APT42, a group linked to the Iranian government, is using social engineering tactics such as impersonating journalists and event organizers to trick NGOs, media, academia, legal firms, and activists into providing credentials to access their cloud environments.
They exfiltrate data of strategic interest while using built-in tools to evade detection.
APT42 also delivers custom NICECURL and TAMECAT backdoors via spear-phishing for initial access, which aligns with its mission to monitor foreign threats and domestic unrest.
APT42’s extensive credential harvesting operations involve tailored spear-phishing campaigns with elaborate social engineering, typically following a three-step process.
APT42 Hackers As Event Organizers
APT42 used three infrastructure clusters to steal credentials from government organizations, media outlets, NGOs, and activist groups.
Integrate ANY.RUN in Your Company for Effective Malware Analysis
Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:
- Real-time Detection
- Interactive Malware Analysis
- Easy to Learn by New Security Team members
- Get detailed reports with maximum data
- Set Up Virtual Machine in Linux & all Windows OS Versions
- Interact with Malware Safely
If you want to test all these features now with completely free access to the sandbox:
Each cluster used spear-phishing emails to harvest credentials, but the domains, impersonation themes, decoy documents, and other operational details changed slightly with each one.
APT42 continued their campaigns to steal credentials by taking data from legal and NGO-compromised cloud infrastructures of US and UK targets, which they sent back to Iran in 2022-23.
They secretly broke into Microsoft 365 environments through social engineering and skipping multi-factor authentication, using features already in the system as well as open-source tools so that nobody noticed what was going on.
Though researchers only know about people affected in America or Britain so far, this may indicate that more countries have been attacked, too, because APT42 gathers worldwide credentials.
Mandiant documented APT42 deploying custom NICECURL and TAMECAT backdoors delivered via spear-phishing with decoy content from spoofed organizations.
NICECURL, a VBScript backdoor, allows downloading additional modules, command execution and connects over HTTPS.
Samples impersonated Harvard’s public health school using the name Daniel Serwer (Middle East scholar) and the US think tank’s “Empowering Women for Peace” report to likely target NGOs, governments, and groups involved with Iran and Middle East matters consistent with APT42’s profile.
The backdoors enable initial access as potential malware deployment platforms.
While APT42’s methods for staying undetected challenge detection, TTPs that are shared, IOCs, and rules do this to help support mitigation.
According to the researchers, “It is a low footprint and low detection infrastructure.” However, several indicators, such as their use of certain tools or code names, pointed towards Mandiant eventually finding them out.
They have also been known to utilize shared code repositories, which gave them away on more than one occasion.
Also, despite all these factors, credential abuse remains one of the most common ways hackers exploit to gain initial cloud access.
Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide