using camera ID specified as a
parameter for a given amount of time.

**Take~~RecordCall** Starts recording calls from this point on.

**Delete~~~SMS** Deletes all SMS from the “HiddenNumber” parameter in the
configuration.

**Delete~~~Call** Deletes all calls from the “HiddenNumber” parameter in the
configuration.

**Delete~~~File** Deletes files from provided paths.

**Reset~~~AllCommand** Deletes all logs and media files, resets to a “default”
configuration.

_Figure 11 – FurBall possible commands_

_Figure 12 – the Command Manager listening for commands_


-----

_Figure 13 – Command Manager parsing commands_

After all initializations, it’s time to start collecting the initial data on the device. FurBall
collects the following data on startup:

Hardware Information
Contacts
Call logs
Accounts
Browser history
File list on the SD card


-----

_Figure 14 – the sendStartup method_

After collecting initial data on the device, FurBall initialize two other components. The
first one is a clipboard monitor which monitors the clipboard content (where data is
stored when it’s “copied”), and the other collects info about the top-most application’s
activity.

_Figure 15 – Clipboard monitor_


-----

_Figure 16 – Top-most application monitor_

The last significant component that is used by FurBall is the Notification Observer
Service, a service that is based on the NotificationListenerService and allows FurBall to
access all notifications received by the device.

_Figure 17 – NotificationObserverService_

While investigating the new version of Domestic Kitten’s FurBall, we noticed that FurBall
is actually based on a commercially available parental control software called KidLogger .
As FurBall shares a lot of infrastructure code with KidLogger, it seems that the developers
used the KidLogger source-code available on github.


-----

A few noticeable differences between KidLogger and FurBall:

FurBall has a configuration update mechanism that is not present in KidLogger.
FurBall is based on plain threads, while KidLogger is based on services.


-----

_Figure 18 – Code similarity between FurBall and KidLogger_


-----

## Demo

We were able to mimic the command and control server’s behavior and provide a
potential use-case against a fictional target.

[https://www.youtube.com/watch?v=lpsS3g0xZIU&feature=youtu.be](https://www.youtube.com/watch?v=lpsS3g0xZIU&feature=youtu.be)

## How to protect yourself

[Check Point SandBlast Mobile is the market-leading Mobile Threat Defense (MTD)](https://pages.checkpoint.com/2019-miercom-mobile-threat-defense-report.html)
solution, providing the widest range of capabilities to help you secure your mobile
workforce.

SandBlast Mobile provides protection for all mobile vectors of attack, including the
download of malicious applications and applications with malware embedded in them.

[Learn more.](https://www.checkpoint.com/products/mobile-security)

### Appendix 1 – FurBall Covers:

**Package name** **Cover**

com.intense.pub1.sbgs Islamic Caliphate

com.clem.isisnews ISIS News Watch

com.majorityapps.exoticflowers Repacked “Exotic Flowers” from Google
Play.

com.ssd.vipre Fake security product

com.apps.amaq Amaq News Agency Application

air.com.arsnetworks.poems.moshiri Persian poems

air.com.arsnetworks.poems.sohrab Persian poems

com.nidayehaq Religious application

com.ramadan.kareem.app Ramadan Pictures

ir.hukmi.moanzalalloh “Judgment by what Alla has revealed”

org.microemu.android.ir.mjface.toolkit.Midlet “Omar Farouq”

com.hamgaam.shahnamef “The Book of Kings”

ir.korosh.kabir “Cyrus the Great”

ir.hawijapp.myhafez Persian poems

com.kabood.koroshkabir “Cyrus the Great”

com.andriod.browser Fake “mobile secured browser”


-----

ir.mservices.market Application market for Android

com.mohsen Mohsen restaurant mimic

### Appendix 2 – IOCs:

b1df569ad4686e16ec0c661733d56778f59cdb78207a3c2ad66df9b9828c84ab

68a1452172636b081873b9f7c1ae3794035c4ff50d5538b656caf07016b74d07

02d6ca25b2057f181af96d2837486b26231eaa496defdf39785b5222014ef209

290d70472f4b00a1cf01f5c1311aacffaa39057bb1c826c99419999ccef7ae53

039fc34ace1012eff687f864369540b9085b167f0d66023f3b94f280a7fdf8b7

7f603216a0a7bae2c8cec65a800608ac22cfff8cd98c699677e44d36267a9798

54479fbb2f3c8c16714e526925537e738b1b586310c8d15ce10f33327392e879

d90168d1f3568b5909d2e14288300ede298f6c663b51e883e7eb5d8d70277423

ccef7ca705b899fe337eda462d38216c414c0cfe41052dec102c8f6d8876ad8a

8324266e25d6a8dbc6e561e035b9e713c3bd339ba9bb5e5b9d4f0821a0262510

3d41830f943c31f69eb6ed7804cc18b289ba2172d258bd118a8503d120318d63

53e00f1e8d2d6aa2d8a0eda2bf2d924fbc6f67db12ac3238d7c4b4520de7fadc

ca730b8b355e44919629a958d940e77eb1b4cd0c1bbe2ab94a963222f2723f57

f1728125f37ca8738b19b418a3fe896e9bdcde5aed6559db3eea55f4e17602c4

5787723b2221464337e6bbe4200aab912f1f711447224e4e6c4c96c451ff41bf

e069bcd473c83b937db46243dd53e8856b5be6d0ade880c0ec61107054a7e32e

48d642c2c77eeabff36249c59ce397a9ee5f3d825d735f839c5c05939499406e

1dc12c6a44852023f1687f9f31a9e58dc7ce96d492a58a3e87dec5aa8f45ba92

4580980a6fb65ea1501464d36306c24d341189e84500562c5a3ac844f9a79525

a5b5f6027b463d82fded3c38153086d5accc466df33123070ea541e62124b943

a3797856766fef6651f8c679febd12378fc3196c5cc74923d90377045107700d

9156f5bd322306c9038a3bc830e53e7b13c272e121fb70b3b8d7d9968fb97e4f

88d03e683c01d9979c752844579bd367892edbbdc876b03df8e1d09412f761c5

bd7779e6100e07b3eae67bfcdc53f1f08468651240229e284cca60e2b953496b

62a48bcb2d2f22017ce67b853654903464c19892a07a3c0ca020048cb049f0cd

e7a6925f0fe03108b965a3cf9f2fe1204add376ecde68bafd872e9d828d762e9

53ed971b48ae0b2ff6bcdd7bf4e8970d6eac3e7cdcd3ae6fa05860b9e5ac58ee

firmwaresystemupdate[.]com

appsoftupdate[.]com


-----