APT42 Operations From Credential Harvesting to Custom Malware Deployment

Since as early as 2019, the Iranian state-sponsored hacker group APT42 has been orchestrating deceptive campaigns that cleverly impersonate well-known organizations. Their activities, which overlap with those of groups known as CALANQUE, Charming Kitten, ITG18, Mint Sandstorm, TA453, and Yellow Garuda, have been analyzed in a report by Google Cloud. Operating under the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), APT42 actively targets a broad range of sectors across the Western and Middle Eastern regions, including government, NGOs, media, academia, legal sectors, and activists. By posing as legitimate entities, the group skillfully lures individuals into divulging login credentials, which are then used to fulfill intelligence collection objectives and enable further intrusions into sensitive environments, serving Iranian interests.

Google Cloud has identified three distinct clusters of APT42 activity, where the group masquerades as reputable entities to lure victims. "These operations began with enhanced social engineering schemes to gain initial access to victim networks, often involving ongoing trust-building correspondence with the victim. Only then the desired credentials are acquired and multi-factor authentication (MFA) is bypassed, by serving a cloned website to capture the MFA token (which failed) and later by sending MFA push notifications to the victim (which succeeded)," according to a detailed report by Google Cloud researchers. These clusters target professionals within policy, government, media, academia, and NGOs, utilizing highly tailored spear-phishing tactics. For example, they impersonate familiar news outlets and NGOs using fake domains that seem legitimate. These fraudulent domains redirect victims to fake login pages where credentials are compromised.

APT42's credential harvesting operations also serve to offer the operators an opportunity to infiltrate the Microsoft 365 environments of their targets, leveraging the stolen credentials. Their attack lifecycle is methodical, involving building trust through ongoing interactions, harvesting credentials through deceptive tactics, and ultimately infiltrating cloud environments to access sensitive data. These strategies showcase APT42's ability to manipulate human behavior and exploit trusted communications for malicious purposes. Their operations not only demonstrate their technical expertise but also strategic planning in conducting long-term espionage activities. The tactics, techniques, and procedures (TTPs) utilized by APT42 highlight a refined blend of social engineering and technological manipulations aimed at harvesting credentials, which then facilitate further access to sensitive cloud environments.

Further in-depth analysis of APT42's operations reveals capabilities of deploying custom backdoors such as NICECURL and TAMECAT. These VBScript backdoors enable persistent access and command execution capabilities within compromised systems. NICECURL, for example, can download additional modules with curl.exe and execute arbitrary commands via HTTPS, allowing it to extend its functionality stealthily. It is often delivered through malicious LNK files that masquerade as benign documents, like an interview feedback form, enticing users to execute them inadvertently. TAMECAT, similarly, is distributed via spear-phishing. Upon execution, it uses a VBScript to assess the environment's security capabilities, adapting its deployment method to the presence of antivirus products. It may use direct PowerShell commands or alternative downloading mechanisms via CMD to fetch and execute its payload from remote servers. These scripts are sophisticated enough to bypass multifactor authentication by manipulating session tokens or pushing fraudulent authentication requests, significantly complicating the detection efforts by security teams. "The methods deployed by APT42 leave a minimal footprint and might make the detection and mitigation of their activities more challenging for network defenders," explain Google Cloud researchers.

Understanding APT42’s attack lifecycle and the sequential flow of these attacks—from initial credential harvesting to the deployment of malware and subsequent command and control activities—is crucial. Google Cloud’s detailed breakdown of attack vectors and associated malware aids in the detection and mitigation of such threats and enhances preparedness against similar tactics by other adversarial entities. Insights into APT42’s consistent victim profile and social engineering campaigns are reflected in an alert issued last year by the U.K. National Cyber Security Centre (NCSC), highlighting the persistent threat of increased cyber activity, particularly spear-phishing campaigns from groups like SEABORGIUM and APT42 with the intent to gather intelligence.