IMPERIAL KITTEN Deploys Novel Malware Families

Imperial Kitten, an Iran-linked threat actor likely tied to the IRGC, conducted strategic web compromise (SWC) operations and used novel malware families (e.g., IMAPLoader, StandardKeyboard) to target the transportation, logistics, and technology sectors. CrowdStrike Intelligence notes the continued use of email-based C2 and SWC infrastructure, along with multiple TTPs spanning initial access, lateral movement, and data exfiltration. #ImperialKitten #IMAPLoader #StandardKeyboard #Liderc #IRGC

Key points

  • Imperial Kitten is an Iran-nexus adversary, likely connected to the IRGC, active since 2017 with a focus on Middle Eastern and Israeli targets in sectors such as defense, technology, maritime, and energy.
  • Between early 2022 and 2023, Imperial Kitten conducted SWC operations against transportation, logistics, and technology organizations, luring victims to adversary-controlled sites.
  • Initial access methods include public one-day exploits, stolen VPN credentials, SQL injection, publicly available scanning tools, and phishing delivering malicious documents.
  • Phishing deliveries abuse macro-enabled Excel documents that drop a Python-based backdoor; the payload establishes persistence via a registry Run key and beacons to a hardcoded C2.
  • Adversary tooling includes IMAPLoader and StandardKeyboard (both using email for C2) and a Discord-based RAT; lateral movement and data exfiltration reportedly use PAExec, NetScan, ProcDump, and MeshAgent.
  • CrowdStrike notes a history of adversary-controlled domains and SWC infrastructure, and multiple malware families that have evolved to use email-based C2 and other C2 channels (including Discord).
  • The assessment links Imperial Kitten’s activity to SWC infrastructure and overlapping tooling with other campaigns (e.g., SUGARRUSH) and cautions about low-confidence attribution based on limited corroboration.

MITRE Techniques

  • [T1590.005] Gather Victim Network Information – IMAPLoader beacons the victim's public IP address, obtained via a web service. “IMAPLoader beacons the victim's public IP address obtained via a web service”
  • [T1584.006] Compromise Infrastructure: Web Services – SWC is mostly based on compromised websites. “SWC is mostly based on compromised websites”
  • [T1189] Drive-by Compromise – IMPERIAL KITTEN distributes malware through SWC. “IMPERIAL KITTEN distributes malware through SWC”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – IMAPLoader collects system information via cmd.exe scripts. “IMAPLoader collects system information via cmd.exe scripts”
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – Malicious Visual Basic scripts in Excel documents drop the Python backconnect shell. “malicious visual basic scripts in Excel documents”
  • [T1059.006] Command and Scripting Interpreter: Python – Malicious Excel documents drop Python-based backconnect shell. “Python-based backconnect shell”
  • [T1037.005] Boot or Logon Initialization Scripts: Startup Items – IMAPLoader persists through the registry Run key. “persists through the registry Run key”
  • [T1055] Process Injection – IMAPLoader executes via AppDomainManager injection. “AppDomainManager injection”
  • [T1140] Deobfuscate/Decode Files or Information – IMAPLoader and SUGARRUSH obfuscate C2 addresses via integer arrays. “obfuscate C2 addresses via integer arrays”
  • [T1518.001] Software Discovery: Security Software Discovery – IMAPLoader enumerates installed antivirus software. “enumerates installed antivirus software”
  • [T1005] Data from Local System – IMAPLoader beacons local system configuration and username to C2. “beacon local system configuration and username to C2”
  • [T1071.003] Application Layer Protocol: Mail Protocols – IMAPLoader, StandardKeyboard and SUGARRUSH utilize email for C2. “utilize email for C2”
  • [T1095] Non-Application Layer Protocol – The Python-based backconnect shell relies on raw sockets for communication. “raw sockets for communication”
  • [T1041] Exfiltration Over C2 Channel – All of the malware families exfiltrate data directly over their C2 protocol. “exfiltrate data directly over the C2 protocol”

Indicators of Compromise

  • [IP Addresses] – 146.185.219.220, 193.182.144.12, and other IPs in the IMPERIAL KITTEN infrastructure table
  • [Domains] – cdn.jguery.org, cdn-analytics.co, and other adversary-controlled domains used for redirects
  • [Email Addresses] – [email protected], [email protected]
  • [SHA256 Hash] – 989373f2d295ba1b8750fee7cdc54820aa0cb42321cec269271f0020fa5ea006, fa54988c11aa1109ff64a2ab7a7e0eeec8e4635e96f6c30950f4fbdcd2bba336
  • [File Names] – runable.bat, tool.bat (and other files used in macro drop)
  • [C2 Domain/Email] – imap.yandex.com (TLS IMAP C2 channel) and related C2 addresses embedded in malware

Read more: https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/