APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.[1][2][3][4][5]
Name | Description |
---|---|
ITG07 | |
Chafer |
Activities associated with APT39 largely align with a group publicly referred to as Chafer.[1][2][6][3][4][5] |
Remix Kitten |
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
.004 | Application Layer Protocol: DNS |
APT39 has used remote access tools that leverage DNS in communications with C2.[8] |
||
Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
APT39 has used WinRAR and 7-Zip to compress an archive stolen data.[1] |
Enterprise | T1197 | BITS Jobs |
APT39 has used the BITS protocol to exfiltrate stolen data from a compromised host.[3] |
|
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
APT39 has maintained persistence using the startup folder.[1] |
.009 | Boot or Logon Autostart Execution: Shortcut Modification | |||
Enterprise | T1110 | Brute Force | ||
Enterprise | T1115 | Clipboard Data |
APT39 has used tools capable of stealing contents of the clipboard.[9] |
|
Enterprise | T1059 | Command and Scripting Interpreter |
APT39 has utilized custom scripts to perform internal reconnaissance.[1][3] |
|
.001 | PowerShell | |||
.005 | Visual Basic | |||
.006 | Python |
APT39 has used a command line utility and a network scanner written in python.[8][3] |
||
.010 | AutoHotKey & AutoIT |
APT39 has utilized AutoIt malware scripts embedded in Microsoft Office documents or malicious links.[3] |
||
Enterprise | T1136 | .001 | Create Account: Local Account |
APT39 has created accounts on multiple compromised hosts to perform actions within the network.[8] |
Enterprise | T1555 | Credentials from Password Stores |
APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords.[8] |
|
Enterprise | T1005 | Data from Local System |
APT39 has used various tools to steal files from the compromised host.[9][3] |
|
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
APT39 has utilized tools to aggregate data prior to exfiltration.[3] |
Enterprise | T1140 | Deobfuscate/Decode Files or Information | ||
Enterprise | T1546 | .010 | Event Triggered Execution: AppInit DLLs |
APT39 has used malware to set |
Enterprise | T1041 | Exfiltration Over C2 Channel |
APT39 has exfiltrated stolen victim data through C2 communications.[3] |
|
Enterprise | T1190 | Exploit Public-Facing Application | ||
Enterprise | T1083 | File and Directory Discovery |
APT39 has used tools with the ability to search for files on a compromised host.[3] |
|
Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
APT39 has used malware to delete files after they are deployed on a compromised host.[3] |
Enterprise | T1105 | Ingress Tool Transfer | ||
Enterprise | T1056 | Input Capture | ||
.001 | Keylogging | |||
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe.[8][3] |
Enterprise | T1046 | Network Service Discovery |
APT39 has used CrackMapExec and a custom port scanner known as BLUETORCH for network scanning.[1][8] |
|
Enterprise | T1135 | Network Share Discovery |
APT39 has used the post exploitation tool CrackMapExec to enumerate network shares.[8] |
|
Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection.[1][8] |
.013 | Obfuscated Files or Information: Encrypted/Encoded File | |||
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
APT39 has modified and used customized versions of publicly-available tools like PLINK and Mimikatz.[8][10] |
Enterprise | T1003 | OS Credential Dumping |
APT39 has used different versions of Mimikatz to obtain credentials.[8] |
|
.001 | LSASS Memory |
APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials.[1] |
||
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
APT39 leveraged spearphishing emails with malicious attachments to initially compromise victims.[1][9][3] |
.002 | Phishing: Spearphishing Link |
APT39 leveraged spearphishing emails with malicious links to initially compromise victims.[1][3] |
||
Enterprise | T1090 | .001 | Proxy: Internal Proxy |
APT39 used custom tools to create SOCK5 and custom protocol proxies between infected hosts.[1][8] |
.002 | Proxy: External Proxy | |||
Enterprise | T1012 | Query Registry |
APT39 has used various strains of malware to query the Registry.[3] |
|
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
APT39 has been seen using RDP for lateral movement and persistence, in some cases employing the rdpwinst tool for mangement of multiple sessions.[1][8] |
.002 | Remote Services: SMB/Windows Admin Shares | |||
.004 | Remote Services: SSH |
APT39 used secure shell (SSH) to move laterally among their targets.[1] |
||
Enterprise | T1018 | Remote System Discovery |
APT39 has used NBTscan and custom tools to discover remote systems.[1][8][9] |
|
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task | |
Enterprise | T1113 | Screen Capture |
APT39 has used a screen capture utility to take screenshots on a compromised host.[9][3] |
|
Enterprise | T1505 | .003 | Server Software Component: Web Shell | |
Enterprise | T1553 | .006 | Subvert Trust Controls: Code Signing Policy Modification |
APT39 has used malware to turn off the |
Enterprise | T1033 | System Owner/User Discovery | ||
Enterprise | T1569 | .002 | System Services: Service Execution |
APT39 has used post-exploitation tools including RemCom and the Non-sucking Service Manager (NSSM) to execute processes.[8][9] |
Enterprise | T1204 | .001 | User Execution: Malicious Link |
APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link.[1][3] |
.002 | User Execution: Malicious File |
APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment.[1][8][9][3] |
||
Enterprise | T1078 | Valid Accounts |
APT39 has used stolen credentials to compromise Outlook Web Access (OWA).[1] |
|
Enterprise | T1102 | .002 | Web Service: Bidirectional Communication |
APT39 has communicated with C2 through files uploaded to and downloaded from DropBox.[8] |