December 22, 2024
APT42 Hackers Pose as Journalists to Harvest Credentials and Access Cloud Data

The Iranian state-backed hacking outfit called APT42 is making use of enhanced social engineering schemes to infiltrate target networks and cloud environments.

Targets of the attack include Western and Middle Eastern NGOs, media organizations, academia, legal services and activists, Google Cloud subsidiary Mandiant said in a report published last week.

“APT42 was observed posing as journalists and event organizers to build trust with their victims through ongoing correspondence, and to deliver invitations to conferences or legitimate documents,” the company said.

“These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to cloud environments. Subsequently, the threat actor covertly exfiltrated data of strategic interest to Iran, while relying on built-in features and open-source tools to avoid detection.”

APT42 (aka Damselfly and UNC788), first documented by the company in September 2022, is an Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.

It’s assessed to be a subset of another infamous threat group tracked as APT35, which is also known by various names, including CALANQUE, CharmingCypress, Charming Kitten, ITG18, Mint Sandstorm (formerly Phosphorus), Newscaster, TA453, and Yellow Garuda.

Both groups are affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), but operate with a different set of goals.

While Charming Kitten focuses more on long-term, malware-intensive operations targeting organizations and companies in the U.S. and Middle East to steal data, APT42, in contrast, targets specific individuals and organizations that the regime has its eye on for the purpose of domestic politics, foreign policy, and regime stability.

Earlier this January, Microsoft attributed the Charming Kitten actor to phishing campaigns targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the U.K., and the U.S. since November 2023.

Attacks mounted by the group are known to involve extensive credential harvesting operations to gather Microsoft, Yahoo, and Google credentials via spear-phishing emails containing malicious links to lure documents that redirect the recipients to a fake login page.

In these campaigns, the adversary has been observed sending emails from domains typosquatting the original entities and masquerading as news outlets; legitimate services like Dropbox, Google Meet, LinkedIn, and YouTube; and mailer daemons and URL shortening tools.

The credential-grabbing attacks are complemented by data exfiltration activities targeting the victims’ public cloud infrastructure to get hold of documents that are of interest to Iran, but only after gaining their trust – something Charming Kitten is well-versed in.

Known malware families associated with APT42

“These operations began with enhanced social engineering schemes to gain the initial access to victim networks, often involving ongoing trust-building correspondence with the victim,” Mandiant said.

“Only then the desired credentials are acquired and multi-factor authentication (MFA) is bypassed, by serving a cloned website to capture the MFA token (which failed) and later by sending MFA push notifications to the victim (which succeeded).”
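The push-notification MFA bypass described in that quote is usually called MFA push fatigue: the attacker, holding a valid password, triggers push prompts until the victim approves one. The following is an added example, not code from the article or from Mandiant’s report, that flags that pattern in constructed sign-in events (the log format, user names and result values are assumptions; real identity providers expose equivalent fields under other names).

```python
"""Added example (not from the article or Mandiant's report): flag MFA push
fatigue, i.e. repeated push prompts to one user in a short window, and note
whether a prompt was finally approved after earlier refusals or timeouts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: (timestamp, user, mfa_result). Values are made up.
SAMPLE_EVENTS = [
    ("2024-12-20T08:01:10", "alice@example.org", "push_denied"),
    ("2024-12-20T08:01:55", "alice@example.org", "push_timeout"),
    ("2024-12-20T08:02:40", "alice@example.org", "push_denied"),
    ("2024-12-20T08:03:20", "alice@example.org", "push_approved"),
    ("2024-12-20T09:15:00", "bob@example.org", "push_approved"),
    ("2024-12-20T17:30:00", "bob@example.org", "push_timeout"),
]


def detect_push_fatigue(events, window=timedelta(minutes=10), min_prompts=3):
    """Return {user: [(burst_start_iso, prompt_count, approved_after_refusal)]}
    for users who received at least `min_prompts` push challenges within
    `window`. approved_after_refusal is True when the last prompt of the burst
    was approved and an earlier prompt in it was denied or timed out: the
    outcome the attack is designed to produce and the highest-priority alert."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((datetime.fromisoformat(ts), result))
    findings = defaultdict(list)
    for user, seq in by_user.items():
        start = 0
        for end in range(len(seq)):
            # Advance the window start so seq[start:end + 1] spans <= window.
            while seq[end][0] - seq[start][0] > window:
                start += 1
            burst = seq[start:end + 1]
            if len(burst) < min_prompts:
                continue
            refused_earlier = any(r != "push_approved" for _, r in burst[:-1])
            approved = burst[-1][1] == "push_approved" and refused_earlier
            entry = (burst[0][0].isoformat(), len(burst), approved)
            # A growing burst with the same start replaces its earlier report.
            if findings[user] and findings[user][-1][0] == entry[0]:
                findings[user][-1] = entry
            else:
                findings[user].append(entry)
    return dict(findings)


if __name__ == "__main__":
    for user, hits in detect_push_fatigue(SAMPLE_EVENTS).items():
        for start, count, approved in hits:
            print(f"{user}: {count} push prompts from {start}, approved after refusal={approved}")
```

On the sample data only alice is reported (four prompts in about two minutes, approved after two denials and a timeout); bob’s two prompts hours apart are not.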

In an effort to cover up its tracks and blend in, the adversary has been found relying on publicly available tools, exfiltrating files to a OneDrive account masquerading as the victim’s organization, and employing VPN and anonymized infrastructure to interact with the compromised environment.

Also used by APT42 are two custom backdoors that act as a jumping-off point to deploy additional malware or to manually execute commands on the device –

  • NICECURL (aka BASICSTAR) – A backdoor written in VBScript that can download additional modules to be executed, including data mining and arbitrary command execution
  • TAMECAT – A PowerShell toehold that can execute arbitrary PowerShell or C# content

It’s worth noting that NICECURL was previously dissected by cybersecurity company Volexity in February 2024 in connection with a series of cyber attacks aimed at Middle East policy experts.

“APT42 has remained relatively focused on intelligence collection and targeting similar victimology, despite the Israel-Hamas war that has led other Iran-nexus actors to adapt by conducting disruptive, destructive, and hack-and-leak activities,” Mandiant concluded.

“The methods deployed by APT42 leave a minimal footprint and might make the detection and mitigation of their activities more challenging for network defenders.”
