Fox Kitten

Fox Kitten is an Iran-based threat actor tracked under aliases including Pioneer Kitten, Rubidium, Lemon Sandstorm, UNC757, PARISITE, and BR0k3R. Reporting in the provided content states the group has targeted U.S. organizations since 2017, including U.S. federal agencies and organizations in the information technology, government, healthcare, financial, insurance, media, education, and defense sectors, and has also targeted organizations in Israel, Azerbaijan, and the United Arab Emirates. The content describes the actor as Iranian government-linked or aligned with Iranian government interests, while also noting financial motivations and collaboration with ransomware affiliates. According to the provided reporting, Fox Kitten commonly gains initial access by mass-scanning internet-facing systems and exploiting known vulnerabilities in edge infrastructure, including Pulse Secure VPN, Citrix NetScaler, F5 BIG-IP, Check Point, Palo Alto Networks, and Ivanti products. Specific vulnerabilities mentioned in the content include CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, CVE-2020-5902, CVE-2022-1388, CVE-2023-3519, CVE-2024-24919, and CVE-2024-3400. The actor has used Nmap and Shodan to identify vulnerable systems and open ports. Post-compromise, Fox Kitten has been described as obtaining administrator-level credentials, installing web shells, and maintaining access for months. Persistence and remote access mechanisms mentioned in the content include web shells such as ChunkyTuna, Tiny, and China Chopper; scheduled tasks and cron jobs; FRPC, Chisel, and ngrok for tunneling; and reverse proxy tooling. The actor renamed FRPC binaries and configuration files to svhost/svchost and dllhost/dllhost.dll to appear legitimate. The content also states Fox Kitten used scheduled tasks for persistence and to load and execute a reverse proxy binary, used cmd.exe likely as a password changing mechanism, and used sticky keys via sethc.exe to launch cmd.exe. The group’s discovery and collection activity in the content includes use of Angry IP Scanner to detect remote systems, WizTree to obtain network file and directory listings, Softerra LDAP Browser to browse documentation on service accounts, Google Chrome bookmarks to identify internal resources and assets, and searches of local system resources to access sensitive documents. The content also states Fox Kitten accessed files to gain valid credentials, used PowerShell scripts to access credential data, accessed the ntuser.dat and UserClass.dat registry hives, and used a Perl reverse shell to communicate with command-and-control infrastructure. Base64-encoded payloads are also explicitly mentioned as a detection-evasion measure. For credential access and lateral movement, the provided content states Fox Kitten used procdump to dump LSASS memory, used Volume Shadow Copy to access NTDS credential data, repeatedly accessed a KeePass database using a PowerShell script, exfiltrated a Kerberos ticket from a NetScaler device to gain access to a domain account, and moved laterally using RDP, PsExec, SMB shares, Plink, PuTTY, and TightVNC. The actor likely hijacked legitimate RDP sessions. The content further states the group collected data from local systems, network shared drives, Microsoft Teams, and cloud storage, and used 7-Zip to archive collected data. The reporting provided also states Fox Kitten has sold or shared access to compromised infrastructure with ransomware operators and has coordinated with affiliates of NoEscape, Ransomhouse, and AlphV. The same Iranian actors were also tied in the content to the 2020 Pay2Key ransomware operation. The content notes the actor has used victim cloud resources and prior compromises to support additional attacks and that U.S. agencies assess the group likely has the capability and intent to deploy ransomware.