The .doc attachment reaches out to a URL, exploits the Equation Editor vulnerability, and downloads an executable: the malware. Data is then exfiltrated via SMTP to an email address.
Domestic Kitten spies on Iranian citizens with FurBall. ESET: it’s a new version of the Android malware
Domestic Kitten, aka APT-C-50, is spying on Iranian citizens with a new version of the Android malware FurBall, as discovered by ESET cybersecurity experts. The goal is probably to identify the people most involved in the protests over the death of Mahsa Amini. This version of FurBall has the same surveillance functionality as previous ones; however, the cyber espionage actors slightly obfuscated class and method names, strings, logs, and server URIs. This update required small changes on the C&C server as well, namely the names of the server-side PHP scripts. Since the functionality of this variant hasn’t changed, the main purpose of the update appears to be evading detection by security software.
The cybersecurity experts: it may be a prelude to a spear-phishing attack via text messages
However, according to the cybersecurity experts, the analyzed sample requests only one intrusive permission: access to contacts. The reason could be that Domestic Kitten wants FurBall to stay under the radar; on the other hand, researchers believe it might signal that this is just the preceding phase of a spear-phishing attack conducted via text messages. If the cyber espionage actor expands the app’s permissions, it would also be capable of exfiltrating other types of data from affected phones, such as SMS messages, device location, recorded phone calls, and much more.
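The permission-creep concern above (a sample that asks only for contacts today, but could be extended to SMS, location and call recording) is something a defender can watch for directly in an app's AndroidManifest.xml. The following is an added triage example written for this page; it is not ESET's tooling or anything from the FurBall analysis. It parses a manifest, maps the real Android permission names to the data they unlock, and diffs two versions of a manifest to flag newly requested permissions. The two manifests are constructed sample inputs, and the package name is a placeholder.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names mapped to the kind of data they expose.
# Added for this example; the list is illustrative, not exhaustive.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.ACCESS_COARSE_LOCATION": "device location",
    "android.permission.RECORD_AUDIO": "audio / call recording",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_PHONE_STATE": "phone identity",
}

# Constructed sample manifests (placeholder package name, not a real app).
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # namespaced attribute as ElementTree sees it
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def sensitive_capabilities(manifest_xml: str) -> list:
    """Describe what user data the requested permissions would let the app read."""
    perms = requested_permissions(manifest_xml)
    return sorted({SENSITIVE[p] for p in perms if p in SENSITIVE})


def permission_delta(old_manifest: str, new_manifest: str) -> list:
    """Permissions present in the new version but absent from the old one."""
    old = set(requested_permissions(old_manifest))
    new = set(requested_permissions(new_manifest))
    return sorted(new - old)


if __name__ == "__main__":
    print("v1 can read:", sensitive_capabilities(MANIFEST_V1))
    print("v2 can read:", sensitive_capabilities(MANIFEST_V2))
    print("newly requested in v2:", permission_delta(MANIFEST_V1, MANIFEST_V2))
```

Run as-is, the script shows the first manifest limited to contacts and the second one gaining SMS, location and microphone access, which is exactly the kind of change worth alerting on when a previously seen package ships an update. On a real device, the manifest would be extracted from the APK first (for example with aapt); this example only covers the comparison step.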