Iranian APT group APT42 leverages social engineering tactics such as journalist impersonation to target the cloud environments of NGOs, media, academia, and legal entities in the West and the Middle East.
The group uses stolen credentials to gain initial access, then relies on built-in tools, open-source tooling, and malware such as NICECURL and TAMECAT to exfiltrate data of interest while evading detection, in line with the IRGC-IO's objectives.
APT42, an Iranian cyberespionage group, harvests credentials through social-engineering spearphishing campaigns that target users in government, media, and NGOs with emails impersonating legitimate news outlets and NGOs (e.g., The Washington Post, The Economist).
The emails contain links to fake login pages (often on typo-squatted domains) designed to steal credentials for Microsoft, Yahoo, and Google accounts.
It also uses "Cluster B" websites (on TLDs such as .top and .online) disguised as legitimate services (login pages, file hosting, YouTube) to steal credentials from individuals seen as a threat (journalists, activists), reached via spearphishing emails carrying fake invitations or documents.
The emails contain links that redirect to fake login pages mimicking real services (Gmail, Google Drive, Google Meet) hosted on compromised platforms (Google Sites, Dropbox). APT42 also uses URL shorteners to mask malicious links.
The group also targets individuals in defense, foreign affairs, and academia with spearphishing emails disguised as legitimate services (NGOs, Mailer Daemon notices) or shared cloud documents; these contain leetspeak-encoded URLs that lead to credential harvesting sites mimicking Microsoft 365 logins.
Once credentials are stolen, APT42 bypasses MFA through cloned websites or phishing for push notifications, and by compromising Microsoft 365 environments with these techniques, it exfiltrates sensitive information from victims’ cloud storage.
It approaches victims with social engineering emails impersonating NGOs and uses decoy materials to build trust. Once trust is established, it sends phishing links that redirect to credential harvesting pages disguised as legitimate logins, potentially combined with MFA bypass techniques.
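A defender-side illustration of the lookalike-URL tactics described above (typo-squatted domains, leetspeak substitutions, .top/.online TLDs and URL shorteners): an added Python triage helper, not code from the report or from Google Cloud, that normalizes a link's hostname and flags brand lookalikes. The sample URLs, the brand/allowlist/shortener tables and the thresholds are constructed assumptions, not indicators from the report.

```python
import re
from urllib.parse import urlparse

# Constructed sample links of the kinds the report describes; none are real APT42 indicators.
SAMPLE_URLS = [
    "https://login.micr0s0ft-0nline.top/auth",          # leetspeak digits + suspect TLD
    "https://accounts-goog1e.online/signin",            # "1" standing in for "l"
    "https://bit.ly/3xyzabc",                           # shortener hides the destination
    "https://login.microsoftonline.com/common/oauth2",  # legitimate
    "https://sites.google.com/view/shared-doc",         # legitimate host; page content needs review
]

# Assumed tables: brands whose logins are cloned, hosts we trust, TLDs and shorteners to flag.
BRANDS = ["microsoft", "google", "yahoo", "gmail", "outlook"]
LEGIT_HOSTS = {"login.microsoftonline.com", "accounts.google.com", "login.yahoo.com", "login.live.com"}
LEGIT_SUFFIXES = (".microsoft.com", ".google.com", ".yahoo.com")
SUSPECT_TLDS = {"top", "online", "xyz", "site"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Common leetspeak substitutions, undone so "micr0s0ft" collapses back onto "microsoft".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize_host(host: str) -> str:
    """Lowercase, reverse leetspeak and drop separators so lookalike hosts compare against brand names."""
    return re.sub(r"[-_]", "", host.lower().translate(LEET))


def assess_url(url: str) -> dict:
    """Return the hostname plus a list of reasons it looks like a credential-harvesting lure."""
    host = (urlparse(url).hostname or "").lower()
    reasons = []
    if host in SHORTENERS:
        reasons.append("url-shortener")
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in SUSPECT_TLDS:
        reasons.append(f"suspect-tld:{tld}")
    # Only non-allowlisted hosts are checked for brand impersonation.
    if host not in LEGIT_HOSTS and not host.endswith(LEGIT_SUFFIXES):
        norm = normalize_host(host)
        for brand in BRANDS:
            if brand in norm:
                reasons.append(f"brand-lookalike:{brand}")
                break
    return {"host": host, "suspicious": bool(reasons), "reasons": reasons}


def scan(urls):
    """Hosts from the given URLs that warrant analyst review, in input order."""
    return [r["host"] for r in map(assess_url, urls) if r["suspicious"]]


if __name__ == "__main__":
    for result in map(assess_url, SAMPLE_URLS):
        print(result)
```

The allowlist check matters: without it, the legitimate Microsoft and Google hosts would also match the brand list, so tune LEGIT_HOSTS to your tenant before using this on mail logs.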
After gaining access, APT42 uses various tools to explore the compromised environment, steal data of interest (e.g., foreign affairs documents), and exfiltrate it to cloud storage such as OneDrive.
To minimize its footprint, it relies on built-in Microsoft features, publicly available tools, and anonymized infrastructure, and it deletes traces of its activity.
In spearphishing attacks, the group delivered NICECURL, a VBScript backdoor that can download additional modules and receive commands, by disguising malicious LNK files as PDF documents. The LNK files downloaded NICECURL from glitch.me subdomains.
According to Google Cloud, in February, another NICECURL variant downloaded a decoy PDF about empowering women, which likely targeted an Australian victim.
TAMECAT execution begins with a downloader script that checks for Windows Defender and downloads a PowerShell script (nconf.txt) accordingly; that script then fetches a further PowerShell script (df32s.txt), which decrypts the embedded TAMECAT backdoor using a hardcoded AES key and IV.
The decrypted TAMECAT backdoor writes a victim identifier and sends a POST request to a C2 server with information about the infected system. If the response is successful, the backdoor can then receive commands from the C2 server to download additional content or execute PowerShell/C# code.