Iran's Cyber Espionage Operations: The Case of the APT42 Threat Group


Origin: 2015

Alias: UNC788

Targeted Sectors: Education, Government, Healthcare, Legal Services, Manufacturing, Media, Entertainment, Pharmaceutical

Targeted Regions: Middle East, North America, Oceania, Western Europe, Eastern Europe

Motive: Espionage, Data Theft, Surveillance 

Malware Used: PowerPost, SilentUploader, TabbyCat, TameCat, VbrevShell, PineFlower, VineThorn, BrokeYolk, ChairSmack, Dostealer, Ghambar, Magicdrop

Introduction

Iran-based APT42 is a cyberespionage threat group that has been stealing information and performing surveillance operations since 2015. The group is believed to be working on behalf of the Islamic Revolutionary Guard Corps’ Intelligence Organization (IRGC-IO). Its operations are aimed at organizations and individuals that are of strategic interest to the Iranian regime. This assessment is based on targeting patterns that align with the IRGC-IO’s operational mandates and priorities, and that resemble those of various other Iranian threat groups. APT42’s activity overlaps with other publicly reported activity clusters from Iran, including Yellow Garuda (PwC), TA453 (Proofpoint), ITG18 (IBM X-Force), Charming Kitten (ClearSky and CERTFA), and Phosphorus (Microsoft).

Researchers have observed over 30 confirmed targets in 14 countries since early 2015. The targeted sectors include civil society and nonprofits, education, government, health care, legal and professional services, manufacturing, media and entertainment, and pharmaceutical. Given the group’s high operational tempo, the visibility gaps inherent in its targeting of personal email accounts, its domestically focused efforts, and the wide range of open-source industry reporting on attack clusters believed to be linked with APT42, the confirmed target count almost certainly understates its true activity.

Attack Tactics and Methods 

The APT42 threat group often uses highly targeted spear-phishing and social engineering techniques to build trust and close relationships with its victims in pursuit of espionage. The group’s tactics and operations can be broadly understood in three steps:

Credential harvesting: Through spear-phishing campaigns, the group compromises credentials to gain access to the networks, devices, and accounts belonging to the prime victims, their employers, or their colleagues. It also leverages tools such as TameCat, TabbyCat, and VbrevShell to capture MFA codes and bypass multi-factor authentication.

Surveillance operations: Since 2015, part of APT42’s infrastructure has been used as C2 servers for two Android mobile malware families, VINETHORN and PINEFLOWER. Both can track device locations, monitor phone and email communications, and perform surveillance of persons of interest to the Iranian regime, such as dissidents and activists.

The group extensively used the PINEFLOWER Android malware to compromise dozens of Android devices believed to be related to individuals living in Iran between July 2020 and March 2021. Meanwhile, the VINETHORN payload was seen masquerading as a legitimate VPN app between April and October 2021. 

Malware and Tools

APT42 uses several custom backdoors and lightweight tools. Security analysts point out that most of the source code in its malware is copied from open-source code publicly available on GitHub. Once the actors have successfully authenticated to a victim’s personal or corporate email account, they maintain persistence by registering their own Microsoft Authenticator app as a new MFA method on the account. The group often uses lightweight malware, some of it based on publicly available scripts, such as BROKEYOLK, CHAIRSMACK, GHAMBAR, MAGICDROP, POWERPOST, PINEFLOWER, TABBYCAT, TAMECAT, VBREVSHELL, and VINETHORN.
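Added example, not from the original post or any of the vendors it cites: a detection heuristic for the MFA-registration persistence step described above. It flags an MFA-method registration that occurs within a short window after a successful sign-in from an IP address outside the user's baseline; the event schema, IP addresses and baseline below are constructed for illustration and must be mapped onto your identity provider's own sign-in and audit logs.

```python
"""Flag MFA-method registrations that closely follow a sign-in from an
unfamiliar IP address (constructed log schema; adapt to your IdP's events)."""
from datetime import datetime, timedelta

# Constructed sample events: successful/failed sign-ins and MFA registrations.
SAMPLE_EVENTS = [
    {"ts": "2022-09-01T08:00:00", "user": "alice", "event": "signin",
     "ip": "203.0.113.10", "ok": True},
    {"ts": "2022-09-01T08:03:00", "user": "alice", "event": "mfa_register",
     "ip": "203.0.113.10", "method": "Microsoft Authenticator"},
    {"ts": "2022-09-01T09:00:00", "user": "bob", "event": "signin",
     "ip": "198.51.100.7", "ok": True},
    {"ts": "2022-09-01T09:02:00", "user": "bob", "event": "mfa_register",
     "ip": "198.51.100.7", "method": "Microsoft Authenticator"},
    {"ts": "2022-09-01T10:00:00", "user": "carol", "event": "signin",
     "ip": "198.51.100.9", "ok": True},
    {"ts": "2022-09-01T12:30:00", "user": "carol", "event": "mfa_register",
     "ip": "198.51.100.9", "method": "Microsoft Authenticator"},
]

# Constructed baseline: IPs each user has signed in from over a prior period.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"192.0.2.44"},
             "carol": {"203.0.113.55"}}


def find_suspicious_mfa_registrations(events, known_ips,
                                      window=timedelta(minutes=30)):
    """Return (user, method, ip) for every MFA registration that happens within
    `window` after a successful sign-in from an IP absent from the baseline.
    alice: known IP -> no hit; bob: new IP, 2 min later -> hit;
    carol: new IP but registration 2.5 h later -> outside window, no hit."""
    last_new_ip_signin = {}  # user -> time of last successful sign-in from new IP
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO strings sort by time
        t = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["event"] == "signin" and e.get("ok"):
            if e["ip"] not in known_ips.get(user, set()):
                last_new_ip_signin[user] = t
        elif e["event"] == "mfa_register":
            since = last_new_ip_signin.get(user)
            if since is not None and t - since <= window:
                hits.append((user, e["method"], e["ip"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_mfa_registrations(SAMPLE_EVENTS, KNOWN_IPS):
        print("suspicious MFA registration:", hit)
```

A hit is a triage lead, not proof of compromise: confirm with the user, review the sign-in's device and location, and remove the unrecognized method if it was not theirs.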

For privilege escalation, the group uses custom malware capable of logging keystrokes and stealing logins and cookie data for common browsers in a victim environment, including CHAIRSMACK, DOSTEALER, and GHAMBAR.

To maintain a presence in a victim’s environment, the group uses custom malware that persists through scheduled tasks or Windows registry modifications, such as CHAIRSMACK and GHAMBAR. It also uses GHAMBAR and POWERPOST, which are capable of taking screenshots and gathering system and network details, and has been observed using SILENTUPLOADER, an uploader written in MSIL that is dropped by DOSTEALER.

Attribution

Microsoft has claimed a connection between APT42’s intrusion activity and the clusters tracked as UNC2448 and APT35. All of them are believed to be working on behalf of the IRGC. APT35 operations have been long-term and resource intensive, mostly targeting U.S. and Middle Eastern military, diplomatic, and government personnel. Additionally, that group has been targeting organizations in the telecommunications, energy, media, business services, engineering, and defense industrial base sectors. While APT35 targets a range of industries, APT42 focuses on entities relevant to domestic politics, foreign policy, and regime stability.

The group’s activity further aligns with other organizations referring to threat activity as ITG18 (IBM), TA453 (Proofpoint), and Yellow Garuda (PwC). The group is also consistent with a sub-section of the publicly reported threat cluster Charming Kitten (ClearSky/CERTFA). 

Attack Profile

With 30 successful attacks across over a dozen countries, the APT42 group’s main targets have been organizations and individuals identified as opponents or enemies of Iran. The operations have similar targeting as other Iranian espionage actors, with a large portion of activities focused on the Middle East. However, the group has also regularly targeted Western think tanks, journalists, researchers, current government officials, former Iranian government officials, and the Iranian diaspora.

Some APT42 actions suggest that the group keeps changing its operational focus as Iran’s priorities evolve. For instance, it aimed targeted operations at the pharmaceutical sector during the COVID-19 pandemic in March 2020. Moreover, it focused on domestic and foreign-based opposition groups before Iran’s presidential election. Such instances speak volumes about the group being trusted (or backed) by the Iranian government to react to geopolitical changes by calibrating its operations to the ongoing geopolitical situation.

Credential stealing attacks: In May 2017, the group targeted the senior leadership of an Iranian opposition group operating from Europe and North America by using spear-phishing emails pretending to be legitimate Google correspondence. The emails included links to fake Google Books pages redirecting to sign-in pages for stealing credentials and 2FA codes. In April 2018, the group targeted the Gmail account of an Iranian environmental activist using a fake login page. This targeted individual was arrested by the Iranian government in 2018, when the government had taken some strict actions against environmental activism in Iran. In October 2019, the group tried to steal the personal Gmail credentials of a newspaper editor and Iranian lecturer in Israel. In June 2020, the group sent a spear-phishing email to an employee of an NGO in the U.S. who had previously published on the situation of Iran’s civil society.

In February 2021, the group targeted the personal email credentials of a senior Israeli government official using a credential harvesting page disguised as a Gmail login page. Almost a year later, the group impersonated a genuine British news organization for stealing email credentials of professors having ties to local governments or relatives holding dual citizenship with Iran.

Surveillance attacks: In July 2021, the threat actors hosted malicious web pages disguised as an adult content website and as free audio/video calling and instant messaging software. The landing pages profiled all visitors, requested that they enable location services, and sent the collected details to a hard-coded Telegram chat. One landing page was seen supporting a smartphone layout suited to Arabic users, implying that Arabic speakers were also targeted.

Most recently, the PINEFLOWER malware was used to target Iran-based individuals with connections to universities, reformist political groups, and human rights activism between June and August 2022.

Malware attacks: In September 2021, APT42 hacked a European government email account and used it to send a phishing email to 150 recipients employed by civil society, government, or intergovernmental organizations worldwide. The email used lure content related to the organizational chart of an embassy in Tehran and included a Google Drive link to a malicious macro document that led to a PowerShell toehold backdoor, identified as TAMECAT.

In January and February 2022, APT42 hosted various malicious Office documents on AWS, Google Drive, and Dropbox. The documents, delivered in spear-phishing emails with geopolitically themed decoy content, downloaded a password-protected remote template document via OneDrive links. These documents led to the delivery of TABBYCAT (a VBA-based dropper) and VBREVSHELL (a reverse shell macro). In March 2022, infrastructure used by the threat actors was found hosting malicious PowerShell code in the service banners of unusual ports. When executed, the code retrieves additional PowerShell payloads, including a custom reconnaissance tool (POWERPOST) that gathers data on the local host, such as system information and local account names.

Mitigation

The first step toward ensuring safety against APT42 attacks is to protect important information with adequate encryption, combined with proper access control, against espionage operations. Government officials and employees must be given phishing-related training so that they can identify malicious emails and respond to such threats confidently. To stay safe against Android malware, users should avoid downloading apps from unknown or third-party sources and avoid clicking on suspicious links that arrive via SMS, email, or messaging apps. Organizations should keep abreast of all key developments in the threat landscape, and their security teams must operationalize threat intelligence to proactively identify and mitigate risks. Such a proactive security strategy improves overall threat prediction and produces actionable insights for better security.

Conclusion

APT42 targets foreign officials, commentators, and journalists located in the U.S., the U.K., and Israel who work on Iran-related projects. Additionally, its surveillance activity poses real-world risk to individuals such as Iranian dual nationals, former government officials, dissidents inside Iran, and those who fled the country for their safety.

Based on its long history of activity, researchers expect no major changes to APT42’s operational tactics and targeting patterns. However, the group has shown its ability to quickly shift focus as Iran’s priorities change with the domestic and geopolitical situation. Thus, experts assess a high probability that the APT42 group will remain active in its espionage operations in the near future, with new or improved tools and techniques.

Indicators of Compromise


Posted on: October 12, 2022

