A newly documented state-sponsored advanced persistent threat (APT) actor dubbed APT42 (formerly tracked as UNC788) has been linked to more than 30 confirmed cyber espionage operations against individuals and organizations of strategic interest to the Iranian government since at least 2015.
Cybersecurity firm Mandiant said the group operates as the intelligence-gathering arm of Iran’s Islamic Revolutionary Guard Corps (IRGC) and shares overlaps with another group tracked as APT35, also known as Charming Kitten, Cobalt Illusion, ITG18, Phosphorus, TA453, and Yellow Garuda.
APT42 has targeted a wide range of sectors, including non-profits, education, government, healthcare, legal, manufacturing, media, and pharmaceuticals, in at least 14 countries across Australia, Europe, the Middle East, and the United States.
Intrusions against the pharmaceutical sector are also notable because they began at the onset of the COVID-19 pandemic in March 2020, demonstrating the threat actor’s ability to rapidly retool its campaigns to meet its operational priorities.
“APT42 uses highly targeted social engineering and spear-phishing techniques designed to build trust and rapport with victims in order to gain access to their personal or corporate email accounts or to install malicious Android software on their mobile devices,” Mandiant said in a report.
The goal is to exploit these fraudulent trust relationships to steal credentials, allowing the threat actor to leverage that access to compromise the corporate network further, collect sensitive data, and use the breached accounts to target additional victims.
Attack chains involve highly targeted spear-phishing messages aimed at individuals and organizations of strategic interest to Iran. They are also crafted to build trust with former government officials, journalists, policy makers, and members of the Iranian diaspora, with the aim of delivering malware.
In addition to using compromised email accounts affiliated with research organizations to target researchers and academic institutions, APT42 is known to impersonate journalists and other professionals and to interact with a victim for days or even weeks before sending a malicious link.
In an attack observed in May 2017, the group targeted members of an Iranian opposition group operating from Europe and North America with emails containing links to fake Google Books pages, which redirected victims to login pages designed to harvest both credentials and two-factor authentication codes.
Surveillance activity has involved distributing, via text messages, Android malware such as VINETHORN and PINEFLOWER, which can record phone calls and ambient audio, extract multimedia and SMS content, and track the device’s geographic location. A VINETHORN payload observed between April and October 2021 masqueraded as a VPN app called SaferVPN.
“The use of Android malware to target individuals of interest to the Iranian government provides APT42 with an effective method of gathering sensitive information on targets, including movement, contacts, and personal information,” the researchers noted.
The group is also believed to use a range of lightweight Windows malware, namely a PowerShell backdoor called TAMECAT, a VBA-based dropper macro called TABBYCAT, and a reverse shell macro called VBREVSHELL, to augment its credential-gathering and espionage activities.
APT42’s associations with APT35 stem from links to an uncategorized threat cluster tracked as UNC2448, which Microsoft (as DEV-0270) and Secureworks (as Cobalt Mirage) have described as a Phosphorus subgroup that carries out ransomware attacks for financial gain using BitLocker.
Mandiant’s analysis adds credence to Microsoft’s findings that DEV-0270/UNC2448 is operated by a front company that uses two public aliases, Secnerd and Lifeweb, both of which are connected to Najee Technology Hooshmand.
That said, the two collectives, despite their links to the IRGC, are suspected of having different missions, based on differences in their targeting patterns and the tactics they use.
The key difference is that while APT35 is geared towards long-term, resource-intensive operations targeting various verticals in the US and the Middle East, APT42’s activities focus on individuals and organizations of relevance to “domestic politics, foreign policy, and stability of the target regime.”
The group has demonstrated the ability to rapidly shift its operational focus as Iran’s priorities change over time with evolving geopolitical and domestic conditions, the researchers said.