Self Assessment

APT PROFILE – APT42

Published On : 2024-08-13
Share :
APT PROFILE – APT42

APT42 is an Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government. We estimate with moderate confidence that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization (IRGC-IO) based on targeting patterns that align with the organization’s operational mandates and priorities.

Active since at least 2015, APT42 is characterized by highly targeted spear phishing and surveillance operations against individuals and organizations of strategic interest to Iran. The group’s operations, which are designed to build trust and rapport with their victims, have included accessing the personal and corporate email accounts of government officials, former Iranian policymakers or political figures, members of the Iranian diaspora and opposition groups, journalists, and academics who are involved in research on Iran. After gaining access, the group deployed mobile malware capable of tracking victim locations, recording phone conversations, accessing videos and images, and extracting entire SMS inboxes. APT42 has demonstrated the ability to alter its operational focus as Iran’s priorities evolve over time. We anticipate APT42 will continue to conduct cyber espionage operations in support of Iran’s strategic priorities in the long term based on its extensive operational history and imperviousness to public reporting and infrastructure takedowns.

Alias: APT42 Alias Mint Sandstorm, TA453, Yellow Garuda
Motivation: Espionage

Targeted Countries

USA, Canada, United Kingdom, Germany, France, Middle East, Australia

APT42 Campaigns Tracked by CYFIRMA

Malware used by APT 42
NICECURL,TAMECAT,NokNok

Tools used by APT42:
CHAIRSMACK, GHAMBAR, POWERPOST, BROKEYOLK, MAGICDROP, PINEFLOWER, TABBYCAT, TAMECAT, VBREVSHELL, VINETHORN, DOSTEALER

MITRE ATT&CK Techniques used by APT 42

Reconnaissance Execution Defense Evasion Lateral Movement
T1595.002 T1047 T1218.011 T1021.001
T1589.001 T1053.005 T1027
T1598.003 T1059.003 T1562.001 Collection
T1589.002 T1059.001 T1036.005 T1114
T1589 T1204.001 T1112 T1005
Resource Development T1204.002 T1562 T1113
T1585.002 T1059.005 T1564.003 T1114.002
T1583.006 T1070.004 T1114.001
T1588.002 Persistence T1562.004 T1560.001
T1584.001 T1505.003 T1070.003 T1056.001
T1583.001 T1053.005
T1586.002 T1136.001 Credential Access Command and Control
T1585.001 T1547.001 T1003.001 T1071.001
Initial Access T1098.002 T1056.001 T1571
T1566.003 T1102.002
T1189 Privilege Escalation Discovery T1065
T1566.002 T1053.005 T1016 T1071
T1190 T1547.001 T1049 T1105
T1057
T1087.003
T1033
T1082
T1083
Recently Exploited Vulnerabilities by APT 42 CVE-2023-38831

APT 42’s Recent Campaign Highlights and Trends

  • In a recent campaign, threat actors from APT42 targeted organizations in Western and Middle Eastern countries through social engineering attacks. They impersonated journalists to gain the trust of their targets and infiltrated corporate networks and cloud environments. The attackers used malicious emails to deliver two custom backdoors, named Nicecurl and Tamecat, which allowed them to execute commands and steal sensitive data from the compromised systems.
  • In recent campaigns, APT42 has predominantly focused on targeting entities that oppose Iran, including government and political bodies, media and journalism outlets, healthcare organizations, academic institutions, and non-governmental organizations (NGOs).
  • APT42’s activities are not limited to direct cyber-attacks. The group also conducts extensive credential harvesting operations, intricately designed to appear as legitimate interactions. These operations are carried out through carefully crafted spear-phishing campaigns that often impersonate well-known news outlets or NGOs. For example, domains masquerading as major publications like The Washington Post and The Economist have been used to disseminate malicious links that redirect users to fake login pages, effectively stealing their credentials.
  • Given APT42’s historical resilience and adaptability, it is expected that they will continue their cyber espionage operations in support of Iran’s strategic objectives, particularly as geopolitical dynamics evolve.