SOCRadar LABS - Tests On Your Security Posture

Fox Kitten

★ Rank: 598

Get Free Access to Insights

Summary of Actor:Fox Kitten is an Iranian state-sponsored cyber espionage group known for its advanced persistent threat (APT) activities. The group primarily targets critical infrastructure sectors across various countries. Their operations often involve exploiting known vulnerabilities and strategic web compromises.

General Features:Fox Kitten is known for its sophisticated attack methods, including the use of spear-phishing, custom malware, and exploiting known vulnerabilities in enterprise VPNs and RDP servers. The group operates with a focus on long-term persistence and data exfiltration from high-value targets.

Related Other Groups: APT33,APT34,MuddyWater

Indicators of Attack (IoA):

Unauthorized RDP access
Unusual outbound traffic
Phishing emails targeting specific sectors
Use of VPN access for network infiltration

Recent Activities and Trends:

Latest Campaigns : The most recent campaigns have involved exploiting vulnerabilities in enterprise VPNs to infiltrate networks of targeted organizations.
Emerging Trends : There has been a noticeable increase in the group's use of strategic web compromises and focus on supply chain attacks, indicating a shift towards more complex and indirect methods of network infiltration.

...

Also Known As:

Parisite

Rubidium

Pioneer Kitten

Lemon Sandstorm

Cobalt Foxglove

Target Countries

Malaysia

Germany

Israel

Australia

Austria

+10

Target Sectors

Air Transportation

Manufacturing

Public Administration

Energy & Utilities

Chemical&Pharmaceutical Manufacturing

Associated Malware/Software

Noberus

ALPHV

BlackCat - S1068

NoEscape

Ransomhouse

️Related CVEs

ATT&CK IDs:

T1083 - File and Directory Discovery

T1486 - Data Encrypted for Impact

T1190

T1059 - Command and Scripting Interpreter

T1056 - Input Capture

+20

Tactic	Id	Technique
Collection	T1056	Input Capture	Sub Techniques	Detections	Mitigations
Command And Control	T1572	Protocol Tunneling	Sub Techniques	Detections	Mitigations
Command And Control	T1071	Application Layer Protocol	Sub Techniques	Detections	Mitigations
Command And Control	T1105	Ingress Tool Transfer	Sub Techniques	Detections	Mitigations
Command And Control	T1219	Remote Access Tools	Sub Techniques	Detections	Mitigations
Credential Access	T1056	Input Capture	Sub Techniques	Detections	Mitigations
Defense Evasion	T1078	Valid Accounts	Sub Techniques	Detections	Mitigations
Defense Evasion	T1140	Deobfuscate/Decode Files or Information	Sub Techniques	Detections	Mitigations
Defense Evasion	T1562	Impair Defenses	Sub Techniques	Detections	Mitigations
Discovery	T1082	System Information Discovery	Sub Techniques	Detections	Mitigations
Discovery	T1012	Query Registry	Sub Techniques	Detections	Mitigations
Discovery	T1482	Domain Trust Discovery	Sub Techniques	Detections	Mitigations
Discovery	T1083	File and Directory Discovery	Sub Techniques	Detections	Mitigations
Execution	T1059	Command and Scripting Interpreter	Sub Techniques	Detections	Mitigations
Execution	T1053	Scheduled Task/Job	Sub Techniques	Detections	Mitigations
Impact	T1486	Data Encrypted for Impact	Sub Techniques	Detections	Mitigations
Initial Access	T1133	External Remote Services	Sub Techniques	Detections	Mitigations
Initial Access	T1190	Exploit Public-Facing Application	Sub Techniques	Detections	Mitigations
Initial Access	T1078	Valid Accounts	Sub Techniques	Detections	Mitigations
Lateral Movement	T1210	Exploitation of Remote Services	Sub Techniques	Detections	Mitigations
Lateral Movement	T1021	Remote Services	Sub Techniques	Detections	Mitigations
Persistence	T1133	External Remote Services	Sub Techniques	Detections	Mitigations
Persistence	T1136	Create Account	Sub Techniques	Detections	Mitigations
Persistence	T1098	Account Manipulation	Sub Techniques	Detections	Mitigations
Persistence	T1505	Server Software Component	Sub Techniques	Detections	Mitigations
Persistence	T1078	Valid Accounts	Sub Techniques	Detections	Mitigations
Persistence	T1053	Scheduled Task/Job	Sub Techniques	Detections	Mitigations
Privilege Escalation	T1098	Account Manipulation	Sub Techniques	Detections	Mitigations
Privilege Escalation	T1078	Valid Accounts	Sub Techniques	Detections	Mitigations
Privilege Escalation	T1053	Scheduled Task/Job	Sub Techniques	Detections	Mitigations
Reconnaissance	T1596	Search Open Technical Databases	Sub Techniques	Detections	Mitigations

Total Count : 18

https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf

https://attack.mitre.org/groups/G0117/

https://www.dragos.com/threat/parisite

https://www.crowdstrike.com/blog/who-is-pioneer-kitten

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a

https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf

https://threatpost.com/oil-and-gas-specialist-apt-pivots-to-u-s-power-plants/151699/

https://www.dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf

https://censys.com/analysis-of-fox-kitten-infrastructure-reveals-unique-host-patterns-and-potentially-new-iocs/

https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9d13d133-e25a-4de0-8952-6b0cbdb92899

https://youtu.be/pBDu8EGWRC4?t=2492

https://dragos.com/blog/industry-news/the-state-of-threats-to-electric-entities-in-north-america/

https://www.crowdstrike.com/blog/who-is-pioneer-kitten/

https://www.dragos.com/wp-content/uploads/The-ICS-Threat-Landscape.pdf

https://www.zdnet.com/article/iranian-hackers-are-selling-access-to-compromised-companies-on-an-underground-forum

https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf

https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices

https://us-cert.cisa.gov/ncas/alerts/aa20-259a

Threat Reports

Threat Reports