APT39

APT39 is an Iranian cyber espionage group that has been active since at least 2014. They have targeted the telecommunications and travel industries to collect personal information that aligns with Iran's national priorities.[1][2]

ID: G0087
Associated Groups: Chafer
Version: 2.1
Created: 19 February 2019
Last Modified: 29 May 2020

Associated Group Descriptions

Name Description
Chafer Activities associated with APT39 largely align with a group publicly referred to as Chafer.[1][2][5]

Techniques Used

Domain ID Name Use
Enterprise T1071 .004 Application Layer Protocol: DNS

APT39 has used remote access tools that leverage DNS in communications with C2.[4]

.001 Application Layer Protocol: Web Protocols

APT39 has used HTTP in communications with C2.[4]
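The DNS-based C2 noted above leaves a footprint in resolver logs: many unique, long, high-entropy subdomains under a single registered domain, frequently as TXT queries. The following is an added example of that heuristic, written for this page rather than taken from MITRE or any APT39 report. The log lines are constructed; the `registered_domain` helper naively takes the last two labels (a real deployment would use the public suffix list); and the thresholds are assumed starting points to tune per environment.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log, one "<timestamp> <client> <qtype> <qname>" per line.
# These lines are made up for this example; they are not from any APT39 case.
SAMPLE_DNS_LOG = """\
2020-05-01T10:00:01Z 10.1.2.15 A www.example-news.com
2020-05-01T10:00:02Z 10.1.2.15 A cdn.example-news.com
2020-05-01T10:00:05Z 10.1.2.40 TXT 6a5f3e1c9b2d4a8e7f0c1b3d5e9a2c4f.beacon-updates.net
2020-05-01T10:00:06Z 10.1.2.40 TXT 0e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.beacon-updates.net
2020-05-01T10:00:07Z 10.1.2.40 TXT 9f1e2d3c4b5a6978877a6b5c4d3e2f10.beacon-updates.net
2020-05-01T10:00:08Z 10.1.2.40 TXT 3c7a1f9e5b0d8c2a6e4f1b7d9a3e5c08.beacon-updates.net
2020-05-01T10:00:09Z 10.1.2.40 TXT b4d2e8f6a0c1937e5d1a8f3c6b2e9d47.beacon-updates.net
2020-05-01T10:00:12Z 10.1.2.15 A mail.example-news.com
2020-05-01T10:00:13Z 10.1.2.15 A www.example-news.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits per character of a string; 0.0 for empty input or a single repeated symbol."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Simplification: the last two labels. Real code should consult the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def subdomain(qname):
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2])


def score_dns_log(text, min_queries=4, min_unique_ratio=0.9, min_entropy=3.0, max_label_len=30):
    """Return {registered_domain: [reasons]} for domains showing at least two tunnelling indicators.
    All thresholds are assumed defaults, not values from any published detection."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "txt": 0,
                                 "entropies": [], "long_labels": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, _client, qtype, qname = m.groups()
        st = stats[registered_domain(qname)]
        sub = subdomain(qname)
        st["queries"] += 1
        st["subdomains"].add(sub)
        if qtype.upper() == "TXT":
            st["txt"] += 1
        if sub:
            st["entropies"].append(shannon_entropy(sub))
            if max(len(label) for label in sub.split(".")) > max_label_len:
                st["long_labels"] += 1

    findings = {}
    for dom, st in stats.items():
        if st["queries"] < min_queries:
            continue
        unique_ratio = len(st["subdomains"]) / st["queries"]
        mean_entropy = sum(st["entropies"]) / len(st["entropies"]) if st["entropies"] else 0.0
        reasons = []
        if unique_ratio >= min_unique_ratio:
            reasons.append(f"{len(st['subdomains'])} unique subdomains in {st['queries']} queries")
        if mean_entropy >= min_entropy:
            reasons.append(f"mean subdomain entropy {mean_entropy:.2f} bits/char")
        if st["long_labels"]:
            reasons.append(f"{st['long_labels']} queries with a label longer than {max_label_len} chars")
        if st["txt"] and st["txt"] == st["queries"]:
            reasons.append("every query is a TXT lookup")
        if len(reasons) >= 2:
            findings[dom] = reasons
    return findings


if __name__ == "__main__":
    for dom, reasons in score_dns_log(SAMPLE_DNS_LOG).items():
        print(dom, "->", "; ".join(reasons))
```

In the sample, example-news.com has four queries but only three distinct, low-entropy, short subdomains and is left alone, while beacon-updates.net trips the unique-subdomain, entropy, label-length and TXT-only checks. Requiring two independent reasons keeps CDN and telemetry domains, which often produce many unique but short subdomains, from flooding the result.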

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT39 has used WinRAR and 7-Zip to compress and archive stolen data.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT39 has maintained persistence using the startup folder. [1]

.009 Boot or Logon Autostart Execution: Shortcut Modification

APT39 has modified LNK shortcuts. [1]

Enterprise T1110 Brute Force

APT39 has used Ncrack, a network authentication cracking tool, to brute-force credentials for network services.[1]
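Ncrack-style guessing against network services shows up as bursts of failed logons from one source. The detection below is an added example for this page, not tooling from the cited reports: it slides a time window over constructed Windows Event ID 4625 records (reduced to timestamp, source IP, target user, logon type) and separates password spraying (many accounts, few tries each) from single-account brute force. The window size and counts are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records (Event ID 4625) in the reduced form
# "timestamp,source_ip,target_user,logon_type". Logon type 3 is a network logon
# (SMB, WinRM), 10 is RemoteInteractive (RDP). Made up for this example.
SAMPLE_4625 = """\
2020-05-01T02:00:00Z,10.1.2.40,jsmith,3
2020-05-01T02:00:01Z,10.1.2.40,mjones,3
2020-05-01T02:00:02Z,10.1.2.40,admin,3
2020-05-01T02:00:03Z,10.1.2.40,svc_backup,3
2020-05-01T02:00:04Z,10.1.2.40,helpdesk,3
2020-05-01T02:00:05Z,10.1.2.40,rwilson,3
2020-05-01T09:15:00Z,10.1.5.12,jsmith,10
2020-05-01T09:16:30Z,10.1.5.12,jsmith,10
2020-05-01T14:00:00Z,10.1.7.77,administrator,10
2020-05-01T14:00:01Z,10.1.7.77,administrator,10
2020-05-01T14:00:02Z,10.1.7.77,administrator,10
2020-05-01T14:00:03Z,10.1.7.77,administrator,10
2020-05-01T14:00:04Z,10.1.7.77,administrator,10
2020-05-01T14:00:06Z,10.1.7.77,administrator,10
"""


def parse_events(text):
    """Yield (timestamp, source_ip, user, logon_type) tuples from the reduced CSV form."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, ltype = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user.lower(), int(ltype)))
    return events


def detect_bruteforce(text, window=timedelta(minutes=5), min_failures=5, spray_accounts=4):
    """Return {source_ip: finding} for sources with >= min_failures failures inside any
    window. 'password spray' when the window touches >= spray_accounts distinct accounts,
    otherwise 'brute force'. Thresholds are assumed defaults."""
    by_source = defaultdict(list)
    for ev in parse_events(text):
        by_source[ev[1]].append(ev)

    findings = {}
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e[0])
        best, j = None, 0
        for i in range(len(evs)):
            # Two-pointer sliding window: j only moves forward, so this is O(n) per source.
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            count = j - i
            if count < min_failures:
                continue
            accounts = {e[2] for e in evs[i:j]}
            kind = "password spray" if len(accounts) >= spray_accounts else "brute force"
            if best is None or count > best["failures"]:
                best = {"type": kind, "failures": count, "accounts": sorted(accounts),
                        "logon_types": sorted({e[3] for e in evs[i:j]}),
                        "window_start": evs[i][0].isoformat()}
        if best:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, f in detect_bruteforce(SAMPLE_4625).items():
        print(f"{src}: {f['type']} ({f['failures']} failures, accounts={f['accounts']}, "
              f"logon types={f['logon_types']}) from {f['window_start']}")
```

In the sample, 10.1.2.40 fails against six different accounts in six seconds over network logons (spraying), 10.1.7.77 hammers one account over RDP (brute force), and 10.1.5.12, a user mistyping a password twice, stays below the threshold. Keying on logon type lets the alert name the service being attacked, which matters when, as here, the tool in use targets RDP, SSH and SMB alike.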

Enterprise T1115 Clipboard Data

APT39 has used tools capable of stealing contents of the clipboard.[3]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

APT39 utilized custom scripts to perform internal reconnaissance. [1]

.001 Command and Scripting Interpreter: PowerShell

APT39 has used PowerShell to execute malicious code.[4][3]

.006 Command and Scripting Interpreter: Python

APT39 has used a command line utility and a network scanner written in Python.[4]

Enterprise T1136 .001 Create Account: Local Account

APT39 has created accounts on multiple compromised hosts to perform actions within the network.[4]

Enterprise T1555 Credentials from Password Stores

APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords.[4]

Enterprise T1005 Data from Local System

APT39 has used a tool to steal files from the compromised host.[3]

Enterprise T1190 Exploit Public-Facing Application

APT39 has used SQL injection for initial compromise.[3]

Enterprise T1105 Ingress Tool Transfer

APT39 has downloaded tools to compromised hosts.[3]

Enterprise T1056 .001 Input Capture: Keylogging

APT39 has used tools for capturing keystrokes.[3]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

APT39 has used a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe.[4]
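The mfevtpse.exe / mfevtps.exe pairing is a one-character lookalike; the companion trick is running a correctly named system binary from the wrong directory. The check below is an added example for this page, not code from the cited reports: it flags any process whose image name is within edit distance 1 of a known-good name, or whose name matches a known-good entry but whose directory does not. The known-good table and the process inventory are constructed; the McAfee SystemCore path is an assumed value for illustration and should be taken from a clean reference host in practice.

```python
import ntpath

# Known-good image names and the directory each is expected to run from.
# Constructed for this example; the McAfee path is an assumption, and a real
# table would also carry SysWOW64 and per-version install locations.
KNOWN_GOOD = {
    "svchost.exe": r"C:\Windows\System32",
    "lsass.exe": r"C:\Windows\System32",
    "mfevtps.exe": r"C:\Program Files\Common Files\McAfee\SystemCore",
}

# Constructed process inventory (image name, full path) for the example.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("mfevtps.exe", r"C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe"),
    ("mfevtpse.exe", r"C:\ProgramData\McAfee\mfevtpse.exe"),
    ("svch0st.exe", r"C:\Users\Public\svch0st.exe"),
    ("lsass.exe", r"C:\Users\Public\Downloads\lsass.exe"),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
]


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) via the standard two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_process(name, path, known=KNOWN_GOOD, max_distance=1):
    """Return a finding dict for a lookalike name or a known name in the wrong place, else None."""
    name_l = name.lower()
    directory = ntpath.dirname(path).lower().rstrip("\\")
    if name_l in known:
        expected = known[name_l].lower().rstrip("\\")
        if directory != expected:
            return {"image": name, "path": path, "finding": "wrong location",
                    "expected": known[name_l]}
        return None
    for legit in known:
        # Exact matches were handled above, so any hit here is a near-miss spelling.
        if levenshtein(name_l, legit) <= max_distance:
            return {"image": name, "path": path, "finding": "lookalike", "mimics": legit}
    return None


def scan(processes=SAMPLE_PROCESSES):
    """Run check_process over an inventory and keep only the hits."""
    return [f for f in (check_process(n, p) for n, p in processes) if f]


if __name__ == "__main__":
    for f in scan():
        print(f)
```

Against the constructed inventory this reports mfevtpse.exe as a lookalike of mfevtps.exe, svch0st.exe as a lookalike of svchost.exe, and lsass.exe in a user's Downloads folder as a wrong-location hit, while the genuine McAfee service and notepad.exe pass. Edit distance 1 is deliberately tight; widening it catches more creative spellings at the cost of false positives on legitimately similar names.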

Enterprise T1046 Network Service Scanning

APT39 has used CrackMapExec and a custom port scanner known as BLUETORCH for network scanning.[1][4]

Enterprise T1135 Network Share Discovery

APT39 has used the post exploitation tool CrackMapExec to enumerate network shares.[4]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection.[1][4]
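UPX leaves recognisable traces in the PE section table: UPX0/UPX1 section names, a first section that is empty on disk but large in memory, and a packed section whose bytes are close to 8 bits of entropy each. A repacked or modified build, as with the Mimikatz variant above, may have its section names changed, so a useful check looks at layout and entropy as well as names. The parser below is an added example for this page, not a tool from the cited reports; `build_pe` constructs minimal, non-loadable PE images so the example runs offline, and the 7.0 bits-per-byte cut-off is an assumed threshold.

```python
import hashlib
import math
import struct


def shannon_entropy(data):
    """Bits per byte, 0.0 for empty input; compressed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Follow e_lfanew to the COFF header, skip the optional header, and read the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _psym, _nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # COFF header is 20 bytes, then the optional header
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(data), 2)})
    return sections


def assess_packing(pe, entropy_threshold=7.0):
    """Combine name, layout and entropy indicators; threshold is an assumed default."""
    sections = parse_sections(pe)
    indicators = []
    if any(s["name"].upper().startswith("UPX") for s in sections):
        indicators.append("UPX section names")
    # UPX decompresses into the first section, so it has no raw data but a large virtual size.
    if sections and sections[0]["raw_size"] == 0 and sections[0]["virtual_size"] > 0:
        indicators.append("first section has no raw data but a non-zero virtual size")
    hot = [s["name"] for s in sections if s["raw_size"] >= 256 and s["entropy"] > entropy_threshold]
    if hot:
        indicators.append("high-entropy sections: " + ", ".join(hot))
    return {"sections": [s["name"] for s in sections], "indicators": indicators,
            "likely_packed": "UPX section names" in indicators or len(indicators) >= 2}


def build_pe(sections):
    """Assemble a minimal PE32 image from (name, raw_data, virtual_size) tuples.
    Constructed only to exercise the parser; it is not a loadable executable."""
    e_lfanew, opt_size = 0x40, 0xE0
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    table, blobs, raw_ptr, vaddr = b"", b"", headers_len, 0x1000
    for name, data, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(data), raw_ptr if data else 0, 0, 0, 0, 0, 0xE0000040)
        raw_ptr += len(data)
        vaddr += (vsize + 0xFFF) & ~0xFFF
        blobs += data
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + blobs


# Deterministic pseudo-random bytes stand in for a compressed payload (4096 bytes).
_NOISE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
# Repetitive x86 prologue bytes stand in for ordinary, unpacked code.
_CODE = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57" * 400

PACKED_SAMPLE = build_pe([(b"UPX0", b"", 0x8000), (b"UPX1", _NOISE, 0x2000), (b".rsrc", b"\0" * 512, 0x200)])
UNPACKED_SAMPLE = build_pe([(b".text", _CODE, 0x1000), (b".data", b"\0" * 512, 0x200)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        print(label, assess_packing(img))
```

The packed sample trips all three indicators; the unpacked one trips none. Because the decision also accepts any two of the layout and entropy signals, a UPX build whose section names were renamed is still caught, which is the case that a plain string match for "UPX" misses.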

Enterprise T1003 OS Credential Dumping

APT39 has used different versions of Mimikatz to obtain credentials.[4]

.001 LSASS Memory

APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials. [1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT39 leveraged spearphishing emails with malicious attachments to initially compromise victims. [1][3]

.002 Phishing: Spearphishing Link

APT39 leveraged spearphishing emails with malicious links to initially compromise victims. [1]

Enterprise T1090 .001 Proxy: Internal Proxy

APT39 has used custom tools to create SOCKS5 and custom protocol proxies between infected hosts.[1][4]

.002 Proxy: External Proxy

APT39 has used various tools to proxy C2 communications.[4]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

APT39 has been seen using RDP for lateral movement and persistence, in some cases employing the rdpwinst tool for management of multiple sessions.[1][4]

.004 Remote Services: SSH

APT39 used secure shell (SSH) to move laterally among their targets. [1]

.002 Remote Services: SMB/Windows Admin Shares

APT39 has used SMB for lateral movement.[3]

Enterprise T1018 Remote System Discovery

APT39 has used nbtscan and custom tools to discover remote systems. [1][4][3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT39 has created scheduled tasks for persistence. [1][4]

Enterprise T1113 Screen Capture

APT39 has used a screen capture utility to take screenshots on a compromised host.[3]

Enterprise T1505 .003 Server Software Component: Web Shell

APT39 has installed ANTAK and ASPXSPY web shells. [1]

Enterprise T1033 System Owner/User Discovery

APT39 used Remexi to collect usernames from the system. [2]

Enterprise T1569 .002 System Services: Service Execution

APT39 has used post-exploitation tools including RemCom and the Non-sucking Service Manager (NSSM) to execute processes.[4][3]

Enterprise T1204 .002 User Execution: Malicious File

APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment. [1][4][3]

.001 User Execution: Malicious Link

APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link. [1]

Enterprise T1078 Valid Accounts

APT39 has used stolen credentials to compromise Outlook Web Access (OWA). [1]

Enterprise T1102 .002 Web Service: Bidirectional Communication

APT39 has communicated with C2 through files uploaded to Dropbox.[4]

Software

ID Name References Techniques
S0073 ASPXSpy

[1]

Server Software Component: Web Shell
S0454 Cadelspy

[2]

Application Window Discovery, Archive Collected Data, Audio Capture, Clipboard Data, Input Capture: Keylogging, Peripheral Device Discovery, Screen Capture, System Information Discovery
S0459 MechaFlounder

[7]

Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Exfiltration Over C2 Channel, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, System Owner/User Discovery
S0002 Mimikatz

[1][4][5][3]

Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0029 PsExec

[1][4][3]

Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0006 pwdump

[3]

OS Credential Dumping: Security Account Manager
S0375 Remexi

[2][6][3]

Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data, Boot or Logon Autostart Execution: Winlogon Helper DLL, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, File and Directory Discovery, Input Capture: Keylogging, Obfuscated Files or Information, Scheduled Task/Job: Scheduled Task, Screen Capture, Windows Management Instrumentation
S0005 Windows Credential Editor

[1][5]

OS Credential Dumping: LSASS Memory

References