1. Home
  2. Groups
  3. CopyKittens

CopyKittens

CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.[1][2][3]

ID: G0052
Version: 1.6
Created: 16 January 2018
Last Modified: 08 August 2022
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1090 代理

CopyKittens has used the AirVPN service for operational activity.[4]
Enterprise T1059 .001 命令与脚本解释器: PowerShell

CopyKittens has used PowerShell Empire.[2]
Enterprise T1560 .001 归档收集数据: Archive via Utility

CopyKittens uses ZPP, a .NET console program, to compress files with ZIP.[2]
.003 归档收集数据: Archive via Custom Method

CopyKittens encrypts data with a substitute cipher prior to exfiltration.[3]
Enterprise T1218 .011 系统二进制代理执行: Rundll32

CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode.[2]
Enterprise T1588 .002 获取能力: Tool

CopyKittens has used Metasploit, Empire, and AirVPN for post-exploitation activities.[5][4]
Enterprise T1564 .003 隐藏伪装: Hidden Window

CopyKittens has used -w hidden and -windowstyle hidden to conceal PowerShell windows. [2]
Enterprise T1553 .002 颠覆信任控制: Code Signing

CopyKittens digitally signed an executable with a stolen certificate from legitimate company AI Squared.[2]

Software

ID Name References Techniques
S0154 Cobalt Strike [2] BITS任务, Windows管理规范, 从本地系统获取数据, 代理: Domain Fronting, 代理: Internal Proxy, 使用备用认证材料: Pass the Hash, 修改注册表, 创建或修改系统进程: Windows Service, 办公应用启动: Office Template Macros, 加密通道: Asymmetric Cryptography, 加密通道: Symmetric Cryptography, 协议隧道, 反射性代码加载, 反混淆/解码文件或信息, 命令与脚本解释器: JavaScript, 命令与脚本解释器: Visual Basic, 命令与脚本解释器: PowerShell, 命令与脚本解释器: Python, 命令与脚本解释器: Windows Command Shell, 妨碍防御: Disable or Modify Tools, 客户端执行漏洞利用, 屏幕捕获, 应用层协议: DNS, 应用层协议: Web Protocols, 应用层协议: File Transfer Protocols, 操作系统凭证转储: LSASS Memory, 操作系统凭证转储: Security Account Manager, 数据传输大小限制, 数据混淆: Protocol or Service Impersonation, 数据编码: Standard Encoding, 文件和目录发现, 有效账户: Domain Accounts, 有效账户: Local Accounts, 本机API, 权限提升漏洞利用, 权限组发现: Domain Groups, 权限组发现: Local Groups, 查询注册表, 浏览器会话劫持, 混淆文件或信息: Indicator Removal from Tools, 混淆文件或信息, 滥用权限提升控制机制: Sudo and Sudo Caching, 滥用权限提升控制机制: Bypass User Account Control, 移除指标: Timestomp, 系统二进制代理执行: Rundll32, 系统服务: Service Execution, 系统服务发现, 系统网络连接发现, 系统网络配置发现, 网络共享发现, 网络服务发现, 访问令牌操控: Parent PID Spoofing, 访问令牌操控: Token Impersonation/Theft, 访问令牌操控: Make and Impersonate Token, 账号发现: Domain Account, 软件发现, 输入工具传输, 输入捕获: Keylogging, 进程发现, 进程注入: Dynamic-link Library Injection, 进程注入: Process Hollowing, 进程注入, 远程服务: Remote Desktop Protocol, 远程服务: SSH, 远程服务: Windows Remote Management, 远程服务: SMB/Windows Admin Shares, 远程服务: Distributed Component Object Model, 远程系统发现, 隐藏伪装: Process Argument Spoofing, 非应用层协议, 预定传输, 颠覆信任控制: Code Signing
S0363 Empire [2] Windows管理规范, 中间人攻击: LLMNR/NBT-NS Poisoning and SMB Relay, 事件触发执行: Accessibility Features, 从密码存储中获取凭证: Credentials from Web Browsers, 使用备用认证材料: Pass the Hash, 创建或修改系统进程: Windows Service, 创建账户: Local Account, 创建账户: Domain Account, 剪贴板数据, 加密通道: Asymmetric Cryptography, 劫持执行流: Path Interception by Unquoted Path, 劫持执行流: Path Interception by Search Order Hijacking, 劫持执行流: Path Interception by PATH Environment Variable, 劫持执行流: Dylib Hijacking, 劫持执行流: DLL Search Order Hijacking, 可信开发者工具代理执行: MSBuild, 启动或登录自动启动执行: Security Support Provider, 启动或登录自动启动执行: Registry Run Keys / Startup Folder, 启动或登录自动启动执行: Shortcut Modification, 命令与脚本解释器: PowerShell, 命令与脚本解释器: Windows Command Shell, 命令与脚本解释器, 域信任发现, 域或租户策略修改: Group Policy Modification, 屏幕捕获, 应用层协议: Web Protocols, 归档收集数据, 操作系统凭证转储: LSASS Memory, 文件和目录发现, 未加密凭证: Credentials In Files, 未加密凭证: Private Keys, 本机API, 权限提升漏洞利用, 浏览器信息发现, 混淆文件或信息: Command Obfuscation, 滥用权限提升控制机制: Bypass User Account Control, 电子邮件收集: Local Email Collection, 移除指标: Timestomp, 窃取或伪造Kerberos票据: Kerberoasting, 窃取或伪造Kerberos票据: Golden Ticket, 窃取或伪造Kerberos票据: Silver Ticket, 系统信息发现, 系统所有者/用户发现, 系统服务: Service Execution, 系统网络连接发现, 系统网络配置发现, 组策略发现, 网络共享发现, 网络嗅探, 网络服务: Bidirectional Communication, 网络服务发现, 自动化收集, 自动化渗出, 视频捕获, 访问令牌操控: SID-History Injection, 访问令牌操控, 访问令牌操控: Create Process with Token, 账号发现: Domain Account, 账号发现: Local Account, 软件发现: Security Software Discovery, 输入工具传输, 输入捕获: Keylogging, 输入捕获: Credential API Hooking, 进程发现, 进程注入, 远程服务: Distributed Component Object Model, 远程服务: SSH, 远程服务漏洞利用, 通过C2信道渗出, 通过网络服务渗出: Exfiltration to Code Repository, 通过网络服务渗出: Exfiltration to Cloud Storage, 预定任务/作业: Scheduled Task
S0167 Matryoshka [2] 从密码存储中获取凭证, 启动或登录自动启动执行: Registry Run Keys / Startup Folder, 命令与脚本解释器, 屏幕捕获, 应用层协议: DNS, 混淆文件或信息, 系统二进制代理执行: Rundll32, 输入捕获: Keylogging, 进程注入: Dynamic-link Library Injection, 预定任务/作业: Scheduled Task
S0164 TDTESS [2] 创建或修改系统进程: Windows Service, 命令与脚本解释器: Windows Command Shell, 移除指标: File Deletion, 移除指标: Timestomp, 输入工具传输

References

  1. ClearSky Cyber Security. (2017, March 30). Jerusalem Post and other Israeli websites compromised by Iranian threat agent CopyKitten. Retrieved August 21, 2017.
  2. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  3. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  1. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
  2. ClearSky and Trend Micro. (2017, July). Operation Wilted Tulip - Exposing a cyber espionage apparatus. Retrieved May 17, 2021.