Imperial Kitten, an Iran-linked APT targeting logistics and tech sectors

An ongoing investigation has revealed that a group known as “Imperial Kitten” and associated with Iran has been carrying out watering-hole attacks against organisations in the Middle East for the past two years, specifically targeting the transportation, logistics, and technology industries. Recent research from CrowdStrike identifies the responsible party as a state-sponsored advanced persistent threat (APT) tracked as “Imperial Kitten” (also known as Yellow Liderc, Tortoiseshell, TA456, and Crimson Sandstorm). This APT, which previously targeted Israeli maritime, transportation, and technology sectors, is suspected of having connections with Iran’s Islamic Revolutionary Guard Corps.

CrowdStrike Intelligence gathering has identified that the contemporary intrusion chains orchestrated by IMPERIAL KITTEN employ the following tactics, techniques, and procedures:

  1. Implementation of data exfiltration techniques through the use of both custom and open-source malware, specifically targeting entities in the Middle East.
  2. Utilization of public scanning tools, one-day exploits, SQL injection, and pilfered VPN credentials for initial access.
  3. Adoption of scanning tools, PAExec, and credential theft for lateral movement within the network.

CrowdStrike Intelligence conducted an analysis of various malware samples linked to IMPERIAL KITTEN activities, including:

  1. A similar sample identified as StandardKeyboard.
  2. A Python generic reverse shell distributed through a macro-enabled Excel sheet.
  3. IMAPLoader, which utilizes email for command and control (C2).
  4. A malware sample employing Discord for C2.

This newer set of tools indicates that IMPERIAL KITTEN continues to rely on email-based C2 mechanisms, resembling those observed in its earlier Liderc malware family.

Initial Access:

According to industry reports, there are instances where the adversary delivers malware directly to victims through a strategic web compromise (SWC), i.e. the watering-hole sites mentioned above. In line with prior CrowdStrike reporting on credential stealers from 2021, there is some indication that IMPERIAL KITTEN targets organisations, particularly upstream IT service providers, in order to identify and gain access to the specific targets of primary interest for subsequent data exfiltration.

Moreover, there is evidence suggesting that their methods for initial access include:

  1. Utilization of public one-day exploits.
  2. Exploitation of stolen credentials to access VPN appliances.
  3. Implementation of SQL injection techniques.
  4. Use of publicly available scanning tools, such as nmap.
  5. Adoption of phishing tactics to deliver malicious documents.

Lateral Movement:

There is evidence suggesting that IMPERIAL KITTEN executes lateral movement using tools such as PAExec (an open-source alternative to PsExec) and NetScan. Additionally, they employ ProcDump to extract LSASS process memory for credential harvesting. Lastly, there is a likelihood that IMPERIAL KITTEN deploys custom malware or open-source tools like MeshAgent for data exfiltration. These assessments are associated with low confidence levels, relying on single, uncorroborated source reporting.
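The lateral-movement tradecraft described above leaves well-known traces in Windows telemetry: PAExec installs a service on the target host, and a ProcDump read of LSASS shows up both in process-creation command lines and in Sysmon process-access events. The following is an added example, not CrowdStrike's or the article's own code, of a small detection pass over such events. The event records, field names, the allow-list of expected LSASS readers, and the host names are all constructed for illustration; the service-name pattern and the access-mask bits are assumptions drawn from how PAExec and MiniDumpWriteDump behave in general, not from the reporting on this actor.

```python
"""Added example (not CrowdStrike's or the article's code): a detection pass
over normalised Windows events for PAExec service installation and ProcDump
reads of LSASS memory. All event records below are constructed."""
import ntpath
import re

# PAExec registers a service on the target named PAExec-<pid>-<source host>.
PAEXEC_SERVICE = re.compile(r"^PAExec-\d+-[\w.-]+$", re.IGNORECASE)

# MiniDumpWriteDump needs at least PROCESS_QUERY_INFORMATION (0x0400) and
# PROCESS_VM_READ (0x0010) on the target; broad masks such as 0x1FFFFF
# (PROCESS_ALL_ACCESS) include both bits.
DUMP_ACCESS_MASK = 0x0410

# Constructed allow-list: security products legitimately open LSASS, so a real
# deployment tunes this to the environment's signed EDR/AV images.
EXPECTED_LSASS_READERS = {"msmpeng.exe", "csrss.exe", "wininit.exe"}

# Constructed sample events (not real telemetry) after log normalisation.
SAMPLE_EVENTS = [
    {"source": "Security", "event_id": 4688, "host": "WKS-01",
     "image": r"C:\Tools\procdump64.exe",
     "command_line": r"procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\out.dmp"},
    {"source": "System", "event_id": 7045, "host": "SRV-02",
     "service_name": "PAExec-4128-WKS-01",
     "image_path": r"C:\Windows\PAExec-4128-WKS-01.exe"},
    {"source": "Sysmon", "event_id": 10, "host": "WKS-01",
     "source_image": r"C:\Tools\procdump64.exe",
     "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1FFFFF"},
    {"source": "Security", "event_id": 4688, "host": "WKS-03",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe report.txt"},
]


def _basename(path):
    return ntpath.basename(path).lower()


def rule_procdump_lsass_cmdline(ev):
    """Security 4688: a ProcDump binary invoked with lsass as its target."""
    if ev.get("source") != "Security" or ev.get("event_id") != 4688:
        return None
    tokens = [t.lower().strip('"') for t in ev.get("command_line", "").split()]
    if (_basename(ev.get("image", "")).startswith("procdump")
            and any(t in ("lsass", "lsass.exe") for t in tokens)):
        return "procdump_lsass_cmdline"
    return None


def rule_paexec_service_install(ev):
    """System 7045: a service whose name follows PAExec's naming scheme."""
    if ev.get("source") != "System" or ev.get("event_id") != 7045:
        return None
    if PAEXEC_SERVICE.match(ev.get("service_name", "")):
        return "paexec_service_install"
    return None


def rule_lsass_dump_access(ev):
    """Sysmon 10: a process outside the allow-list opened lsass.exe with
    the rights a memory dump needs (catches renamed ProcDump binaries too)."""
    if ev.get("source") != "Sysmon" or ev.get("event_id") != 10:
        return None
    if _basename(ev.get("target_image", "")) != "lsass.exe":
        return None
    try:
        granted = int(ev.get("granted_access", "0"), 16)
    except ValueError:
        return None
    if (granted & DUMP_ACCESS_MASK) != DUMP_ACCESS_MASK:
        return None
    if _basename(ev.get("source_image", "")) in EXPECTED_LSASS_READERS:
        return None
    return "lsass_dump_access"


def detect(events):
    """Run every rule over every event; return one finding per rule hit."""
    rules = (rule_procdump_lsass_cmdline, rule_paexec_service_install,
             rule_lsass_dump_access)
    findings = []
    for ev in events:
        for rule in rules:
            name = rule(ev)
            if name:
                findings.append({"rule": name, "host": ev.get("host")})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']}")
```

The command-line rule is the cheapest but is defeated by a renamed binary; the Sysmon process-access rule is the one that survives renaming, at the cost of needing an allow-list for the security products that legitimately read LSASS.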

Adversary Tooling:

Imperial Kitten operations purportedly utilize a variety of tools, including the custom implants IMAPLoader and StandardKeyboard, both of which use email for command and control (C2). Additionally, a remote access tool (RAT) in their toolkit uses Discord for C2.

IMAPLoader is a malware family distributed as a dynamic link library (DLL) that is loaded via AppDomainManager injection. It uses email for C2, configured through static email addresses embedded in the malware. Typographical errors in embedded folder names and log messages suggest that the author may not be a native English speaker. Although timestamps are mostly unavailable, the earliest observed version was seen in the wild on September 1, 2022.
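AppDomainManager injection, the loading technique attributed to IMAPLoader above, works because a .NET executable will load whatever assembly its `<exe>.config` (or the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables) names as the AppDomainManager, before the program's own `Main` runs. The following is an added example, not CrowdStrike's or the article's code, that inspects both of those sources and flags any AppDomainManager assembly outside a trusted set. The config text, the environment values, the `UpdaterHelper` names and the trusted set are all constructed for illustration.

```python
"""Added example (not the article's or CrowdStrike's code): inspect the two
places a .NET process can be told to load a custom AppDomainManager and flag
assemblies outside a trusted set. Config text, environment values and names
below are constructed."""
import xml.etree.ElementTree as ET

# The CLR reads <runtime><appDomainManagerAssembly value=".."/> and
# <appDomainManagerType value=".."/> from <exe>.config, and equivalently the
# APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables
# (COMPLUS_Version is often set alongside to pin the runtime version).
CONFIG_KEYS = ("appDomainManagerAssembly", "appDomainManagerType")

# Constructed: a config pointing at an unsigned, non-Microsoft assembly.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdaterHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdaterHelper.Manager" />
  </runtime>
</configuration>
"""

# Constructed: an ordinary config with no AppDomainManager settings.
CLEAN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""

# Constructed: the same redirection expressed through the process environment.
SAMPLE_ENV = {
    "APPDOMAIN_MANAGER_ASM": "UpdaterHelper",
    "APPDOMAIN_MANAGER_TYPE": "UpdaterHelper.Manager",
    "COMPLUS_Version": "v4.0.30319",
}


def parse_appdomain_manager(config_text):
    """Return the appDomainManager* settings found in a .config, or {}."""
    root = ET.fromstring(config_text.encode("utf-8"))
    found = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # tolerate a namespaced element
        if tag in CONFIG_KEYS:
            found[tag] = (el.get("value") or "").strip()
    return found


def _simple_name(assembly_ref):
    """'Name, Version=..., PublicKeyToken=...' -> 'name'."""
    return assembly_ref.split(",", 1)[0].strip().lower()


def assess(config_text, env, trusted=frozenset()):
    """Flag every AppDomainManager source whose assembly is not in `trusted`
    (a set of lower-cased simple assembly names)."""
    findings = []
    cfg = parse_appdomain_manager(config_text)
    asm = cfg.get("appDomainManagerAssembly", "")
    if asm and _simple_name(asm) not in trusted:
        # A null PublicKeyToken means the assembly carries no strong name.
        unsigned = "publickeytoken=null" in asm.replace(" ", "").lower()
        findings.append({
            "where": "config",
            "assembly": asm,
            "type": cfg.get("appDomainManagerType", ""),
            "unsigned": unsigned,
        })
    env_asm = env.get("APPDOMAIN_MANAGER_ASM", "")
    if env_asm and _simple_name(env_asm) not in trusted:
        findings.append({
            "where": "environment",
            "assembly": env_asm,
            "type": env.get("APPDOMAIN_MANAGER_TYPE", ""),
            "unsigned": None,  # the env var carries no strong-name token
        })
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_CONFIG, SAMPLE_ENV):
        print(f"{f['where']}: AppDomainManager {f['assembly']!r} "
              f"type {f['type']!r} unsigned={f['unsigned']}")
```

In practice the config check runs over `.exe.config` files found beside signed executables, and the environment check runs over each process's environment block; the trusted set should be built from the strong-named assemblies an organisation actually ships, since a legitimate AppDomainManager is rare outside host applications that deliberately customise the CLR.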

Phishing:

Imperial Kitten’s phishing activities reportedly involve the delivery of malicious Microsoft Excel documents. Although the sample referenced in October 2023 industry reports is not publicly accessible, CrowdStrike Intelligence obtained a similar version of the delivery document.

Summary:

The broader implication is that APT groups like Imperial Kitten pose a pervasive threat to global cybersecurity. Their ability to exploit vulnerabilities, use varied techniques for initial access, and employ a diverse set of tools for data exfiltration underscores the need for international cooperation in addressing cybersecurity challenges. Imperial Kitten’s tactics, ranging from phishing to lateral movement within compromised networks, highlight the evolving nature of cyber threats that can affect organizations and individuals worldwide. As such, vigilance and collaboration on a global scale are crucial to mitigating the risks posed by such adversaries.

References:

  1. https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Tortoiseshell%2C%20Imperial%20Kitten
  2. https://www.darkreading.com/dr-global/imperial-kitten-israeli-industry-multiyear-spy-effort
  3. https://thehackernews.com/2023/11/iran-linked-imperial-kitten-cyber-group.html
  4. https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/

Author: Lornd Székely, UPS