Iran-Linked APT39 group use off-the-shelf tools to steal data

An Iran-linked cyber-espionage group tracked as APT39 is carrying out a widespread campaign using a broad range of custom and off-the-shelf tools.

The APT39 cyberespionage group is carrying out a widespread campaign using a broad range of custom and off-the-shelf tools. The group has been active at least since November 2014, its operations are aligned with the ones attributed to the Chafer group and OilRig groups, it brings together TTPs used by both actors.

APT39 cyber spies focused their operations in the Middle East, other entities targeted by the group are the U.S. and South Korea. Most of the victims belong to the telecommunications and travel industries, cyber spies also targeted high-tech industry and government.

“APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39’s targeting scope is global, its activities are concentrated in the Middle East.” reads the report published by FireEye.

“APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.”

The operations collected by the APT39 group aims to collect geopolitical data along with monitoring targets of interest. 

Experts observed an overlap between malware distribution techniques and command and control infrastructures used by APT39 and the ones observed in campaign associated with other Iran-linked APT groups.

Researchers at FireEye pointed out that the POWBAT backdoor used by the APT39 group is different from the one used by the APT34, but they don’t exclude a close collaboration between the two crews collaborate.

“While APT39 and APT34 share some similarities, including malware distribution methods, POWBAT backdoor use, infrastructure nomenclature, and targeting overlaps, we consider APT39 to be distinct from APT34 given its use of a different POWBAT variant. It is possible that these groups work together or share resources at some level.” continues the report.

Initial compromise leverages spear-phishing messages using malicious attachments or including URLs that point to a POWBAT infection. Furthermore, cyberspies also target vulnerable web servers of organizations to install web shells such as ANTAK and ASPXSPY, attackers used stolen legitimate credentials to compromise externally facing Outlook Web Access (OWA) resources.

In the post-infection phase, the threat actors leverage custom backdoors such as SEAWEED, CACHEMONEY, and a unique variant of POWBAT that is used by attackers to gain a foothold in a target environment.

Attackers use tools like Mimikatz and Ncrack, along with legitimate tools such as Windows Credential Editor and ProcDump and the port scanner BLUETORCH.

Once inside the target environment, for lateral movement that attackers use tools such as Remote Desktop Protocol (RDP), Secure Shell (SSH), PsExec, RemCom, and xCmdSvc. Other custom tools used by the threat actors are as REDTRIP, PINKTRIP, and BLUETRIP that allow them to create SOCKS5 proxies between infected hosts.

APT39 use to compress data using WinRAR or 7-Zip before exfiltrating it.

“APT39’s targeting not only represents a threat to known targeted industries, but it extends to these organizations’ clientele, which includes a wide variety of sectors and individuals on a global scale.” FireEye concludes. 

“APT39’s activity showcases Iran’s potential global operational reach and how it uses cyber operations as a low-cost and effective tool to facilitate the collection of key data on perceived national security threats and gain advantages against regional and global rivals,”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – IRAN, APT39)

[adrotate banner=”5″] [adrotate banner=”13″]

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.