Active since at least 2015, APT42 is characterized by highly targeted spear phishing and surveillance operations against individuals and organizations of strategic interest to Iran. The group’s operations, which are designed to build trust and rapport with their victims, have included accessing the personal and corporate email accounts of government officials, former Iranian policymakers or political figures, members of the Iranian diaspora and opposition groups, journalists, and academics who are involved in research on Iran. After gaining access, the group has deployed mobile malware capable of tracking victim locations, recording phone conversations, accessing videos and images, and extracting entire SMS inboxes.
TAGS: logon autostart, APT42, Phishing, Keylogger, Malware, Credential harvesting, Powershell, Powerpost, Scheduled Task, VineThorn, Pineflower, Ghambler, Chairsmack, Dostealer
GROUP: APT
ADVERSARY: APT 42
INDUSTRIES: Healthcare, Manufacturing, Pharmaceuticals, Government, Education
TARGETED COUNTRIES: United States of America, United Kingdom of Great Britain and Northern Ireland, Israel
MALWARE FAMILIES: VineThorn, Pineflower
ATT&CK IDS: T1003 - OS Credential Dumping, T1012 - Query Registry, T1016 - System Network Configuration Discovery, T1021 - Remote Services, T1027 - Obfuscated Files or Information, T1047 - Windows Management Instrumentation, T1055 - Process Injection, T1056 - Input Capture, T1056.001 - Keylogging, T1059 - Command and Scripting Interpreter, T1059.001 - PowerShell, T1070 - Indicator Removal on Host, T1071 - Application Layer Protocol, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1087 - Account Discovery, T1098 - Account Manipulation, T1111 - Two-Factor Authentication Interception, T1112 - Modify Registry, T1133 - External Remote Services, T1134 - Access Token Manipulation, T1140 - Deobfuscate/Decode Files or Information, T1193 - Spearphishing Attachment, T1204 - User Execution, T1221 - Template Injection, T1497 - Virtualization/Sandbox Evasion, T1518 - Software Discovery, T1543 - Create or Modify System Process, T1547 - Boot or Logon Autostart Execution, T1564 - Hide Artifacts, T1566 - Phishing, T1569 - System Services, T1583 - Acquire Infrastructure, T1584 - Compromise Infrastructure, T1587 - Develop Capabilities, T1587.001 - Malware, T1588 - Obtain Capabilities
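The metadata fields above are what a SOC typically ingests from a pulse like this one, and the ATT&CK list is the part that feeds detection-coverage mapping. The following is an added example, not code from the page or from any vendor feed: it parses the `FIELD: a, b, c` lines into a structure, validates each ATT&CK entry as `T1234` or `T1234.001`, nests sub-techniques under their parent, and flags IDs that ATT&CK has since revoked (the page lists T1193 - Spearphishing Attachment, which was folded into T1566.001). The sample pulse text is constructed and abridged from the page; the `REVOKED` map is a hand-maintained assumption that you would keep current from the ATT&CK release notes.

```python
import re
from collections import OrderedDict

# Constructed sample input: the pulse's metadata fields, abridged to a few
# ATT&CK entries. Field names and the "ID - Name" layout follow the page.
PULSE_TEXT = """\
TAGS: logon autostart, APT42, Phishing, Keylogger, Powershell, Scheduled Task
GROUP: APT
ADVERSARY: APT 42
INDUSTRIES: Healthcare, Government, Education
MALWARE FAMILIES: VineThorn, Pineflower
ATT&CK IDS: T1003 - OS Credential Dumping, T1056 - Input Capture, T1056.001 - Keylogging, T1059 - Command and Scripting Interpreter, T1059.001 - PowerShell, T1193 - Spearphishing Attachment, T1547 - Boot or Logon Autostart Execution, T1566 - Phishing, T1587.001 - Malware
"""

# Technique or sub-technique ID in the form ATT&CK uses (T1234 or T1234.001).
ATTACK_ID_RE = re.compile(r"^(T\d{4})(?:\.(\d{3}))?$")

# Hand-maintained revocation map (assumption: kept current from the ATT&CK
# release notes). T1193 was revoked and replaced by T1566.001.
REVOKED = {"T1193": "T1566.001"}


def parse_pulse(text):
    """Split 'FIELD: a, b, c' lines into an ordered dict of field -> values."""
    fields = OrderedDict()
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, _, rest = line.partition(":")
        values = [v.strip() for v in rest.split(",") if v.strip()]
        fields[name.strip()] = values
    return fields


def parse_attack_entries(values):
    """Turn 'T1056.001 - Keylogging' strings into (id, name) tuples.

    Malformed entries raise instead of being silently dropped, so a bad feed
    line cannot shrink the coverage map without anyone noticing.
    """
    entries = []
    for value in values:
        tid, sep, name = value.partition(" - ")
        tid = tid.strip()
        if not sep or not ATTACK_ID_RE.match(tid):
            raise ValueError("malformed ATT&CK entry: %r" % value)
        entries.append((tid, name.strip()))
    return entries


def group_techniques(entries):
    """Nest sub-techniques under their parent technique ID.

    A parent that is only implied (sub-technique listed, parent absent) gets
    name None so the gap is visible to whoever maps detections to it.
    """
    grouped = {}
    for tid, name in entries:
        parent, sub = ATTACK_ID_RE.match(tid).groups()
        node = grouped.setdefault(parent, {"name": None, "subtechniques": {}})
        if sub is None:
            node["name"] = name
        else:
            node["subtechniques"][tid] = name
    return grouped


def revoked_ids(entries):
    """Return {old_id: replacement_id} for listed IDs that ATT&CK has revoked."""
    return {tid: REVOKED[tid] for tid, _ in entries if tid in REVOKED}


if __name__ == "__main__":
    pulse = parse_pulse(PULSE_TEXT)
    techniques = parse_attack_entries(pulse["ATT&CK IDS"])
    for parent, node in sorted(group_techniques(techniques).items()):
        print(parent, node["name"], node["subtechniques"])
    print("revoked:", revoked_ids(techniques))
```

Rejecting malformed entries outright is the deliberate choice here: a coverage report built from a feed that quietly skipped a line overstates what you detect, which is worse than a loud parse failure.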