This article summarizes a Validin blog post that takes a recent Mandiant report on APT42, an Iranian state-sponsored cyber espionage group, as the starting point for expanding threat intelligence. The report lists domains that impersonate legitimate services to support credential harvesting and malware delivery; the Validin platform is used to pivot from those domains to related indicators and additional threat actor infrastructure. Affected: APT42, Iranian state-sponsored cyber espionage, threat actor hosting infrastructure
Keypoints :
- Mandiant published a threat report on May 1, 2024, detailing APT42's activities.
- The report lists 148 malicious domains identified through VirusTotal.
- APT42 uses fake sites to harvest credentials and deploy malware.
- Validin's platform allows bulk analysis and helps discover related infrastructure.
- The first round of analysis revealed multiple related domains and anomalous hosting patterns.
- New domains and IP addresses were identified through extensive DNS history analysis.
- Validin facilitates quick enrichment and validation processes for threat intelligence.
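The pivoting described in the key points above (take the reported domains, look up their DNS history, collect the IPs, then collect every other domain seen on those IPs, while treating heavily shared hosts as noise) is a generic passive-DNS workflow. The following is an added example that is not part of the original post and does not use the Validin API; it runs over a small constructed DNS-history dataset with RFC 5737 documentation addresses and `.example` names. The `max_cohosted` threshold is an assumed heuristic for separating dedicated hosting from shared hosting.

```python
"""Iterative passive-DNS pivot over a constructed dataset (example code, not Validin's)."""
from collections import defaultdict

# Constructed DNS-history records as (domain, ip). Made up for this example.
# 203.0.113.10 and 192.0.2.44 host a handful of domains (dedicated-looking);
# 198.51.100.7 hosts one seed-adjacent domain plus 30 unrelated tenants (shared hosting).
PDNS_RECORDS = [
    ("login-seed.example", "203.0.113.10"),
    ("verify-seed.example", "203.0.113.10"),
    ("secure-check.example", "203.0.113.10"),
    ("verify-seed.example", "198.51.100.7"),
    ("secure-check.example", "192.0.2.44"),
    ("confirm-portal.example", "192.0.2.44"),
] + [(f"tenant{i}.example", "198.51.100.7") for i in range(30)]


def refang(indicator: str) -> str:
    """Turn a report-style indicator ('a[.]b', '1[.]2[.]3[.]4') back into a usable one."""
    return indicator.replace("[.]", ".")


def defang(indicator: str) -> str:
    """Render a domain or IP safe to paste into a report: every dot becomes '[.]'."""
    return indicator.replace(".", "[.]")


def build_indexes(records):
    """Index the history both ways so each pivot hop is a dictionary lookup."""
    domain_to_ips = defaultdict(set)
    ip_to_domains = defaultdict(set)
    for domain, ip in records:
        domain_to_ips[domain].add(ip)
        ip_to_domains[ip].add(domain)
    return domain_to_ips, ip_to_domains


def pivot(seeds, records, max_cohosted=25, max_rounds=5):
    """Expand a seed set through shared IPs, skipping IPs that look like shared hosting.

    max_cohosted is an assumed cut-off: an IP hosting more than this many
    distinct domains is recorded as skipped rather than used as a pivot,
    because every tenant on it would otherwise be pulled in as "related".
    """
    domain_to_ips, ip_to_domains = build_indexes(records)
    known = {refang(s) for s in seeds}
    frontier = set(known)
    pivot_ips, shared_ips, discovered = set(), set(), set()
    for _ in range(max_rounds):
        if not frontier:
            break
        next_frontier = set()
        for domain in frontier:
            for ip in domain_to_ips.get(domain, ()):
                cohosted = ip_to_domains[ip]
                if len(cohosted) > max_cohosted:
                    shared_ips.add(ip)  # too noisy to pivot on; keep for the analyst's notes
                    continue
                pivot_ips.add(ip)
                new = cohosted - known
                discovered |= new
                next_frontier |= new
        known |= next_frontier
        frontier = next_frontier  # each round seeds the next, until nothing new appears
    return {
        "pivot_ips": pivot_ips,
        "shared_ips_skipped": shared_ips,
        "discovered_domains": discovered,
    }


def defanged_report(result):
    """Sorted, defanged indicator lines suitable for an IoC appendix."""
    lines = [f"[IP Address] {defang(ip)}" for ip in sorted(result["pivot_ips"])]
    lines += [f"[Domain] {defang(d)}" for d in sorted(result["discovered_domains"])]
    return lines


if __name__ == "__main__":
    result = pivot(["login-seed[.]example"], PDNS_RECORDS)
    for line in defanged_report(result):
        print(line)
    print("skipped shared hosting:", sorted(result["shared_ips_skipped"]))
```

Starting from the single seed, round one yields the two domains co-hosted on 203.0.113.10, round two follows one of them to 192.0.2.44 and picks up a third domain, and 198.51.100.7 is reported as skipped shared hosting rather than expanding the set by 30 unrelated tenants. Against real DNS history the threshold, the round limit and a first-seen/last-seen window all need tuning, but the shape of the pivot is the same.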
MITRE Techniques :
- OS Credential Dumping (T1003): the technique cited for APT42's credential harvesting; note that T1003 covers extracting credentials from a compromised host, whereas harvesting through fake login pages is credential phishing (T1566).
- Phishing (T1566): fake logins and services that imitate known platforms to deceive users.
- Application Layer Protocol (T1071): domains and hosting infrastructure used for command and control.
Indicator of Compromise :
- [Domain] permission-data[.]online
- [IP Address] 135.181.203[.]1
- [Domain] elated-supportive-exultation[.]top
- [IP Address] 94.131.11[.]228
- [Domain] confirm-validation[.]mywire[.]org
Full Story: https://www.validin.com/blog/expanding-apt42-intelligence-with-validin/