
G0117 Fox Kitten

Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.[3][5][4][2]

| Item | Value |
|---|---|
| ID | G0117 |
| Associated Names | UNC757, Parisite, Pioneer Kitten |
| Version | 1.1 |
| Created | 21 December 2020 |
| Last Modified | 22 March 2023 |

Associated Group Descriptions

| Name | Description |
|---|---|
| UNC757 | [1][5] |
| Parisite | [4][3][5] |
| Pioneer Kitten | [5][1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | Fox Kitten has accessed ntuser.dat and UserClass.dat on compromised hosts.[1] |
| enterprise | T1087.002 | Domain Account | Fox Kitten has used the Softerra LDAP browser to browse documentation on service accounts.[1] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | Fox Kitten has used 7-Zip to archive data.[1] |
| enterprise | T1217 | Browser Information Discovery | Fox Kitten has used Google Chrome bookmarks to identify internal resources and assets.[1] |
| enterprise | T1110 | Brute Force | Fox Kitten has brute forced RDP credentials.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | Fox Kitten has used a Perl reverse shell to communicate with C2.[2] |
| enterprise | T1059.001 | PowerShell | Fox Kitten has used PowerShell scripts to access credential data.[1] |
| enterprise | T1059.003 | Windows Command Shell | Fox Kitten has used cmd.exe, likely as a password-changing mechanism.[1] |
| enterprise | T1136 | Create Account | - |
| enterprise | T1136.001 | Local Account | Fox Kitten has created a local user account with administrator privileges.[2] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.005 | Password Managers | Fox Kitten has used scripts to access credential information from the KeePass database.[1] |
| enterprise | T1530 | Data from Cloud Storage | Fox Kitten has obtained files from the victim's cloud storage instances.[1] |
| enterprise | T1213 | Data from Information Repositories | Fox Kitten has accessed victim security and IT environments and Microsoft Teams to mine valuable information.[1] |
| enterprise | T1005 | Data from Local System | Fox Kitten has searched local system resources to access sensitive documents.[1] |
| enterprise | T1039 | Data from Network Shared Drive | Fox Kitten has searched network shares to access sensitive documents.[1] |
| enterprise | T1585 | Establish Accounts | Fox Kitten has created KeyBase accounts to communicate with ransomware victims.[2][6] |
| enterprise | T1585.001 | Social Media Accounts | Fox Kitten has used a Twitter account to communicate with ransomware victims.[2] |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.008 | Accessibility Features | Fox Kitten has used sticky keys to launch a command prompt.[1] |
| enterprise | T1190 | Exploit Public-Facing Application | Fox Kitten has exploited known vulnerabilities in Fortinet, PulseSecure, and Palo Alto VPN appliances.[3][4][5][1][2] |
| enterprise | T1210 | Exploitation of Remote Services | Fox Kitten has exploited known vulnerabilities in remote services including RDP.[3][5][2] |
| enterprise | T1083 | File and Directory Discovery | Fox Kitten has used WizTree to obtain network files and directory listings.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Fox Kitten has downloaded additional tools including PsExec directly to endpoints.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | Fox Kitten has named the task for a reverse proxy lpupdate to appear legitimate.[1] |
| enterprise | T1036.005 | Match Legitimate Name or Location | Fox Kitten has named binaries and configuration files svhost and dllhost respectively to appear legitimate.[1] |
| enterprise | T1046 | Network Service Discovery | Fox Kitten has used tools including Nmap to conduct broad scanning to identify open ports.[1][2] |
| enterprise | T1027 | Obfuscated Files or Information | Fox Kitten has base64 encoded payloads to avoid detection.[1] |
| enterprise | T1027.010 | Command Obfuscation | Fox Kitten has base64 encoded scripts to avoid detection.[1] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | Fox Kitten has used procdump to dump credentials from LSASS.[1] |
| enterprise | T1003.003 | NTDS | Fox Kitten has used Volume Shadow Copy to access credential information from NTDS.[1] |
| enterprise | T1572 | Protocol Tunneling | Fox Kitten has used protocol tunneling for communication and RDP activity on compromised hosts through the use of open source tools such as Ngrok and the custom tool SSHMinion.[5][1][2] |
| enterprise | T1090 | Proxy | Fox Kitten has used open source reverse proxy tools including FRPC and Go Proxy to establish connections from C2 to local servers.[1][2][6] |
| enterprise | T1012 | Query Registry | Fox Kitten has accessed Registry hives ntuser.dat and UserClass.dat.[1] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | Fox Kitten has used RDP to log in and move laterally in the target environment.[1][2] |
| enterprise | T1021.002 | SMB/Windows Admin Shares | Fox Kitten has used valid accounts to access SMB shares.[1] |
| enterprise | T1021.004 | SSH | Fox Kitten has used the PuTTY and Plink tools for lateral movement.[1] |
| enterprise | T1021.005 | VNC | Fox Kitten has installed TightVNC server and client on compromised servers and endpoints for lateral movement.[1] |
| enterprise | T1018 | Remote System Discovery | Fox Kitten has used Angry IP Scanner to detect remote systems.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Fox Kitten has used Scheduled Tasks for persistence and to load and execute a reverse proxy binary.[1][2] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | Fox Kitten has installed web shells on compromised hosts to maintain access.[1][2] |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.001 | Credentials In Files | Fox Kitten has accessed files to gain valid credentials.[1] |
| enterprise | T1078 | Valid Accounts | Fox Kitten has used valid credentials with various services during lateral movement.[1] |
| enterprise | T1102 | Web Service | Fox Kitten has used Amazon Web Services to host C2.[2] |

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0020 | China Chopper | [1] | Web Protocols: Application Layer Protocol; Password Guessing: Brute Force; Windows Command Shell: Command and Scripting Interpreter; Data from Local System; File and Directory Discovery; Timestomp: Indicator Removal; Ingress Tool Transfer; Network Service Discovery; Software Packing: Obfuscated Files or Information; Web Shell: Server Software Component |
| S0508 | Ngrok | [5] | Domain Generation Algorithms: Dynamic Resolution; Exfiltration Over Web Service; Protocol Tunneling; Proxy; Web Service |
| S0556 | Pay2Key | [3][6] | Data Encrypted for Impact; Asymmetric Cryptography: Encrypted Channel; File Deletion: Indicator Removal; Non-Application Layer Protocol; Internal Proxy: Proxy; Service Stop; System Information Discovery; System Network Configuration Discovery |
| S0029 | PsExec | [1][6] | Domain Account: Create Account; Windows Service: Create or Modify System Process; Lateral Tool Transfer; SMB/Windows Admin Shares: Remote Services; Service Execution: System Services |
