Iran Cyber News Agency was previously able to reveal the discovery of new malware targeting Iranian citizens. In the interests of protecting innocent citizens from further attacks we can reveal more of the technical specifications of the malware and how it is used. The information was contributed by our source who for his security does not want his name to be published. ICNA Admin.

This malware is a beaconing, taskable implant. It uses Hyper Text Transfer Protocol (HTTP) based communication. The C2 server hosts what appears to be a fake website called “Pine State Flowers”. The domian name does not relate to the content of the site and the version we are looking at is version number 5. We also know from the database on the server hosting the domain that version 1 to 4 were aso used.

The analysis was a DEX (Dalvik Executable, a component file of an android application) file attached to an unknown Android APK (an android application). The MD5 hash of the DEX file is 0ab74c36977632a8dc517fb0c8c95189.

The implant which manages a SQLite database which it uses to hold all of the implant state including queued commands and information about the results of those commands. This database acts as a nexus for inter-communication between the different asynchronous modules of the implant.

Commands are requested by a beacon module then placed into the commands table. A dispatcher removes rows from the command table and examining the ‘name’ field, creates a new instance of the relevant task by name. Tasks are runnable java objects and exist in their own thread, upon completion, the task object writes its results to disk with an accompanying entry into the data table. Finally an exfiltration module reads the data table and uploads results to infrastructure.

Files ready for exfiltration are stored in either of the two directories device:

  • /storage/emulated/0/.data_gsc98647a3/
  • /storage/emulated/0/Andorid/.data_gsc98647a3/

The directory name is hardcoded and is not a runtime-generated or random string. In many cases the data is stored using an AES-128-CBC hardcoded key and IV.

Corrupt Kitten supports a full rnage of spying and device management capability. Commands and their resutls are stroed in the above SQLite tables at various stages of their dispatch. The specific task is indicated by the name field in all of the tables, with a value taken from the table below. The ‘exfiltration indicator’ column is the first 16 characters of the SHA-1 hash of the command name. This value is included in the data exfiltration HTTP requests to indicate the command for which the data corresponds.

Name Exfiltration Number Task Description
apps_list 8f3be153969c9aa6  List installed apps.
browser_history 56f4befcfa372f61 Upload browser history
call_number 8b9df28139b454a9
calls_log_incoming d4d5231bef6126e8 List recieved calls
calls_log_missed 46f2dbefa9720460 List missed calls
calls_log_outgoing a4efe3347d23277c List calls made
calls_recorder e7726cbe08d9659f Record voice calls
camera_list 608b155f62c6c1b4 Enumerate image capture devices
contacts 9db49a59249eefb6 List stored contacts
device_info 34d58e358ce6f6c8 Basic device and software info
directory_list df0f6e126aaa7f10
error_list 41ad8be6d52578e0  Upload any errors logged by any other commands
file_delete 922e797471f4ba60  Delete a file
file_download 2a8cc636df3df9b8 Download a file to victim
file_list 0d4a23c7f51b588e List files in covert storage
file_upload cfd82bcb40eef62d Upload a file from victim
live_stream 66d94e991e567a62  Live screen recording
location_gps 0833b18e25e64e42 device location, GPS based
location_gsm 3187d46fc0eca417 Device location, cell tower based
network_activity cb427b6ab37d2df6
network_speed 5f199ca6dc7c3d64
network_state 357443daf3d17473 Connectivity state (GSM/WiFi)
off_bluetooth e73d159feaa06fa1 Toggel Bluetooth off
off_data de4e691bfe0e4915 Toggle data off
off_wifi cdf0e953385891d7  Toggle Wifi off
on_bluetooth 1d92dfb895429a27  Toggle bluetooth device on
on_data b2a51f869599157b Toggle mobile data on
on_wfii  0717a22ec8f04949 Toggle Wifi device on
picture_take 5a0f66c8648bd121 Take a picture using a capture device
screen_state 7c3412627241e1c3 Return whether screen is on or off
sim_card 6cd9c5d08fc6f34d Get detailed sim card information
sms_drafts fc64df0c3c72954a List SMS drafts
sms_inbox 9f3d6768e601e1ac List SMS inbox
sms_outbox 073fb2c5ce013bcc List SMS outbox
sms_send  3d0226299ebe4e8d Send an SMS message
sound_recorder c2cc53c99fb858a9 Record sound
storage_activity b502a71ef356e559
video_recorder be2b031af63496f2 Record video now

Communications are sent to a hardcoded infrastructure URL The communications are protected by a process of comrpession via gzip, then AES-128-cbc encryption and then base64 encoded. A hardcoded AES key of f3544c085656c997 and IV of 4fcff6864c594343 are used. These values are ASCII encoded.

Communications are in the form of HTTP POST requests with varying parameters and values.

Parameter Data Usage
Fu integer File unique id
P string,base64 encoded File path
Im integer Last modified time
D bytes, base64. In some cases encrypted and zipped Primary data field, format depends on task. audio data is encoded as amr_nb packets
T string, plaintext, eg ‘MOBILE’ Network type
St string, plaintext, eg ‘HSPA’ Network subtype
sk string, plaintext SHA-1 of AES key
di json string, base64, AES, gzip Device info
dt integer Unix timestamp
cfu unknown Unknown
gfu unknown Unknown
S string, plaintext SHA-1 of AES key
gd unknown Unknown
V integer Malware version
uid string Unique victim id format is….
gd unknown Unknown
message Json Contains java stack trace in error reporting

Commands are requested by the C2 server, and sent back in cleartext json under base64 encoding:

  • {“commands”:[], “commands_data”:[],”settings”:[]}

Indicators of compromise

The following indicators of compromise can be used to detect Corrupt Kitten activity:

File Signature (As Name)
Network Signature (Upstream, Combined HTTP request properties) POST request

Content-Length: 6691 (artificat of data chunk size, encoding and other parameters). All of the following POST parameter names: s, fu, p, Im, d

Network Signature (Downstream, empty response to request for new tasking) eyJjb21tYW5kcyl6W10slmNvbW1hbmRzX2RhdGEiOltdLCJzZXR0aW5ncyl6W10slnZlcnNpb24iOjV9
Network Signature (‘sk’ parameter for known AES key) dd8b9bf8f4d2243a20bc8a0e3446d69a1fd3786c
URL 0ab74c36977632a8dc517fb0c8c95189

Leave a Reply

Your email address will not be published. Required fields are marked *