Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents

A state-sponsored advanced persistent threat (APT) actor newly
christened APT42 (formerly UNC788) has been attributed to over 30
confirmed espionage attacks against individuals and organizations
of strategic interest to the Iranian government since at least
2015.

Cybersecurity firm Mandiant said the group operates as the
intelligence gathering arm of Iran’s Islamic Revolutionary Guard
Corps (IRGC) and shares partial overlaps with another
cluster called APT35[1], which is also known as
Charming Kitten, Cobalt Illusion, ITG18, Phosphorus, TA453, and
Yellow Garuda.

APT42 has exhibited a propensity to strike various industries
such as non-profits, education, governments, healthcare, legal,
manufacturing, media, and pharmaceuticals spanning at least 14
countries, including in Australia, Europe, the Middle East, and the
U.S.

Intrusions aimed at the pharmaceutical sector are also notable
for the fact that they commenced at the onset of the COVID-19
pandemic in March 2020, indicating the threat actor’s ability to
swiftly modify its campaigns in order to meet its operational
priorities.

“APT42 uses highly targeted spear-phishing and social
engineering techniques designed to build trust and rapport with
their victims in order to access their personal or corporate email
accounts or to install Android malware on their mobile devices,”
Mandiant said[2]
in a report.

The goal is to exploit the fraudulent trust relationships to
steal credentials, enabling the threat actor to leverage the access
to conduct follow-on compromises of corporate networks to gather
sensitive data and use the breached accounts to phish additional
victims.

Attack chains involve a mix of highly targeted spear-phishing
messages aimed at individuals and organizations of strategic
interest to Iran. They are also conceived with the intent to build
trust with former government officials, journalists, policymakers,
and the Iranian diaspora abroad in hopes of distributing
malware.

Outside of using hacked email accounts associated with think
tanks to target researchers and other academic organizations, APT42
is often known to impersonate journalists and other professionals
to engage with the victims for several days or even weeks before
sending a malicious link.

In one attack observed in May 2017, the group targeted members
of an Iranian opposition group operating from Europe and North
America with email messages that contained links to rogue Google
Books pages, which redirected victims to sign-in pages designed to
siphon credentials and two-factor authentication codes.

Surveillance operations involve distributing, via text messages,
Android malware such as VINETHORN and PINEFLOWER that is
capable of recording audio and phone calls, extracting multimedia
content and SMSes, and tracking geolocations. A VINETHORN payload
spotted between April and October 2021 masqueraded as a VPN app
called SaferVPN.

“The use of Android malware to target individuals of interest to
the Iranian government provides APT42 with a productive method of
obtaining sensitive information on targets, including movement,
contacts, and personal information,” the researchers noted.

The group is also said to use a raft of lightweight Windows
malware from time to time – a PowerShell toehold backdoor named
TAMECAT, a VBA-based macro dropper dubbed TABBYCAT, and a reverse
shell macro known as VBREVSHELL – to augment their credential
harvesting and espionage activities.

APT42’s links to APT35 stem from links to an uncategorized
threat cluster tracked as UNC2448, which Microsoft (DEV-0270[3]) and Secureworks
(Cobalt Mirage[4]) disclosed as a
Phosphorus subgroup carrying out ransomware attacks for financial
gain using BitLocker.

Mandiant’s analysis further lends credence to Microsoft’s
findings that DEV-0270/UNC2448 is operated by a front company that
uses two public aliases, namely Secnerd and Lifeweb, both of which
are connected to Najee Technology Hooshmand.

That said, it’s suspected the two adversarial
collectives, despite their affiliation with the IRGC, originate from
disparate missions based on differences in targeting patterns and
the tactics employed.

A key point of distinction is that while APT35 is oriented
towards long-term, resource-intensive operations targeting
different industry verticals in the U.S. and the Middle East,
APT42’s activities focus on individuals and entities for “domestic
politics, foreign policy, and regime stability purposes.”

“The group has displayed its ability to rapidly alter its
operational focus as Iran’s priorities change over time with
evolving domestic and geopolitical conditions,” the researchers
said.

References

  1. APT35 (thehackernews.com)
  2. said (www.mandiant.com)
  3. DEV-0270 (thehackernews.com)
  4. Cobalt Mirage (thehackernews.com)
