CORRUPT KITTEN Exposed
Iran Cyber News Agency was previously able to reveal the discovery of new malware targeting Iranian citizens. In the interests of protecting innocent citizens from further attacks we can reveal more of the technical specifications of the malware and how it is used. The information was contributed by our source who for his security does not want his name to be published. ICNA Admin.
This malware is a beaconing, taskable implant. It communicates over Hypertext Transfer Protocol (HTTP). The C2 server hosts what appears to be a fake website called “Pine State Flowers”. The domain name does not relate to the content of the site, and the version analysed here is version 5. We also know from the database on the server hosting the domain that versions 1 to 4 were also used.
The sample analysed was a DEX (Dalvik Executable, the compiled code component of an Android application) file extracted from an unknown Android APK (an Android application package). The MD5 hash of the DEX file is 0ab74c36977632a8dc517fb0c8c95189.
The implant manages a SQLite database that holds all of the implant state, including queued commands and the results of those commands. The database acts as the hub for communication between the implant's asynchronous modules.
Commands are requested by a beacon module and placed into the commands table. A dispatcher removes rows from the commands table, examines the ‘name’ field and creates a new instance of the relevant task by name. Tasks are runnable Java objects, each executing in its own thread; on completion, the task object writes its results to disk with an accompanying entry in the data table. Finally, an exfiltration module reads the data table and uploads the results to the attacker's infrastructure.
Files ready for exfiltration are stored in one of two directories on the device:
- /storage/emulated/0/.data_gsc98647a3/
- /storage/emulated/0/Andorid/.data_gsc98647a3/
The directory name is hardcoded, not a runtime-generated or random string. In many cases the stored data is encrypted with AES-128-CBC using a hardcoded key and IV.
Corrupt Kitten supports a full range of spying and device management capabilities. Commands and their results are stored in the SQLite tables described above at the various stages of dispatch. The specific task is indicated by the name field in all of the tables, with a value taken from the table below. The ‘exfiltration indicator’ column is the first 16 hex characters of the SHA-1 hash of the command name. This value is included in the data exfiltration HTTP requests to indicate which command the uploaded data belongs to.
| Name | Exfiltration indicator | Task description |
|---|---|---|
| apps_list | 8f3be153969c9aa6 | List installed apps |
| browser_history | 56f4befcfa372f61 | Upload browser history |
| call_number | 8b9df28139b454a9 | |
| calls_log_incoming | d4d5231bef6126e8 | List received calls |
| calls_log_missed | 46f2dbefa9720460 | List missed calls |
| calls_log_outgoing | a4efe3347d23277c | List calls made |
| calls_recorder | e7726cbe08d9659f | Record voice calls |
| camera_list | 608b155f62c6c1b4 | Enumerate image capture devices |
| contacts | 9db49a59249eefb6 | List stored contacts |
| device_info | 34d58e358ce6f6c8 | Basic device and software info |
| directory_list | df0f6e126aaa7f10 | |
| error_list | 41ad8be6d52578e0 | Upload any errors logged by any other commands |
| file_delete | 922e797471f4ba60 | Delete a file |
| file_download | 2a8cc636df3df9b8 | Download a file to the victim device |
| file_list | 0d4a23c7f51b588e | List files in covert storage |
| file_upload | cfd82bcb40eef62d | Upload a file from the victim device |
| live_stream | 66d94e991e567a62 | Live screen recording |
| location_gps | 0833b18e25e64e42 | Device location, GPS based |
| location_gsm | 3187d46fc0eca417 | Device location, cell tower based |
| network_activity | cb427b6ab37d2df6 | |
| network_speed | 5f199ca6dc7c3d64 | |
| network_state | 357443daf3d17473 | Connectivity state (GSM/WiFi) |
| off_bluetooth | e73d159feaa06fa1 | Toggle Bluetooth off |
| off_data | de4e691bfe0e4915 | Toggle mobile data off |
| off_wifi | cdf0e953385891d7 | Toggle WiFi off |
| on_bluetooth | 1d92dfb895429a27 | Toggle Bluetooth on |
| on_data | b2a51f869599157b | Toggle mobile data on |
| on_wfii | 0717a22ec8f04949 | Toggle WiFi on |
| picture_take | 5a0f66c8648bd121 | Take a picture using a capture device |
| screen_state | 7c3412627241e1c3 | Return whether the screen is on or off |
| sim_card | 6cd9c5d08fc6f34d | Get detailed SIM card information |
| sms_drafts | fc64df0c3c72954a | List SMS drafts |
| sms_inbox | 9f3d6768e601e1ac | List SMS inbox |
| sms_outbox | 073fb2c5ce013bcc | List SMS outbox |
| sms_send | 3d0226299ebe4e8d | Send an SMS message |
| sound_recorder | c2cc53c99fb858a9 | Record sound |
| storage_activity | b502a71ef356e559 | |
| video_recorder | be2b031af63496f2 | Record video now |
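The indicator derivation described above (first 16 hex characters of SHA-1 over the command name), as an added example that is not code from the original article: it recomputes the indicator for every command name in the table, builds the reverse lookup an analyst needs when an indicator turns up in an exfiltration request, and lists any rows whose printed value does not match the recomputed one, so transcription errors in the table (the names are transcribed exactly as printed) are caught before the column is used for detection.

```python
import hashlib

# Command names and indicator values transcribed from the article's task table.
PRINTED_INDICATORS = {
    "apps_list": "8f3be153969c9aa6",
    "browser_history": "56f4befcfa372f61",
    "call_number": "8b9df28139b454a9",
    "calls_log_incoming": "d4d5231bef6126e8",
    "calls_log_missed": "46f2dbefa9720460",
    "calls_log_outgoing": "a4efe3347d23277c",
    "calls_recorder": "e7726cbe08d9659f",
    "camera_list": "608b155f62c6c1b4",
    "contacts": "9db49a59249eefb6",
    "device_info": "34d58e358ce6f6c8",
    "directory_list": "df0f6e126aaa7f10",
    "error_list": "41ad8be6d52578e0",
    "file_delete": "922e797471f4ba60",
    "file_download": "2a8cc636df3df9b8",
    "file_list": "0d4a23c7f51b588e",
    "file_upload": "cfd82bcb40eef62d",
    "live_stream": "66d94e991e567a62",
    "location_gps": "0833b18e25e64e42",
    "location_gsm": "3187d46fc0eca417",
    "network_activity": "cb427b6ab37d2df6",
    "network_speed": "5f199ca6dc7c3d64",
    "network_state": "357443daf3d17473",
    "off_bluetooth": "e73d159feaa06fa1",
    "off_data": "de4e691bfe0e4915",
    "off_wifi": "cdf0e953385891d7",
    "on_bluetooth": "1d92dfb895429a27",
    "on_data": "b2a51f869599157b",
    "on_wfii": "0717a22ec8f04949",
    "picture_take": "5a0f66c8648bd121",
    "screen_state": "7c3412627241e1c3",
    "sim_card": "6cd9c5d08fc6f34d",
    "sms_drafts": "fc64df0c3c72954a",
    "sms_inbox": "9f3d6768e601e1ac",
    "sms_outbox": "073fb2c5ce013bcc",
    "sms_send": "3d0226299ebe4e8d",
    "sound_recorder": "c2cc53c99fb858a9",
    "storage_activity": "b502a71ef356e559",
    "video_recorder": "be2b031af63496f2",
}


def exfil_indicator(command_name: str) -> str:
    """The article's scheme: first 16 hex characters of SHA-1 over the command name."""
    return hashlib.sha1(command_name.encode("ascii")).hexdigest()[:16]


# Reverse map from recomputed indicator to command name, for decoding exfil requests.
INDICATOR_TO_COMMAND = {exfil_indicator(name): name for name in PRINTED_INDICATORS}


def command_for_indicator(indicator: str):
    """Resolve an indicator seen in an exfiltration request back to its command, or None."""
    return INDICATOR_TO_COMMAND.get(indicator.lower())


def table_mismatches():
    """Return (name, printed, recomputed) for table rows whose printed value differs."""
    return [
        (name, printed, exfil_indicator(name))
        for name, printed in PRINTED_INDICATORS.items()
        if exfil_indicator(name) != printed
    ]


if __name__ == "__main__":
    for name in PRINTED_INDICATORS:
        print(f"{name:20s} {exfil_indicator(name)}")
    for name, printed, computed in table_mismatches():
        print(f"mismatch for {name}: printed {printed}, recomputed {computed}")
```

Any row reported by `table_mismatches()` means either the name or the indicator was mistranscribed; the recomputed value is the one to use in detection content.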
Communications are sent to a hardcoded infrastructure URL, http://hardship-management.com:4373. The communications are protected by gzip compression, then AES-128-CBC encryption, and finally base64 encoding. A hardcoded AES key of f3544c085656c997 and IV of 4fcff6864c594343 are used; both are taken as their ASCII byte encoding (16 bytes each).
Communications take the form of HTTP POST requests with varying parameters and values.
| Parameter | Data | Usage |
|---|---|---|
| Fu | integer | File unique id |
| P | string, base64 encoded | File path |
| Im | integer | Last modified time |
| D | bytes, base64; in some cases encrypted and gzipped | Primary data field, format depends on task. Audio data is encoded as AMR-NB packets |
| T | string, plaintext, e.g. ‘MOBILE’ | Network type |
| St | string, plaintext, e.g. ‘HSPA’ | Network subtype |
| sk | string, plaintext | SHA-1 of AES key |
| di | JSON string, base64, AES, gzip | Device info |
| dt | integer | Unix timestamp |
| cfu | unknown | Unknown |
| gfu | unknown | Unknown |
| S | string, plaintext | SHA-1 of AES key |
| gd | unknown | Unknown |
| V | integer | Malware version |
| uid | string | Unique victim id, format is…. |
| message | JSON | Contains Java stack trace in error reporting |
Commands are requested from the C2 server and sent back as cleartext JSON under base64 encoding:
- {"commands":[], "commands_data":[], "settings":[]}
Indicators of compromise
The following indicators of compromise can be used to detect Corrupt Kitten activity:
| Indicator | Value |
|---|---|
| File signature (MD5 of the DEX file) | 0ab74c36977632a8dc517fb0c8c95189 |
| Network signature (upstream, combined HTTP request properties) | POST request; Content-Length: 6691 (artifact of data chunk size, encoding and other parameters); all of the following POST parameter names present: s, fu, p, Im, d |
| Network signature (downstream, empty response to a request for new tasking) | eyJjb21tYW5kcyI6W10sImNvbW1hbmRzX2RhdGEiOltdLCJzZXR0aW5ncyI6W10sInZlcnNpb24iOjV9 (decodes to {"commands":[],"commands_data":[],"settings":[],"version":5}) |
| Network signature (‘sk’ parameter for the known AES key) | dd8b9bf8f4d2243a20bc8a0e3446d69a1fd3786c |
| URL | http://hardship-management.com:4373 |
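The upstream request format, the downstream tasking response and the indicators above, worked into detection logic as an added example (not code from the original article): it applies the combined upstream signature (POST, the s/fu/p/Im/d parameter set, the `sk`/`s` value for the known AES key, the C2 host) to raw HTTP requests, treats the Content-Length value only as supporting evidence since the article calls it an artifact of chunk size and encoding, and decodes the base64 tasking response to check whether the C2 answered with an empty task list. The sample requests are constructed for the example and are not real captures; decrypting the `d` payload (gzip under AES-128-CBC with the key and IV given above) is not shown here.

```python
import base64
import hashlib
import json
from urllib.parse import parse_qs

# Values taken from the article's indicators section.
C2_HOST = "hardship-management.com:4373"
KNOWN_SK = "dd8b9bf8f4d2243a20bc8a0e3446d69a1fd3786c"   # SHA-1 of the hardcoded AES key
REQUIRED_PARAMS = {"s", "fu", "p", "im", "d"}             # the article lists s, fu, p, Im, d
EMPTY_TASKING_B64 = (
    "eyJjb21tYW5kcyI6W10sImNvbW1hbmRzX2RhdGEiOltdLCJzZXR0aW5ncyI6W10sInZlcnNpb24iOjV9"
)


def sk_for_key(aes_key_ascii: str) -> str:
    """The 'sk' / 's' parameter: SHA-1 over the ASCII bytes of the AES key."""
    return hashlib.sha1(aes_key_ascii.encode("ascii")).hexdigest()


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def match_upstream(raw: str) -> dict:
    """Apply the combined upstream signature to one request.

    Parameter names are compared case-insensitively because the article prints
    them with mixed case (Fu/fu, Im/im, ...). Content-Length 6691 is reported
    only as supporting evidence and never produces a match on its own.
    """
    method, _target, headers, body = parse_http_request(raw)
    params = {k.lower(): v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    strong, supporting = [], []
    if method == "POST" and REQUIRED_PARAMS.issubset(params):
        strong.append("POST carrying all of s, fu, p, im, d")
    if params.get("sk") == KNOWN_SK or params.get("s") == KNOWN_SK:
        strong.append("sk/s equals SHA-1 of the known AES key")
    if headers.get("host") == C2_HOST:
        strong.append("Host header is the hardcoded C2")
    if headers.get("content-length") == "6691":
        supporting.append("Content-Length 6691")
    return {"match": bool(strong), "strong": strong, "supporting": supporting}


def decode_tasking(b64: str) -> dict:
    """Decode a downstream tasking response (base64 over cleartext JSON)."""
    return json.loads(base64.b64decode(b64).decode("utf-8"))


def is_empty_tasking(b64: str) -> bool:
    """True when the C2 answered with no queued commands and no command data."""
    tasking = decode_tasking(b64)
    return not tasking.get("commands") and not tasking.get("commands_data")


# Constructed sample requests for the example (not real captures); values are placeholders.
SAMPLE_HIT = (
    "POST / HTTP/1.1\r\n"
    f"Host: {C2_HOST}\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 6691\r\n"
    "\r\n"
    f"s={KNOWN_SK}&fu=17&p=L3N0b3JhZ2U&im=1500000000&d=QUJD&sk={KNOWN_SK}&v=5&uid=PLACEHOLDER"
)
SAMPLE_MISS = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 15\r\n"
    "\r\n"
    "user=a&passwd=b"
)

if __name__ == "__main__":
    print("sk for hardcoded key:", sk_for_key("f3544c085656c997"), "(article:", KNOWN_SK + ")")
    print("sample hit :", match_upstream(SAMPLE_HIT))
    print("sample miss:", match_upstream(SAMPLE_MISS))
    print("empty tasking decodes to:", decode_tasking(EMPTY_TASKING_B64))
```

Running the script also prints `sk_for_key` over the hardcoded key next to the article's `sk` value, which is the quickest way to confirm that the key and the indicator in the article agree before either is loaded into a detection rule.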