APT42 is a state-sponsored cyber espionage group in Iran. The gang, which has been active at least since 2015, is known for its highly targeted spear phishing and surveillance operations that target individuals and organizations in at least 14 countries.
Background:
Advanced Persistent Threat (APT) is an attack executed by a state-sponsored group of attackers or Cybercriminals with a specific intent to steal data or monitor activities on a specific set of servers in a target organization for an extended period of time. As they are working towards a specific goal, they will keep their presence down for a long time until the target is achieved. APT adversaries are focused and specialized heavily in evading the eyes of the security controls, which makes the detection of APTs hard.
APT42 is a state-sponsored cyber espionage group in Iran. The gang, which has been active at least since 2015, is known for its highly targeted spear phishing and surveillance operations that target individuals and organizations in at least 14 countries. Accessing the personal and business email accounts of government officials, former Iranian policymakers or political figures, members of the Iranian diaspora and opposition groups, journalists, and academics working on research on Iran are all part of the group’s operations, which are meant to develop relations and trust with their victims.
Since 2015, Mandiant has recorded over 30 verified APT42 targeted operations across these categories. Based on the group’s high operational tempo, visibility gaps brought on in part by the group’s targeting of personal email accounts, domestically focused efforts, and extensive open-source industry reporting on threat clusters probably associated with APT42, the total number of APT42 intrusion operations is almost certainly much higher.
Target:
Targeting strategies utilized by APT42 activities are similar to those used by other Iranian cyberspies, with a sizable portion of activity concentrated in the Middle East. APT42 primarily targets groups and people considered enemies of the state, explicitly acquiring access to their mobile devices and personal accounts. The group has repeatedly targeted Western organizations, academics, journalists, Western government officials in office now, former Iranian government officials, and Iranians living abroad. Since our first observation of its activity in 2015, APT42 has targeted organizations in at least 14 countries, including Australia, Europe, the Middle East, and the United States.
APT42 has focused on the following industries:
- Civil society and nonprofits
- Education
- Healthcare
- Manufacturing
- Governments
- Legal and professional services
- Pharmaceuticals
Operations:
APT42 operations broadly fall into three categories:
Credential Harvesting:
Through highly focused spearphishing tactics that place a stronger emphasis on developing rapport and trust with the target before attempting to steal their credentials, APT42 usually targets business and personal email accounts. APT42 has utilized compromised credentials to attempt access to the networks, devices, and accounts of employers, coworkers, and family, as well as credential harvesting, to gather Multi-Factor Authentication (MFA) codes to overcome authentication mechanisms.
Surveillance operations:
At least since late 2015, a portion of APT42’s infrastructure was used as command-and-control (C2) servers for Android mobile malware that was used to track the whereabouts of people of interest to the Iranian government, including activists and dissidents inside Iran, as well as to keep tabs on their communications and generally monitor their activities.
Malware deployment:
While APT42 typically prefers credential harvesting to disk-based activity, it also has access to a number of lightweight tools and unique backdoors. When the goals go beyond credential collecting, the gang probably uses these techniques in its activities.
Historical Connections:
APT42 generally corresponds to an activity referred to by other organizations such as TA453 (Proofpoint), Yellow Garuda (PwC), and ITG18 (IBM). The group also corresponds to two publicly reported threat clusters: Phosphorus (Microsoft) and Charming Kitten (ClearSky and CERTFA). The similarities in malicious cyber operations of various Iranian groups, as well as Iran’s dynamic institutional ecosystem, contributed to a significant conflation of historical APT42 and APT35 activity.
The historical APT35 operations were primarily long-term, resource-intensive operations that targeted the military, diplomatic, and government personnel of the United States and the Middle East, as well as businesses in the media, energy, and defense industries, as well as the engineering, business services, and telecommunications sectors. APT42 activities, in contrast, concentrate on people and groups that the Iranian government is interested in for reasons related to domestic politics, foreign policy, and regime stability.
Attack Cycle:
Initial Compromise:
Spear phishing is the primary method used by APT42 to carry out an initial compromise. The group is patient and inventive in their social engineering efforts, frequently interacting with their target for days or weeks to gain confidence before sending them a link to a page that collects credentials or adding a malicious attachment to their correspondence. APT42 can use credential harvesting forms to get around MFA, intercept SMS-based one-time passwords, and most likely send Android malware via SMS texts.
Establish Foothold:
Once a victim’s personal or business email account has been successfully validated, APT42 registers its own Microsoft Authenticator application as a new MFA method. APT42 uses a variety of mostly lightweight malware, some of which are based on publicly accessible scripts like CHAIRSMACK, BROKEYOLK, MAGICDROP, etc to infiltrate various environments.
Escalate Privileges:
APT42 performs privilege escalation in a victim environment using proprietary malware like DOSTEALER, GHAMBAR, and CHAIRSMACK that can collect keystrokes, steal logins, and steal cookie data for popular browsers.
Internal Reconnaissance:
APT42 undertakes internal reconnaissance by perusing the compromised user’s contacts and gaining access to the targeted company’s collaborative spaces, such as Sharepoint, after entering the target environment with the stolen credentials. APT42 also uses malware like POWERPOST which is capable of taking screenshots and collecting system and network information.
Lateral Movement:
APT42 frequently tries to gain access to the victim’s corporate accounts via the victim’s compromised personal email account in order to move laterally. From hacked email accounts, the group sends spearphishing emails to other targets inside and outside of the targeted company.
Maintain Persistence:
APT42 uses specialized malware with scheduled tasks or Windows registry updates for persistence to stay active in a victim’s environment, such as CHAIRSMACK and GHAMBAR. APT42 also employs a number of other strategies to keep a victim’s personal or business email account open, such as setting up their Microsoft Authenticator program to get MFA codes to their own devices.
Detection:
- Third-party application logging, messaging, and/or other artifacts that may send spearphishing emails with a malicious link in an attempt to gain access to victim systems should be monitored.
- Changes to Windows registry keys or values that may target multi-factor authentication mechanisms, such as smart cards, to gain access to credentials that can be used to access systems, services, or network resources should be monitored.
- Monitor for contextual data about an account, such as a username, user ID, or environmental data, that may modify access tokens to perform actions and bypass access controls under a different user or system security context.
- Examine executed commands and arguments that may be used to achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.
Mitigation:
- Users can be trained to recognize social engineering techniques and spearphishing emails with malicious links, including phishing for OAuth 2.0 consent.
- Determine whether specific websites that can be used for spearphishing are required for business operations and consider blocking access if activity cannot be monitored effectively or poses a significant risk.
- Examine IT systems to ensure that UAC protection is set to the highest level possible, or, if this is not possible, implement other security measures. On sensitive systems, review which accounts are in the local administrator group on a regular basis and remove regular users who should not have administrative rights.