Skip to content

G0052 CopyKittens

CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.213

Item Value
ID G0052
Associated Names
Version 1.6
Created 16 January 2018
Last Modified 08 August 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility CopyKittens uses ZPP, a .NET console program, to compress files with ZIP.1
enterprise T1560.003 Archive via Custom Method CopyKittens encrypts data with a substitute cipher prior to exfiltration.3
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell CopyKittens has used PowerShell Empire.1
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window CopyKittens has used -w hidden and -windowstyle hidden to conceal PowerShell windows. 1
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool CopyKittens has used Metasploit, Empire, and AirVPN for post-exploitation activities.45
enterprise T1090 Proxy CopyKittens has used the AirVPN service for operational activity.5
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing CopyKittens digitally signed an executable with a stolen certificate from legitimate company AI Squared.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode.1

Software

ID Name References Techniques
S0154 Cobalt Strike 1 Sudo and Sudo Caching:Abuse Elevation Control Mechanism Bypass User Account Control:Abuse Elevation Control Mechanism Token Impersonation/Theft:Access Token Manipulation Make and Impersonate Token:Access Token Manipulation Parent PID Spoofing:Access Token Manipulation Domain Account:Account Discovery Web Protocols:Application Layer Protocol DNS:Application Layer Protocol Application Layer Protocol BITS Jobs Browser Session Hijacking Visual Basic:Command and Scripting Interpreter Python:Command and Scripting Interpreter JavaScript:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery Process Discovery Process Hollowing:Process Injection Process Injection Dynamic-link Library Injection:Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Windows Remote Management:Remote Services SMB/Windows Admin Shares:Remote Services SSH:Remote Services Remote Desktop Protocol:Remote Services Distributed Component Object Model:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S0363 Empire 1 Bypass User Account Control:Abuse Elevation Control Mechanism Access Token Manipulation SID-History Injection:Access Token Manipulation Create Process with Token:Access Token Manipulation Domain Account:Account Discovery Local Account:Account Discovery LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Web Protocols:Application Layer Protocol Archive Collected Data Automated Collection Automated Exfiltration Shortcut Modification:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Security Support Provider:Boot or Logon Autostart Execution Browser Information Discovery Clipboard Data PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Command and Scripting Interpreter Domain Account:Create Account Local Account:Create Account Windows Service:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Group Policy Modification:Domain Policy Modification Domain Trust Discovery Local Email Collection:Email Collection Asymmetric Cryptography:Encrypted Channel Accessibility Features:Event Triggered Execution Exfiltration Over C2 Channel Exfiltration to Code Repository:Exfiltration Over Web Service Exfiltration to Cloud Storage:Exfiltration Over Web Service Exploitation for Privilege Escalation Exploitation of Remote Services File and Directory Discovery Group Policy Discovery Path Interception by Search Order Hijacking:Hijack Execution Flow Dylib Hijacking:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow DLL Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Credential API Hooking:Input Capture Native API Network Service Discovery Network Share Discovery Network Sniffing Command Obfuscation:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Process Injection Distributed Component Object Model:Remote Services SSH:Remote Services Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery Kerberoasting:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery Service Execution:System Services MSBuild:Trusted Developer Utilities Proxy Execution Credentials In Files:Unsecured Credentials Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Video Capture Bidirectional Communication:Web Service Windows Management Instrumentation
S0167 Matryoshka 1 DNS:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Command and Scripting Interpreter Credentials from Password Stores Keylogging:Input Capture Obfuscated Files or Information Dynamic-link Library Injection:Process Injection Scheduled Task:Scheduled Task/Job Screen Capture Rundll32:System Binary Proxy Execution
S0164 TDTESS 1 Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Timestomp:Indicator Removal File Deletion:Indicator Removal Ingress Tool Transfer

References

  1. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. 

  2. ClearSky Cyber Security. (2017, March 30). Jerusalem Post and other Israeli websites compromised by Iranian threat agent CopyKitten. Retrieved August 21, 2017. 

  3. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017. 

  4. ClearSky and Trend Micro. (2017, July). Operation Wilted Tulip - Exposing a cyber espionage apparatus. Retrieved May 17, 2021. 

  5. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.