APT42 is an Iranian state-sponsored threat group that conducts cyber espionage and surveillance.[1] The group primarily focuses on targets in the Middle East, but has targeted a variety of industries and countries since at least 2015.[1] APT42 typically begins an operation with spearphishing emails and/or the PINEFLOWER Android malware, then monitors and collects information from the compromised systems and devices.[1] Finally, it exfiltrates data using native platform features and open-source tools.[2]
APT42 activity has been linked to Magic Hound by other commercial vendors. While there is overlap in behavior and tooling between Magic Hound and APT42, they appear to be distinct groups and are tracked separately by their originating vendor.
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087.001 | Account Discovery: Local Account | APT42 has used the PowerShell-based POWERPOST script to collect local account names from the victim machine.[1]
Enterprise | T1583.001 | Acquire Infrastructure: Domains | APT42 has registered domains, several of which masqueraded as news outlets and login services, for use in operations.[1][3]
Enterprise | T1583.003 | Acquire Infrastructure: Virtual Private Server | APT42 has used anonymized infrastructure and Virtual Private Servers (VPSs) to interact with the victim's environment.[1][2]
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | APT42 has used tools such as NICECURL with command and control communication taking place over HTTPS.[2]
Enterprise | T1547 | Boot or Logon Autostart Execution | 
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | 
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | 
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 
Enterprise | T1132.001 | Data Encoding: Standard Encoding | 
Enterprise | T1530 | Data from Cloud Storage | APT42 has collected data from Microsoft 365 environments.[2][1]
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | APT42 has used tools such as NICECURL with command and control communication taking place over HTTPS.[2]
Enterprise | T1585.002 | Establish Accounts: Email Accounts | APT42 has created email accounts to use in spearphishing operations.[3]
Enterprise | T1656 | Impersonation | APT42 has impersonated legitimate people in phishing emails to gain credentials.[1][3]
Enterprise | T1070 | Indicator Removal | 
Enterprise | T1070.008 | Indicator Removal: Clear Mailbox Data | APT42 has deleted login notification emails and has cleared the Sent folder to cover their tracks.[1]
Enterprise | T1056 | Input Capture | 
Enterprise | T1056.001 | Input Capture: Keylogging | 
Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | APT42 has masqueraded the VINETHORN payload as a VPN application.[1]
Enterprise | T1112 | Modify Registry | APT42 has modified Registry keys to maintain persistence.[1]
Enterprise | T1111 | Multi-Factor Authentication Interception | APT42 has intercepted SMS-based one-time passwords and has set up two-factor authentication.[1] Additionally, APT42 has used cloned or fake websites to capture MFA tokens.[2]
Enterprise | T1588.002 | Obtain Capabilities: Tool | APT42 has used built-in features in the Microsoft 365 environment and publicly available tools to avoid detection.[2]
Enterprise | T1566.002 | Phishing: Spearphishing Link | APT42 has sent spearphishing emails containing malicious links.[1][2][3]
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | 
Enterprise | T1113 | Screen Capture | APT42 has used malware, such as GHAMBAR and POWERPOST, to take screenshots.[1]
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | APT42 has used Windows Management Instrumentation (WMI) to check for anti-virus products.[2]
Enterprise | T1608.001 | Stage Capabilities: Upload Malware | APT42 has used its infrastructure for C2 and for staging the VINETHORN payload, which masqueraded as a VPN application.[1]
Enterprise | T1539 | Steal Web Session Cookie | APT42 has used custom malware to steal login and cookie data from common browsers.[1]
Enterprise | T1082 | System Information Discovery | APT42 has used malware, such as GHAMBAR and POWERPOST, to collect system information.[1]
Enterprise | T1016 | System Network Configuration Discovery | APT42 has used malware, such as GHAMBAR and POWERPOST, to collect network information.[1]
Enterprise | T1102 | Web Service | APT42 has used various links, such as links with typo-squatted domains, links to Dropbox files and links to fake Google sites, in spearphishing operations.[2][1][3]
Enterprise | T1047 | Windows Management Instrumentation | APT42 has used Windows Management Instrumentation (WMI) to query anti-virus products.[2]