Iran-affiliated threat group Imperial Kitten has been targeting Israeli organizations in the transportation, logistics, and technology sectors in the wake of the Israel-Hamas conflict, according to CrowdStrike.
The company’s Counter Adversary Operations team investigated a series of cyber-attacks and strategic web compromise (SWC, also known as watering hole) operations carried out in October 2023, with a particular focus on Israeli organizations.
CrowdStrike attributed these activities to Imperial Kitten, a group it said “likely fulfills Iranian strategic intelligence requirements associated with the Islamic Revolutionary Guard Corps (IRGC) operations.”
The researchers noted that the targeting of transportation, maritime and technology organizations in Israel is consistent with Imperial Kitten’s previous activities. In May 2023, cybersecurity experts at ClearSky discovered a sophisticated watering hole attack targeting multiple Israeli websites, which it attributed to Imperial Kitten.
The new CrowdStrike research also identified a range of adversary-controlled domains that have served as redirect locations from compromised, primarily Israeli, websites.
Imperial Kitten’s Tactics, Techniques and Procedures
The CrowdStrike blog said there is evidence that Imperial Kitten compromises organizations such as upstream IT service providers, then uses that access to identify and reach the downstream targets of primary interest for data exfiltration.
CrowdStrike and other industry reporting have identified a malware family tracked as IMAPLoader, which is believed to be used by Imperial Kitten as the final payload of its SWC operations.
IMAPLoader is distributed as a .NET dynamic link library (DLL) and is loaded via AppDomainManager injection, a technique in which a legitimate .NET executable is pointed at the malicious DLL as its AppDomainManager so that the DLL runs inside a trusted process. As the name suggests, it uses email over IMAP for command-and-control (C2), with static email addresses embedded in the malware serving as its configuration.
Tasking is delivered to IMAPLoader as attachments to email messages, and the malware sends its replies the same way.
The researchers added that typographical errors in embedded folder names and log messages indicate the author is not a native English speaker.
Another malware family thought to be deployed by Imperial Kitten is named StandardKeyboard. It shares many characteristics with IMAPLoader; its main purpose is to execute Base64-encoded commands received in the email body.
Evidence suggests Imperial Kitten moves laterally with PAExec, an open-source alternative to PsExec, and the NetScan network scanner, and uses ProcDump to dump the memory of the LSASS process for credential harvesting before deploying malware.
The researchers also highlighted a range of initial access techniques they believe are used by the group:
- Use of public one-day exploits, i.e. exploits for vulnerabilities that already have a patch available
- Use of stolen credentials to access VPN appliances
- SQL injection
- Use of publicly available scanning tools, such as nmap
- Use of phishing to deliver malicious documents