
APT42 Cybercriminals Masquerade as Reporters to Steal Login Details and Breach Cloud Data

The Iranian state-backed hacking group APT42 is using sophisticated social engineering to gain access to target networks and cloud environments.

The targets include Western and Middle Eastern NGOs, media organizations, academia, legal services, and activists, as reported by Google Cloud subsidiary Mandiant.

“APT42 was seen pretending to be journalists and event organizers to establish trust with their victims through ongoing communication and to send invitations to conferences or legitimate documents,” the company stated.

“These social engineering tactics allowed APT42 to gather credentials and use them to gain initial entry into cloud environments. Subsequently, the threat actor discreetly extracted data of strategic importance to Iran, while leveraging built-in features and open-source tools to evade detection.”

First publicly documented by Mandiant in September 2022, APT42 (also tracked as Damselfly and UNC788) is an Iranian state-sponsored cyber espionage group tasked with information gathering and surveillance operations against individuals and organizations of strategic importance to the Iranian government.

It’s believed to be a subset of another well-known threat group referred to as APT35, also known by multiple aliases such as CALANQUE, CharmingCypress, Charming Kitten, ITG18, Mint Sandstorm (formerly Phosphorus), Newscaster, TA453, and Yellow Garuda.

Both groups are linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) but operate with distinct objectives.

While Charming Kitten concentrates on long-term, malware-intensive operations targeting organizations and companies in the U.S. and Middle East to steal data, APT42 focuses on specific individuals and organizations of interest to the Iranian regime for domestic politics, foreign policy, and regime stability.

In January, Microsoft attributed phishing campaigns targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the U.K., and the U.S. to the Charming Kitten actor.

APT42’s attacks typically involve extensive credential harvesting operations to obtain Microsoft, Yahoo, and Google credentials through spear-phishing emails containing malicious links leading to fake login pages.

In these campaigns, the adversary uses domains mimicking the original entities and poses as news outlets, legitimate services like Dropbox, Google Meet, LinkedIn, and YouTube, as well as mailer daemons and URL shortening tools.
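The lookalike domains described above (a brand name embedded in an unrelated domain, a homoglyph such as a zero for an "o", or the real brand hostname placed in the subdomain of an attacker-controlled domain) are cheap to screen for in mail-gateway or proxy logs. The Python below is an added example, not code from Mandiant or the article: the brand list, the allowlist of registrable domains those brands actually use, and the sample URLs are all constructed here, and the registrable-domain split is a two-label heuristic (a real deployment would use the Public Suffix List).

```python
"""Flag lookalike domains in URLs pulled from suspected phishing mail.

Added example (not code from Mandiant or the article). The brand list, the
legitimate-domain allowlist and the sample URLs are all constructed here.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Brands the article says APT42 impersonates, plus the registrable domains
# those brands actually use (assumed allowlist; load a maintained one in prod).
BRANDS = ("dropbox", "google", "linkedin", "microsoft", "yahoo", "youtube")
LEGIT_REGISTRABLE = {
    "dropbox.com", "google.com", "linkedin.com", "microsoft.com",
    "microsoftonline.com", "yahoo.com", "youtube.com",
}

# Visual substitutions common in typosquats. Multi-character swaps run first
# so "rn" becomes "m" before single characters are mapped.
MULTI_HOMOGLYPHS = (("rn", "m"), ("vv", "w"))
SINGLE_HOMOGLYPHS = str.maketrans("01357", "olest")


@dataclass
class Finding:
    host: str
    brand: str
    reason: str


def normalize(label: str) -> str:
    """Collapse hyphens and homoglyphs so 'dr0p-box' compares equal to 'dropbox'."""
    s = label.lower().replace("-", "")
    for src, dst in MULTI_HOMOGLYPHS:
        s = s.replace(src, dst)
    return s.translate(SINGLE_HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str):
    """Return (registrable domain, subdomain labels).

    Assumes the registrable domain is the last two labels; use the Public
    Suffix List in production so 'example.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def classify(url: str):
    """Return a Finding for a lookalike host, or None for allowlisted/unrelated hosts."""
    host = urlparse(url).hostname or ""
    if not host:
        return None
    registrable, subs = split_host(host)
    if registrable in LEGIT_REGISTRABLE:
        return None  # the real domain, or a real subdomain of it
    sld = registrable.split(".")[0]
    norm = normalize(sld)
    for brand in BRANDS:
        if norm == brand:
            return Finding(host, brand, "brand spelled with homoglyphs or on unexpected TLD")
        if brand in norm:
            return Finding(host, brand, "brand name embedded in unrelated domain")
        if levenshtein(norm, brand) <= 1:
            return Finding(host, brand, "one edit away from brand name")
    # Brand placed in a subdomain, e.g. login.yahoo.com.<attacker-domain>
    for label in subs:
        for brand in BRANDS:
            if brand in normalize(label):
                return Finding(host, brand, "brand name in subdomain of unrelated domain")
    return None


def scan(urls):
    """Classify each URL and keep only the findings."""
    return [f for f in (classify(u) for u in urls) if f is not None]


# Constructed sample input: real sign-in hosts mixed with lookalikes.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://accounts.google.com/signin/v2",
    "https://microsoft-online-verify.com/login",
    "https://www.dr0pbox.com/s/shared-agenda",
    "https://linkedln.com/in/conference-organiser",
    "https://login.yahoo.com.mail-secure-check.net/verify",
    "https://bit.ly/3abcdef",  # shortener: resolve the redirect first, then rescan
]

if __name__ == "__main__":
    for f in scan(SAMPLE_URLS):
        print(f"{f.host:45} {f.brand:10} {f.reason}")
```

The "brand embedded" rule is deliberately noisy (it will also flag a legitimate third-party "youtube-downloader" style domain), so in practice pair it with an allowlist and with resolution of shortener links, which this example does not follow.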

Once the victim's trust has been won, the credential theft is followed by data exfiltration from the victim's public cloud infrastructure to acquire documents of interest to Iran, a patient, relationship-driven approach at which Charming Kitten excels.

Figure: Known malware families associated with APT42

“The operations begin with advanced social engineering tactics to gain initial network access, often involving ongoing trust-building communication with the victim,” explained Mandiant.

“Subsequently, the necessary credentials are obtained, and multi-factor authentication (MFA) is bypassed by providing a cloned website to capture the MFA token (which failed) and later by sending MFA push notifications to the victim (which succeeded).”

To conceal its activity and blend in, the adversary uses publicly available tools, exfiltrates files to a OneDrive account posing as the victim's organization, and reaches the compromised environment through VPN and anonymized infrastructure.
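The MFA bypass quoted above, repeated push prompts until the victim approves one, is usually called MFA fatigue or push bombing, and it leaves a clear pattern in identity-provider sign-in logs. The Python below is an added example, not code from Mandiant or the article: it runs over constructed sign-in records (the field names `ts`, `user`, `result` and `src_ip` are assumptions; map your own provider's fields onto them) and alerts when an approval follows three or more refused or timed-out prompts within 15 minutes, or when such a burst is still unanswered. The source IPs it reports are what you would then compare against the VPN and anonymizing infrastructure mentioned above.

```python
"""Detect MFA push fatigue (push bombing) in sign-in records.

Added example (not from Mandiant's report or the article). The record format,
field names and the log lines below are constructed for illustration.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # how far back prompts are counted
THRESHOLD = 3                   # refused/timed-out prompts in the window before alerting

# Constructed sample: one JSON line per push challenge.
SAMPLE_LOG = """\
{"ts": "2024-05-06T10:00:00+00:00", "user": "alice", "result": "denied",   "src_ip": "203.0.113.7"}
{"ts": "2024-05-06T10:02:00+00:00", "user": "alice", "result": "timeout",  "src_ip": "203.0.113.7"}
{"ts": "2024-05-06T10:04:00+00:00", "user": "alice", "result": "denied",   "src_ip": "198.51.100.23"}
{"ts": "2024-05-06T10:06:00+00:00", "user": "alice", "result": "denied",   "src_ip": "198.51.100.23"}
{"ts": "2024-05-06T10:08:00+00:00", "user": "alice", "result": "timeout",  "src_ip": "203.0.113.7"}
{"ts": "2024-05-06T10:09:00+00:00", "user": "alice", "result": "approved", "src_ip": "203.0.113.7"}
{"ts": "2024-05-06T11:00:00+00:00", "user": "bob",   "result": "approved", "src_ip": "192.0.2.10"}
{"ts": "2024-05-06T12:00:00+00:00", "user": "carol", "result": "denied",   "src_ip": "203.0.113.99"}
{"ts": "2024-05-06T12:02:00+00:00", "user": "carol", "result": "denied",   "src_ip": "203.0.113.99"}
{"ts": "2024-05-06T12:04:00+00:00", "user": "carol", "result": "denied",   "src_ip": "203.0.113.99"}
{"ts": "2024-05-06T13:00:00+00:00", "user": "dave",  "result": "denied",   "src_ip": "192.0.2.44"}
{"ts": "2024-05-06T13:30:00+00:00", "user": "dave",  "result": "denied",   "src_ip": "192.0.2.44"}
{"ts": "2024-05-06T14:00:00+00:00", "user": "dave",  "result": "approved", "src_ip": "192.0.2.44"}
"""


@dataclass
class Alert:
    kind: str       # "approved_after_push_spam" or "unanswered_push_spam"
    user: str
    prompts: int    # refused/timed-out prompts inside the window
    src_ips: list   # where the challenges were triggered from
    first: datetime
    last: datetime


def parse_log(text):
    """Parse JSON lines into dicts with a real datetime, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def _alert(kind, user, evs):
    refused = [e for e in evs if e["result"] != "approved"]
    return Alert(kind, user, len(refused),
                 sorted({e["src_ip"] for e in evs}),
                 evs[0]["ts"], evs[-1]["ts"])


def detect_push_fatigue(records, window=WINDOW, threshold=THRESHOLD):
    """Alert on an approval that follows a burst of refused prompts, and on a
    burst that is still unanswered (the victim has not given in yet)."""
    by_user = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_user[rec["user"]].append(rec)

    alerts = []
    for user, events in by_user.items():
        pending = []  # refused/timed-out prompts no older than `window`
        for ev in events:
            pending = [p for p in pending if ev["ts"] - p["ts"] <= window]
            if ev["result"] == "approved":
                if len(pending) >= threshold:
                    alerts.append(_alert("approved_after_push_spam", user, pending + [ev]))
                pending = []  # an approval ends the burst either way
            else:
                pending.append(ev)
        if len(pending) >= threshold:
            alerts.append(_alert("unanswered_push_spam", user, pending))
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"{a.kind:26} {a.user:6} prompts={a.prompts} ips={a.src_ips} "
              f"{a.first:%H:%M} to {a.last:%H:%M}")
```

In the sample, "dave" refuses two prompts 30 minutes apart and later approves one, which the window correctly ignores; tune `WINDOW` and `THRESHOLD` to your own prompt volume. Push bombing works because a plain approve/deny prompt carries no proof that the user is the one logging in; number matching or phishing-resistant factors (FIDO2) remove the technique rather than merely detecting it.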

APT42 also employs two custom backdoors that serve as a pivot point for deploying additional malware or executing commands on the compromised host:

  • NICECURL (aka BASICSTAR) – A VBScript backdoor capable of downloading additional modules for execution, including data mining and arbitrary command execution
  • TAMECAT – A PowerShell backdoor for executing arbitrary PowerShell or C# content

Notably, Volexity analyzed NICECURL in February 2024 in connection with a series of cyber attacks aimed at Middle East policy experts.

“APT42 has maintained a focus on intelligence gathering and targets a similar victim pool, even amidst the Israel-Hamas conflict that has prompted other Iranian-linked actors to engage in disruptive and destructive activities,” Mandiant concluded.

“The tactics used by APT42 leave a limited footprint, making detection and mitigation of their activities more challenging for network defenders.”
