Domestic Kitten Surveillance Campaign

Domestic Kitten is the name given to a spyware campaign which Check Point believes originates from within Iran and has primarily targeted Iranian citizens. The campaign operates by attempting to entice victims into downloading mobile apps which are spyware. The apps Check Point analyzed were an ISIS themed wallpaper changer, an app which provides updates from the ANF Kurdistan news agency and a fake version of a messaging app named Vidogram.

All the apps use the same certificate which has the email address telecom2016@yahoo.com associated with it. Once installed, the spyware is capable of gathering significant information from the victim device and then transfers the data to its C&C servers via HTTP POST requests.

Check Point report that they believe that there may be around 240 victims of this campaign with some 97% of the victims being Iranian citizens. The remaining victims are located in Iraq, Afghanistan and the UK.

Victims are lured into downloading applications which is believed to be of interest to them. The applications researchers discovered included an ISIS branded wallpaper changer, “updates” from the ANF Kurdistan news agency and a fake version of the messaging app, Vidogram.

Indicators of Compromise

c168f3ea7d0e2cee91612bf86c5d95167d26e69c

0fafeb1cbcd6b19c46a72a26a4b8e3ed588e385f

f1355dfe633f9e1350887c31c67490d928f4feec

d1f70c47c016f8a544ef240487187c2e8ea78339

162[.]248[.]247[.]172

190[.]2[.]144[.]140

190[.]2[.]145[.]145

89[.]38[.]98[.]49

Firmwaresystemupdate[.]com

Stevenwentz[.]com

Ronaldlubbers[.]site

Georgethompson[.]space