APT42 is an Iranian state-sponsored espionage group focused on information collection and surveillance against targets of strategic interest to Iran, active since at least 2015. They rely on targeted spear phishing and mobile malware to gain access and exfiltrate data, adapting their focus as Iran’s priorities shift. #APT42 #MintSandstorm #YellowGaruda #TA453 #NICECURL #TAMECAT #NokNok #WashingtonPost #Economist #CVE-2023-38831
Key points
- Group Name: APT42 (Mint Sandstorm, TA453, Yellow Garuda)
- Motivation: Espionage
- Targeted Countries: USA, Canada, UK, Germany, France, Middle East, Australia
- Active Since: At least 2015
- Techniques Used: Spear phishing, mobile malware deployment
- Recent Campaigns: Targeting organizations opposing Iran through social engineering and credential harvesting
- Notable Malware: NICECURL, TAMECAT
MITRE Techniques
- [T1595.002] Reconnaissance – Gathering information about targets to plan attacks.
- [T1047] Execution – Using a command-line interface to execute commands.
- [T1218.011] Defense Evasion – Bypassing security mechanisms to avoid detection.
- [T1021.001] Lateral Movement – Moving through a network to access additional systems.
- [T1589.001] Collection – Gathering sensitive information from compromised systems.
- [T1003.001] Credential Access – Harvesting user credentials for unauthorized access.
- [T1071.001] Command and Control – Establishing a communication channel with compromised systems.
- [T1098.002] Initial Access – Gaining initial access to target systems.
- [T1065] Privilege Escalation – Gaining higher-level permissions on a system.
- [T1566.002] Discovery – Identifying system and network information.
Indicators of Compromise
- [Domain] Impersonation domains used in credential harvesting – domains spoofing The Washington Post, The Economist and similar news-outlet fronts
- [File name] Malware backdoors – NICECURL, TAMECAT, NokNok
- [CVE] Recently exploited vulnerability – CVE-2023-38831
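As an added defender-side example (not from the CYFIRMA profile), the following Python routine triages hostnames seen in DNS or proxy logs for impersonation of the two news brands named above; the legitimate domains, the similarity threshold and the sample hosts are assumptions, not indicators from the page.

```python
import unicodedata
from difflib import SequenceMatcher
# Brands the page says APT42 impersonated in credential-harvesting lures.
# Their legitimate domains below are an assumption, not taken from the page.
LEGITIMATE = {
    "washingtonpost": ("washingtonpost.com",),
    "economist": ("economist.com",),
}
SIMILARITY_THRESHOLD = 0.8  # assumed tuning value for near-miss spellings

def fold(host):
    """Decode xn-- labels and strip accents so 'économist' compares as 'economist'."""
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode or malformed punycode: compare as given
    return unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()

def second_level(host):
    labels = [l for l in host.split(".") if l]
    return labels[-2] if len(labels) > 1 else (labels[0] if labels else "")

def is_under(host, domain):
    return host == domain or host.endswith("." + domain)

def classify(host):
    """Return (verdict, brand); verdict is legitimate, homoglyph, embedded, lookalike or clean."""
    raw = host.strip().lower().rstrip(".")
    for brand, domains in LEGITIMATE.items():
        if any(is_under(raw, d) for d in domains):
            return "legitimate", brand
    folded = fold(raw)
    collapsed = "".join(c for c in folded if c.isalnum())
    for brand, domains in LEGITIMATE.items():
        if any(is_under(folded, d) for d in domains):  # accent/IDN variant of the real domain
            return "homoglyph", brand
        if brand in collapsed:  # brand wrapped in extra words, hyphens or subdomains
            return "embedded", brand
        if SequenceMatcher(None, second_level(folded), brand).ratio() >= SIMILARITY_THRESHOLD:
            return "lookalike", brand  # near-miss spelling such as a digit swap
    return "clean", None

# Constructed sample of hosts as they might appear in DNS or proxy logs; not real indicators.
SAMPLE_HOSTS = [
    "www.washingtonpost.com", "secure-washingtonpost-login.example", "washingtonp0st.com",
    "econornist.com", "économist.com".encode("idna").decode("ascii"), "example.org",
]

def triage(hosts):
    return [(h, *classify(h)) for h in hosts]
```

Any verdict other than legitimate or clean is a candidate for blocking at the proxy and for checking against recent credential submissions from the same clients.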
Read more: https://www.cyfirma.com/research/apt-profile-apt42/