: Corrupt Kitten Logo
Corrupt Kitten Logo

CORRUPT KITTEN Exposed

: Corrupt Kitten Logo
Corrupt Kitten Logo

Iran Cyber News Agency was previously able to reveal the discovery of new malware targeting Iranian citizens. In the interests of protecting innocent citizens from further attacks we can reveal more of the technical specifications of the malware and how it is used. The information was contributed by our source who for his security does not want his name to be published. ICNA Admin.

This malware is a beaconing, taskable implant. It uses Hyper Text Transfer Protocol (HTTP) based communication. The C2 server hosts what appears to be a fake website called "Pine State Flowers". The domian name does not relate to the content of the site and the version we are looking at is version number 5. We also know from the database on the server hosting the domain that version 1 to 4 were aso used.

The analysis was a DEX (Dalvik Executable, a component file of an android application) file attached to an unknown Android APK (an android application). The MD5 hash of the DEX file is 0ab74c36977632a8dc517fb0c8c95189. 

The implant which manages a SQLite database which it uses to hold all of the implant state including queued commands and information about the results of those commands. This database acts as a nexus for inter-communication between the different asynchronous modules of the implant.

Commands are requested by a beacon module then placed into the commands table. A dispatcher removes rows from the command table and examining the 'name' field, creates a new instance of the relevant task by name. Tasks are runnable java objects and exist in their own thread, upon completion, the task object writes its results to disk with an accompanying entry into the data table. Finally an exfiltration module reads the data table and uploads results to infrastructure. 

Files ready for exfiltration are stored in either of the two directories device:

  • /storage/emulated/0/.data_gsc98647a3/
  • /storage/emulated/0/Andorid/.data_gsc98647a3/

The directory name is hardcoded and is not a runtime-generated or random string. In many cases the data is stored using an AES-128-CBC hardcoded key and IV. 

Corrupt Kitten supports a full rnage of spying and device management capability. Commands and their resutls are stroed in the above SQLite tables at various stages of their dispatch. The specific task is indicated by the name field in all of the tables, with a value taken from the table below. The 'exfiltration indicator' column is the first 16 characters of the SHA-1 hash of the command name. This value is included in the data exfiltration HTTP requests to indicate the command for which the data corresponds. 

Name Exfiltration Number Task Description
apps_list 8f3be153969c9aa6  List installed apps.
browser_history 56f4befcfa372f61 Upload browser history 
call_number 8b9df28139b454a9  
calls_log_incoming d4d5231bef6126e8 List recieved calls 
calls_log_missed 46f2dbefa9720460 List missed calls 
calls_log_outgoing a4efe3347d23277c List calls made 
calls_recorder e7726cbe08d9659f Record voice calls 
camera_list 608b155f62c6c1b4 Enumerate image capture devices 
contacts 9db49a59249eefb6 List stored contacts 
device_info 34d58e358ce6f6c8 Basic device and software info 
directory_list df0f6e126aaa7f10  
error_list 41ad8be6d52578e0  Upload any errors logged by any other commands
file_delete 922e797471f4ba60  Delete a file
file_download 2a8cc636df3df9b8 Download a file to victim 
file_list 0d4a23c7f51b588e  List files in covert storage 
file_upload cfd82bcb40eef62d  Upload a file from victim 
live_stream 66d94e991e567a62   Live screen recording
location_gps 0833b18e25e64e42  device location, GPS based 
location_gsm 3187d46fc0eca417  Device location, cell tower based 
network_activity cb427b6ab37d2df6   
network_speed 5f199ca6dc7c3d64   
network_state 357443daf3d17473  Connectivity state (GSM/WiFi) 
off_bluetooth e73d159feaa06fa1  Toggel Bluetooth off 
off_data de4e691bfe0e4915  Toggle data off 
off_wifi cdf0e953385891d7   Toggle Wifi off
on_bluetooth 1d92dfb895429a27   Toggle bluetooth device on
on_data b2a51f869599157b  Toggle mobile data on 
on_wfii  0717a22ec8f04949 Toggle Wifi device on 
picture_take 5a0f66c8648bd121  Take a picture using a capture device 
screen_state 7c3412627241e1c3  Return whether screen is on or off 
sim_card 6cd9c5d08fc6f34d  Get detailed sim card information 
sms_drafts fc64df0c3c72954a  List SMS drafts 
sms_inbox 9f3d6768e601e1ac  List SMS inbox
sms_outbox 073fb2c5ce013bcc  List SMS outbox 
sms_send  3d0226299ebe4e8d Send an SMS message 
sound_recorder c2cc53c99fb858a9  Record sound 
storage_activity b502a71ef356e559   
video_recorder be2b031af63496f2  Record video now 

 Communications are sent to a hardcoded infrastructure URL http://hardship-management.com:4373. The communications are protected by a process of comrpession via gzip, then AES-128-cbc encryption and then base64 encoded. A hardcoded AES key of f3544c085656c997 and IV of 4fcff6864c594343 are used. These values are ASCII encoded. 

Communications are in the form of HTTP POST requests with varying parameters and values. 

Parameter Data Usage
Fu integer File unique id
P string,base64 encoded File path
Im integer Last modified time
D bytes, base64. In some cases encrypted and zipped Primary data field, format depends on task. audio data is encoded as amr_nb packets
T string, plaintext, eg 'MOBILE' Network type
St string, plaintext, eg 'HSPA' Network subtype
sk string, plaintext SHA-1 of AES key
di json string, base64, AES, gzip Device info
dt integer Unix timestamp
cfu unknown Unknown
gfu unknown Unknown
S string, plaintext SHA-1 of AES key
gd unknown Unknown
V integer Malware version
uid string Unique victim id format is....
gd unknown Unknown
message Json Contains java stack trace in error reporting

Commands are requested by the C2 server, and sent back in cleartext json under base64 encoding:

  • {"commands":[], "commands_data":[],"settings":[]}

Indicators of compromise

The following indicators of compromise can be used to detect Corrupt Kitten activity:

File Signature (As Name)  
Network Signature (Upstream, Combined HTTP request properties)

POST request

Content-Length: 6691 (artificat of data chunk size, encoding and other parameters). All of the following POST parameter names: s, fu, p, Im, d

Network Signature (Downstream, empty response to request for new tasking) eyJjb21tYW5kcyl6W10slmNvbW1hbmRzX2RhdGEiOltdLCJzZXR0aW5ncyl6W10slnZlcnNpb24iOjV9
Network Signature ('sk' parameter for known AES key) dd8b9bf8f4d2243a20bc8a0e3446d69a1fd3786c
URL http://hardship-management.com:4373 0ab74c36977632a8dc517fb0c8c95189

 

 


Article rating:

vote(s).

0 Comments

Write a Comment

:
Hosein)root Discovers XSS Vulnerability on Google Earth

On 25 November Hosein)root who asked ICNA publish his true name as Amir Hossein Sharbati on CX...


0 Comments | Read more +
:
35/000 Characters Tweet Shocks German Hackers!

Thinking that a person could send a tweet with more than 280 characters is more or less like a...


0 Comments | Read more +
:
4TT4CK3R Identifies Flaw in University of Tehran Website

Vulnerability researcher 4TT4CK3R discovered on 23 August a cross-ste scripting vulnerability ...


0 Comments | Read more +
: 4tt4ck3r Find Vuln In United Kingdom Government
4tt4ck3r Finds Flaw in UK Government Websites

Iranian hacker 4tt4ck3r has previously found Reflected XSS -Cross Site Script...


0 Comments | Read more +
: TYRANT Ransomware
Iranian TYRANT Ransomware

A new type of ransomware have been discovered on October 16 2017 which appear...


0 Comments | Read more +
: IoT Security Research Expertise
Iranian Expertise in IoT Security Research

Iranian academic security researchers at the ITRC (Information Technology Research Cen...


0 Comments | Read more +
: Mohammad Rezania -LinX64-
Android Security and Forensic Science by LinX64

A good article by Iranian academic is important step forward for people to understand security...


0 Comments | Read more +
: http://offsec.ir/writeups
OFFSEC Team Ice CTF Results

Offsec Research CTF Team: "Thinking out of t...


0 Comments | Read more +
:
Defacement of Hafez Institute of Higher Education by UnSec Team

ICNA was contacted yesterday, 19 October, by UnSec Team member Mostafa Asadi concerning the ha...


0 Comments | Read more +
:
Manoto Defaced by Cluwix

We can see in the picture that website of Manoto TV show "Stage" was hacked by Black Hat Hacke...


0 Comments | Read more +
: Eagle Security Team
Eagle Security Team Deface Shahrood University of Technology

MR 7KH4T of Iranian hacking group Eagle Security Team is mak...


0 Comments | Read more +
: MR.IMAN
Iranian Black Hat Hackers Mass Deface Iran Sites

Hackers of the team Iranian Black Hat Hackers has make deface of many Iranian...


0 Comments | Read more +
: Iranian Cyber News Agency
New Website

Welcome to Iranian Cyber News Agency website.

New sections now include Vulnerability N...


0 Comments | Read more +
خبرگزاری سایبر ایران

در ب...


0 Comments | Read more +
:
SMS Virus Developed by Iranian Hacker Claims 100/000 Victims in Iran

In recent weeks a story that has attracted attention of many people has been the development a...


0 Comments | Read more +
: Atash Security Group
Atash Security Group Attack Irancell

The hacker and administrator Omid Killer of the Iranian hacker group ...


0 Comments | Read more +
: Eagle Security Team
Eagle Security Team Hack Saudi Sites

Latest Iranian cyber news from the Eagle Security Team shows that hackers hav...


0 Comments | Read more +
: Lord Hacking Team
Lord Hacking Team Attack Google Telegram & Acunetix

Iranian hackers of Lord Hacking Team is claim attack against:

  • ...

0 Comments | Read more +
: Corrupt Kitten Logo
CORRUPT KITTEN Exposed

Iran Cyber News Agency was previously able to reveal the discovery of new malware targetin...


0 Comments | Read more +
:
Malware Made for Iranians: New Malware 'Corrupt Kitten' Used to Spy on Iranians

In this time when so many enemies are waging soft war against innocent Iranians using many exc...


0 Comments | Read more +
: Mohammad Mehdi Shah Mansouri
Iranian Hackers Accused of Attacking US

The US has continued its campaign against Iran hacker and cyber activists by indicting two mor...


0 Comments | Read more +
: Fake ANF News App
Open Source Research Company Claims Iranian Government Targets Iranian Citizens with Malwareware

Open source research company Check Point Research claims that what it called Iranian governmen...


0 Comments | Read more +
:
IEDB Holds Gatherings Nationwide

In recent weeks and months users and friends of the hardworking IEDB team which has very activ...


0 Comments | Read more +
: Eagle Security Team
Eagle Team

The Iranian Eagle Security Team security researchers is make exposed many SQL...


0 Comments | Read more +
: Kheshtak Security Team
Kheshtak Security Team - Story Continues

More than ever in the 21st century, knowledge is power and information is the force that contr...


0 Comments | Read more +
:
Termint Security Team Have New Website

Although they have history going back a few momnths the Termint Security Team...


0 Comments | Read more +