May 18, 2024
By Cybervergent Team

Honey-Tongued Hackers: The Cunning Tactics of APT42

When thefox cannot reach the grapes, he declares them sour - So too does the Iranian hackingcollective APT42 adapt its methods, as this state-sponsored group leveragesrefined social engineering to infiltrate its targets, their deception as sweetas the stolen data they covet.

The Hack:

The Iranianstate-backed hacking group APT42 is conducting advanced social engineeringschemes to infiltrate target networks and cloud environments.

The group is posing as journalists and eventorganizers to build trust with victims and deliver malicious content thatharvests credentials.

APT42 then uses the stolen credentials to gaininitial access to cloud environments and covertly exfiltrate data of strategicinterest to Iran.

 

TheTools:

APT42 utilizes two custom backdoors:

 1. NICECURL (aka BASICSTAR) - AVBScript-based backdoor that can download and execute additional modules,including data mining and arbitrary command execution.

 2. TAMECAT - A PowerShell toehold thatcan execute arbitrary PowerShell or C# content.

The group also relies on publicly availabletools and anonymized infrastructure to avoid detection.

TheProcess:

SocialEngineering Schemes:APT42 poses as trusted entities like journalists and event organizers to buildrapport with victims.

CredentialHarvesting: Themalicious content lures victims to fake login pages, enabling APT42 to stealtheir credentials, the group also utilizes techniques like cloned websites andMFA bypass to acquire the necessary access.

Hidden inPlain Sight: APT42relies on a combination of custom and publicly available tools to maintain alow profile, the group also employs VPNs, anonymized infrastructure, andtactics to blend in with normal user activity.

PersistentPresence: APT42establishes a foothold in the targeted environments using custom backdoors.These backdoors, such as NICECURL and TAMECAT, serve as a launchpad for furthermalware deployment and remote command execution.

TheTargets:

APT42 targets NGOs, media organizations,academia, legal services, and activists. It is primarily focused onintelligence collection and surveillance against individuals and organizationsof strategic interest to the Iranian government.

TheTakeaway:

APT42 demonstrates advanced social engineeringcapabilities to gain initial access and establish persistence within targetenvironments which makes it a formidable threat for network defenders.

Mitigations:

Implement robust credential management andmulti-factor authentication mechanisms to prevent initial access via stolencredentials.

Ensure all assets are regularly monitored forsuspicious login attempts and network activities that may indicate ongoingsocial engineering or credential harvesting campaigns.

Educate employees on social engineeringtactics and the importance of verifying the legitimacy of communication beforeengaging or providing sensitive information.

Maintain strong visibility and incidentresponse capabilities to quickly detect and respond to potential APT42intrusions.

Download Report Now