CopyKittens

CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip. [1] [2] [3]

ID: G0052
Version: 1.3
Created: 16 January 2018
Last Modified: 31 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

CopyKittens uses ZPP, a .NET console program, to compress files with ZIP.[2]

.003 Archive Collected Data: Archive via Custom Method

CopyKittens encrypts data with a substitute cipher prior to exfiltration.[3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

CopyKittens has used PowerShell Empire.[2]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

CopyKittens has used -w hidden and -windowstyle hidden to conceal PowerShell windows. [2]

Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode.[2]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

CopyKittens digitally signed an executable with a stolen certificate from legitimate company AI Squared.[2]

Software

ID Name References Techniques
S0154 Cobalt Strike

[2]

Abuse Elevation Control Mechanism: Bypass User Access Control, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Make and Impersonate Token, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Commonly Used Port, Create or Modify System Process: Windows Service, Data from Local System, Exploitation for Privilege Escalation, Indicator Removal on Host: Timestomp, Input Capture: Keylogging, Man in the Browser, Multiband Communication, Native API, Network Service Scanning, Network Share Discovery, Obfuscated Files or Information: Indicator Removal from Tools, OS Credential Dumping: Security Account Manager, Process Discovery, Process Injection, Process Injection: Process Hollowing, Protocol Tunneling, Proxy: Internal Proxy, Remote Services: SMB/Windows Admin Shares, Remote Services: Windows Remote Management, Remote Services: SSH, Remote Services: Remote Desktop Protocol, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Local Accounts, Valid Accounts: Domain Accounts, Windows Management Instrumentation
S0363 Empire

[2]

Abuse Elevation Control Mechanism: Bypass User Access Control, Access Token Manipulation: Create Process with Token, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Account Discovery: Domain Account, Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Bookmark Discovery, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exfiltration Over Web Service: Exfiltration to Code Repository, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Modification, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Native API, Network Service Scanning, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0164 TDTESS

[2]

Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Indicator Removal on Host: Timestomp, Indicator Removal on Host: File Deletion, Ingress Tool Transfer

References