Fox Kitten | APT Profile

Description

[Fox Kitten](https://attack.mitre.org/groups/G0117) is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. [Fox Kitten](https://attack.mitre.org/groups/G0117) has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.(Citation: ClearkSky Fox Kitten February 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: Dragos PARISITE )(Citation: ClearSky Pay2Kitten December 2020)

Techniques Used (TTPs)

T1105 — Ingress Tool Transfer (command-and-control)
T1059 — Command and Scripting Interpreter (execution)
T1530 — Data from Cloud Storage (collection)
T1018 — Remote System Discovery (discovery)
T1110 — Brute Force (credential-access)
T1210 — Exploitation of Remote Services (lateral-movement)
T1136.001 — Local Account (persistence)
T1560.001 — Archive via Utility (collection)
T1027.010 — Command Obfuscation (defense-evasion)
T1005 — Data from Local System (collection)
T1585 — Establish Accounts (resource-development)
T1021.005 — VNC (lateral-movement)
T1552.001 — Credentials In Files (credential-access)
T1217 — Browser Information Discovery (discovery)
T1059.003 — Windows Command Shell (execution)
T1027.013 — Encrypted/Encoded File (defense-evasion)
T1213.005 — Messaging Applications (collection)
T1021.002 — SMB/Windows Admin Shares (lateral-movement)
T1190 — Exploit Public-Facing Application (initial-access)
T1555.005 — Password Managers (credential-access)
T1003.003 — NTDS (credential-access)
T1087.001 — Local Account (discovery)
T1087.002 — Domain Account (discovery)
T1021.004 — SSH (lateral-movement)
T1505.003 — Web Shell (persistence)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1036.004 — Masquerade Task or Service (defense-evasion)
T1003.001 — LSASS Memory (credential-access)
T1090 — Proxy (command-and-control)
T1012 — Query Registry (discovery)
T1572 — Protocol Tunneling (command-and-control)
T1021.001 — Remote Desktop Protocol (lateral-movement)
T1102 — Web Service (command-and-control)
T1039 — Data from Network Shared Drive (collection)
T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1046 — Network Service Discovery (discovery)
T1546.008 — Accessibility Features (privilege-escalation, persistence)
T1585.001 — Social Media Accounts (resource-development)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1059.001 — PowerShell (execution)
T1083 — File and Directory Discovery (discovery)

Total TTPs: 41

Malware & Tools

Malware: China Chopper, Pay2Key

Tools: PsExec, ngrok

← Return to Home ← Back to APT Search