APT39

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.[1][2][3][4][5]

ID: G0087
Associated Groups: ITG07, Chafer, Remix Kitten
Version: 3.1
Created: 19 February 2019
Last Modified: 02 September 2022

Associated Group Descriptions

Name Description
ITG07

[3][4][5]

Chafer

Activities associated with APT39 largely align with a group publicly referred to as Chafer.[1][2][6][3][4][5]

Remix Kitten

[7]

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT39 has used HTTP in communications with C2.[8][3]

.004 Application Layer Protocol: DNS

APT39 has used remote access tools that leverage DNS in communications with C2.[8]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT39 has used WinRAR and 7-Zip to compress an archive stolen data.[1]

Enterprise T1197 BITS Jobs

APT39 has used the BITS protocol to exfiltrate stolen data from a compromised host.[3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT39 has maintained persistence using the startup folder.[1]

.009 Boot or Logon Autostart Execution: Shortcut Modification

APT39 has modified LNK shortcuts.[1]

Enterprise T1110 Brute Force

APT39 has used Ncrack to reveal credentials.[1]

Enterprise T1115 Clipboard Data

APT39 has used tools capable of stealing contents of the clipboard.[9]

Enterprise T1059 Command and Scripting Interpreter

APT39 has utilized AutoIt and custom scripts to perform internal reconnaissance.[1][3]

.001 PowerShell

APT39 has used PowerShell to execute malicious code.[8][9]

.005 Visual Basic

APT39 has utilized malicious VBS scripts in malware.[3]

.006 Python

APT39 has used a command line utility and a network scanner written in python.[8][3]

Enterprise T1136 .001 Create Account: Local Account

APT39 has created accounts on multiple compromised hosts to perform actions within the network.[8]

Enterprise T1555 Credentials from Password Stores

APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords.[8]

Enterprise T1005 Data from Local System

APT39 has used various tools to steal files from the compromised host.[9][3]

Enterprise T1074 .001 Data Staged: Local Data Staging

APT39 has utilized tools to aggregate data prior to exfiltration.[3]

Enterprise T1140 Deobfuscate/Decode Files or Information

APT39 has used malware to decrypt encrypted CAB files.[3]

Enterprise T1546 .010 Event Triggered Execution: AppInit DLLs

APT39 has used malware to set LoadAppInit_DLLs in the Registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows in order to establish persistence.[3]

Enterprise T1041 Exfiltration Over C2 Channel

APT39 has exfiltrated stolen victim data through C2 communications.[3]

Enterprise T1190 Exploit Public-Facing Application

APT39 has used SQL injection for initial compromise.[9]

Enterprise T1083 File and Directory Discovery

APT39 has used tools with the ability to search for files on a compromised host.[3]

Enterprise T1070 .004 Indicator Removal: File Deletion

APT39 has used malware to delete files after they are deployed on a compromised host.[3]

Enterprise T1105 Ingress Tool Transfer

APT39 has downloaded tools to compromised hosts.[9][3]

Enterprise T1056 Input Capture

APT39 has utilized tools to capture mouse movements.[3]

.001 Keylogging

APT39 has used tools for capturing keystrokes.[9][3]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe.[8][3]

Enterprise T1046 Network Service Discovery

APT39 has used CrackMapExec and a custom port scanner known as BLUETORCH for network scanning.[1][8]

Enterprise T1135 Network Share Discovery

APT39 has used the post exploitation tool CrackMapExec to enumerate network shares.[8]

Enterprise T1027 Obfuscated Files or Information

APT39 has used malware to drop encrypted CAB files.[3]

.002 Software Packing

APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection.[1][8]

Enterprise T1588 .002 Obtain Capabilities: Tool

APT39 has modified and used customized versions of publicly-available tools like PLINK and Mimikatz.[8][10]

Enterprise T1003 OS Credential Dumping

APT39 has used different versions of Mimikatz to obtain credentials.[8]

.001 LSASS Memory

APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT39 leveraged spearphishing emails with malicious attachments to initially compromise victims.[1][9][3]

.002 Phishing: Spearphishing Link

APT39 leveraged spearphishing emails with malicious links to initially compromise victims.[1][3]

Enterprise T1090 .001 Proxy: Internal Proxy

APT39 used custom tools to create SOCK5 and custom protocol proxies between infected hosts.[1][8]

.002 Proxy: External Proxy

APT39 has used various tools to proxy C2 communications.[8]

Enterprise T1012 Query Registry

APT39 has used various strains of malware to query the Registry.[3]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

APT39 has been seen using RDP for lateral movement and persistence, in some cases employing the rdpwinst tool for mangement of multiple sessions.[1][8]

.002 Remote Services: SMB/Windows Admin Shares

APT39 has used SMB for lateral movement.[9]

.004 Remote Services: SSH

APT39 used secure shell (SSH) to move laterally among their targets.[1]

Enterprise T1018 Remote System Discovery

APT39 has used NBTscan and custom tools to discover remote systems.[1][8][9]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT39 has created scheduled tasks for persistence.[1][8][3]

Enterprise T1113 Screen Capture

APT39 has used a screen capture utility to take screenshots on a compromised host.[9][3]

Enterprise T1505 .003 Server Software Component: Web Shell

APT39 has installed ANTAK and ASPXSPY web shells.[1]

Enterprise T1553 .006 Subvert Trust Controls: Code Signing Policy Modification

APT39 has used malware to turn off the RequireSigned feature which ensures only signed DLLs can be run on Windows.[3]

Enterprise T1033 System Owner/User Discovery

APT39 used Remexi to collect usernames from the system.[2]

Enterprise T1569 .002 System Services: Service Execution

APT39 has used post-exploitation tools including RemCom and the Non-sucking Service Manager (NSSM) to execute processes.[8][9]

Enterprise T1204 .001 User Execution: Malicious Link

APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link.[1][3]

.002 User Execution: Malicious File

APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment.[1][8][9][3]

Enterprise T1078 Valid Accounts

APT39 has used stolen credentials to compromise Outlook Web Access (OWA).[1]

Enterprise T1102 .002 Web Service: Bidirectional Communication

APT39 has communicated with C2 through files uploaded to and downloaded from DropBox.[8]

Software

ID Name References Techniques
S0073 ASPXSpy [1] Server Software Component: Web Shell
S0454 Cadelspy [2] Application Window Discovery, Archive Collected Data, Audio Capture, Clipboard Data, Input Capture: Keylogging, Peripheral Device Discovery, Screen Capture, System Information Discovery
S0488 CrackMapExec [1][8] Account Discovery: Domain Account, Brute Force: Password Spraying, Brute Force: Password Guessing, Brute Force, Command and Scripting Interpreter: PowerShell, File and Directory Discovery, Modify Registry, Network Share Discovery, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, OS Credential Dumping: LSA Secrets, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, Scheduled Task/Job: At, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Use Alternate Authentication Material: Pass the Hash, Windows Management Instrumentation
S0095 ftp [3] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S0459 MechaFlounder [11] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Python, Data Encoding: Standard Encoding, Exfiltration Over C2 Channel, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, System Owner/User Discovery
S0002 Mimikatz [1][8][6][9] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0590 NBTscan [1] Network Service Discovery, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0029 PsExec [1][8][9] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0006 pwdump [9] OS Credential Dumping: Security Account Manager
S0375 Remexi [2][12][9] Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Winlogon Helper DLL, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, File and Directory Discovery, Input Capture: Keylogging, Obfuscated Files or Information, Scheduled Task/Job: Scheduled Task, Screen Capture, Windows Management Instrumentation
S0005 Windows Credential Editor [1][6] OS Credential Dumping: LSASS Memory

References