
Rampant Kitten APT

Posted: September 22, 2020

The Rampant Kitten APT is a threat actor typically associated with spyware-based attacks against opponents of the Islamic Republic of Iran. This group uses heavily-customized spyware for collecting credentials such as Telegram logins, which it supplements with other tools and infrastructure, such as phishing websites. Users should monitor both PCs and other devices for signs of compromise and let anti-malware tools remove any threats associated with the Rampant Kitten APT.

A Tiny Cat with an Over-sized Taste for Private Data

Most Advanced Persistent Threats (APTs) inevitably give signs of their political leanings across their many campaigns. Although direct attribution to government sponsorship is rare, whether or not the tangible evidence makes it plain, many APTs end up furthering the aims of various government (or anti-government) entities. Despite its touching name, the Rampant Kitten APT is one such example: a group of hackers with a particular bent towards stealing information from anti-Iranian organizations.

Evidence of this targeting focus includes the Rampant Kitten APT's attacks against Persian speakers living abroad and corrupted documents whose lure themes reference the Revolutionary Cannons. These attacks are sophisticated enough in technique, using customized Trojans with clever obfuscation and narrow targeting, that the hackers evaded detection for over half a decade. The focal point for plunder is sensitive data, including:

  • Credentials for the Telegram messaging service
  • KeePass account information and passwords
  • SMS messaging content (including any two-factor authentication codes)
  • Audio phone conversations
  • Gmail credentials

Examples of some of the Rampant Kitten APT's tools include TelAndExt and TelB (both of which target Telegram, albeit in separate deployments) and the browser spyware and keylogger, HookInjEx. Malware experts emphasize that these attackers compromise multiple device types and environments, including Android phones and desktop computers.

Putting Down a Trojan Wild Cat

Although their customized Trojans and spyware arsenal evade general threat-detecting heuristics effectively, the Rampant Kitten APT's campaigns share the same weak points as similar attacks. Many infection vectors connected to the group depend on mistakes by the victim, such as following an SMS link to an unsafe phishing site or opening a macro-using document. Disabling macros and updating word processor software can block many drive-by-download exploits embedded in documents. Users also can scrutinize Web addresses for typos and similar indicators of schemes or phishing attacks.
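The URL scrutiny recommended above can be partly automated. The following is an added example, not code from the original article or from any vendor: it takes a short, constructed watchlist of domains a user legitimately relies on (the list, the sample URLs and the distance threshold are assumptions, not indicators from the page) and flags hosts that sit within a couple of character edits of a watchlisted domain, or that embed a known brand name under a different registered domain, which are the two most common shapes of typosquatted phishing links.

```python
from urllib.parse import urlparse

# Constructed watchlist of domains the user legitimately visits (an assumption
# for this example; it is not a list of indicators taken from the article).
WATCHLIST = ["telegram.org", "keepass.info", "mail.google.com"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character insertions, deletions or
    substitutions needed to turn string a into string b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Extract a lower-cased hostname; a bare 'host/path' string is accepted too.
    Internationalised names come back in their punycode (xn--) form."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable(host: str) -> str:
    """Crude 'registered domain': the last two labels. A real deployment would
    consult the public-suffix list so that e.g. example.co.uk is handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_url(url: str, watchlist=WATCHLIST, max_distance: int = 2) -> dict:
    """Classify a URL as 'known', 'lookalike' or 'unknown' relative to the watchlist."""
    host = hostname(url)
    reg = registrable(host)
    known_regs = {registrable(w) for w in watchlist}

    # Exact watchlist entry, or any subdomain of a watchlisted registered domain.
    if host in watchlist or reg in known_regs:
        return {"host": host, "registrable": reg, "verdict": "known", "reasons": []}

    reasons = []
    for known in sorted(known_regs):
        # Typosquat: the registered domain is only a few edits from a known one.
        distance = levenshtein(reg, known)
        if 0 < distance <= max_distance:
            reasons.append(f"{reg} is {distance} edit(s) from {known}")
        # Brand-in-subdomain: 'telegram.org.evil.example' embeds the brand name
        # but registers under a different domain.
        brand = known.split(".")[0]
        if brand in host and reg != known:
            reasons.append(f"host embeds brand '{brand}' but registers as {reg}")

    verdict = "lookalike" if reasons else "unknown"
    return {"host": host, "registrable": reg, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links of the kind that might arrive by SMS.
    for sample in ["https://web.telegram.org/",
                   "http://te1egram.org/login",
                   "http://telegram.org.secure-login.example/x",
                   "https://example.com/"]:
        result = assess_url(sample)
        print(f"{result['verdict']:9s} {result['host']}  {'; '.join(result['reasons'])}")
```

A threshold of two edits is a reasonable default for domains of ordinary length, but it will over-flag very short watchlist entries, so tune `max_distance` per entry or require a minimum length before applying the distance check. The registrable-domain helper deliberately ignores multi-label public suffixes; swap in a public-suffix-list library before relying on it outside a demonstration.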

The multi-device focus of the Rampant Kitten APT makes for potentially far-ranging consequences of infections. Victims of attacks should disable network connectivity as appropriate and change all compromised passwords and other account credentials, such as security questions' answers. The threat actor may use compromised accounts for sending additional attacks as disguised social messaging content to further targets.

Properly-maintained anti-malware services also should block many Trojan-installing exploits and disinfect devices of most threats related to the Rampant Kitten APT. However, they cannot reverse the loss of already-collected credentials or other data, which is a near-inevitability in any successful attack by this group.

With fake Telegram bots, domains imitating dissident movements, and attacks that filter victims through their preferred messaging software, the Rampant Kitten APT has many powerful tools at its disposal. The reality that unpopular political opinions and actions can come with undesirable consequences is inescapable, even over the Web.
