Hackers belonging to Iran’s Islamic Revolutionary Guard Corps Intelligence Organization (IRCG-IO), codenamed APT42, have been observed using realistic, but ultimately fictitious, online personas and typo-squatted domains to backdoor Western and Middle Eastern non-government organizations, media outlets, educational institutes, activists, and legal services.
The attacks typically start with an email to the target from an APT42 persona appearing to be a journalist, NGO employee, or event organizer sent from a typo-squatted domain that appears to belong to the organization with which the persona claims affiliation.
Identify, measure, and reduce your risk with a personalized attack surface report.
Our automated attack surface reports detect end-of-life software and operating systems, exposed devices and services, third-party risks & more.
Try it free
After several emails have been exchanged and trust has built up with the target, APT42 sends a link to a document relevant to the conversation which directs the recipient to a fake login page that mimics popular online services (e.g. Google, Microsoft, Dropbox, etc.) and other specific platforms related to the target’s work.
Once the victim inputs their password and multi-factor authentication (MFA) code, both are sent to the threat actor who uses them to log in to the victim’s account. To help disguise its actions and make attribution more difficult, APT42 clears its document access history and only communicates with targets via VPN nodes and Cloudflare-hosted domains.
Image 1: Online persona used by APT42
In addition to accessing victim accounts via stolen credentials, APT42 has also been observed deploying two custom backdoors, dubbed Nicecurl and Tamecat, as attachments to spear phishing emails.
Nicecurl, a VBScript-based backdoor, is designed to perform command execution, download and execute additional payloads, and perform data mining on the infected host.
Tamecat, a more complex backdoor written in PowerShell, can execute PowerShell code or C# scripts to perform data theft and system manipulation, dynamically update its configuration, and assess its environment before executing to evade anti-virus programs and other security controls.
Both backdoors are embedded into documents attached to phishing emails that require the user to allow macros permissions for the backdoor to execute. The trust that APT42 has built with the victim through previous interactions is often enough for the victim to ignore any security warnings and manually provide permission when prompted.
Source: Bleeping Computer
Analysis
The use of realistic, long-standing (i.e. created in 2013) personas to interact with targets before compromising them with custom, espionage-focused backdoors is the hallmark of a sophisticated state-sponsored actor. These campaigns require considerable planning and organization, and must be carried out by patient hackers skilled in foreign languages and deception.
The discovery and disclosure of its personas and the backdoors will likely force APT42 to temporarily pause or slow down its campaign while it develops new tactics, techniques, and procedures (TTPs). However, given the tension between Iran and the United States, and the ongoing conflicts in the Middle East, it’s highly likely that campaigns such as this will at the very least resume, if not accelerate.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for threats from advanced cyber actors such as APT42. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these groups pose.
Field Effect MDR users are automatically notified when various malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect MDR Portal.
Related Articles