G0137 Ferocious Kitten
Ferocious Kitten is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.[1]
Item | Value |
---|---|
ID | G0137 |
Associated Names | |
Version | 1.0 |
Created | 28 September 2021 |
Last Modified | 25 October 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1583 | Acquire Infrastructure | - |
enterprise | T1583.001 | Domains | Ferocious Kitten has acquired domains imitating legitimate sites.[1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.002 | Right-to-Left Override | Ferocious Kitten has used right-to-left override to reverse executables’ names so that they appear to have different file extensions from their real ones.[1] |
enterprise | T1036.005 | Match Legitimate Name or Location | Ferocious Kitten has named malicious files update.exe and loaded them into the compromised host’s “Public” folder.[1] |
enterprise | T1588 | Obtain Capabilities | - |
enterprise | T1588.002 | Tool | Ferocious Kitten has obtained open source tools for its operations, including JsonCPP and Psiphon.[1] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | Ferocious Kitten has conducted spearphishing campaigns containing malicious documents to lure victims to open the attachments.[1] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | Ferocious Kitten has attempted to convince victims to enable malicious content within a spearphishing email by including an odd decoy message.[1] |