Upgraded FurBall spyware used by APT-C-50 in recent attacks

October 27, 2022
FurBall Spyware Mobile Malware Android APT-C-50 Phishing Data Exfiltration

The Domestic Kitten group (APT-C-50) has been targeting Iranians in mobile surveillance campaigns using the latest version of the ‘FurBall’ Android spyware. The APT group has used FurBall since its initial activities in 2016; the current version adds obfuscation capabilities and updates to its C2 communication.

Researchers added that the Domestic Kitten group is in its sixth year of operation, which supports the assessment that it is an Iran-based threat group backed by the government.


In the new campaigns utilising the upgraded FurBall spyware, the threat group sets up malicious sites impersonating real companies.


The malicious sites set up by the APT group are where the victims land, coming from social media lures, phishing emails, fraudulent text messages, or SEO poisoning tactics.

Researchers once spotted the threat group using a fake language-translation site to lure victims into downloading the spyware. An embedded Google Play icon on the malicious site supposedly lets users download the translator app to their Android devices; clicking it instead delivers an APK file named ‘sarayemaghale[.]apk’.

Once the FurBall spyware has accessed the victim’s Android device, it will be able to steal critical data, including clipboard contents, text messages, contacts list, location details, call logs, installed applications, and the device’s information. FurBall could also perform malicious activities, including recording phone calls and reading notifications.

However, the researchers note that there may be FurBall variants with limited capabilities, since the sample they analysed requests only contacts and storage media access. Nonetheless, they warn that even these few permissions can still harm affected victims, because the spyware can collect private data without raising suspicion.

The FurBall spyware can also receive commands from its operators through an HTTP request it issues to the C2 server every 10 seconds. Meanwhile, the added obfuscation layer covers class names, strings, server URI paths, and log messages, which helps the spyware evade detection and disruption by anti-virus applications.
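The fixed 10-second C2 check-in described above is exactly the kind of behaviour a network defender can hunt for. The following is an added example, not code from the original report or from the researchers: it scans constructed proxy-log lines (timestamp, source IP, destination host; all values are made up) and flags host/destination pairs whose request gaps cluster tightly around the expected polling interval.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "epoch_seconds src_ip dst_host" per line.
# 10.0.0.5 polls c2.example roughly every 10 s (a FurBall-style check-in);
# 10.0.0.7 browses news.example at irregular, human-like intervals.
SAMPLE_LOG = """\
1666828800.0 10.0.0.5 c2.example
1666828810.1 10.0.0.5 c2.example
1666828819.9 10.0.0.5 c2.example
1666828830.2 10.0.0.5 c2.example
1666828840.0 10.0.0.5 c2.example
1666828850.1 10.0.0.5 c2.example
1666828860.0 10.0.0.5 c2.example
1666828800.0 10.0.0.7 news.example
1666828803.0 10.0.0.7 news.example
1666828825.0 10.0.0.7 news.example
1666828826.0 10.0.0.7 news.example
1666828860.0 10.0.0.7 news.example
1666828861.0 10.0.0.7 news.example
1666828900.0 10.0.0.7 news.example
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples from the simple log format above."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            yield float(ts), src, dst


def beacon_candidates(requests, expected_interval=10.0, tolerance=0.15, min_hits=6):
    """Return (src, dst, mean_gap) for pairs that beacon at ~expected_interval.

    A pair qualifies when it has at least min_hits requests, the mean gap is
    within tolerance of expected_interval, and the relative jitter
    (population stddev / mean gap) is also within tolerance.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in requests:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if abs(avg - expected_interval) <= tolerance * expected_interval and jitter <= tolerance:
            hits.append((src, dst, round(avg, 2)))
    return hits


if __name__ == "__main__":
    for src, dst, gap in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every ~{gap}s")
```

On real proxy or NetFlow data the same grouping can be run per destination across many hosts, which surfaces the shared C2 endpoint even when individual devices are noisy.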

The obfuscation feature in the upgraded FurBall spyware implies that the APT group has enhanced its TTPs to run more effective campaigns. It has also reduced the number of AV products that detect the spyware, which demonstrates the obfuscation's effectiveness.
