Iranian hackers harvest credentials through advanced social engineering campaigns

An Iranian state-sponsored actor known for cyber espionage has been using enhanced social engineering tactics, such as posing as journalists and event organizers, to gain access to victim cloud environments, according to joint research from Mandiant and Google Cloud.

Tracked by Mandiant as APT42 and believed to be linked to the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), the actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services, and activists.

“APT42 targeting and missions are consistent with its assessed affiliation with the IRGC-IO, which is a part of the Iranian intelligence apparatus that is responsible for monitoring and preventing foreign threats to the Islamic Republic and domestic unrest,” Mandiant said in a blog. “APT42 activities overlap with the publicly reported actors CALANQUE (Google Threat Analysis Group), Charming Kitten (ClearSky and CERTFA), Mint Sandstorm/Phosphorus (Microsoft), TA453 (Proofpoint), Yellow Garuda (PwC), and ITG18 (IBM X-Force).”

Apart from cloud campaigns, the threat actor is also associated with malware-based activities, specifically operating two custom backdoors, NICECURL and TAMECAT.

Harvesting Microsoft, Google, and Yahoo credentials

Mandiant reported identifying different clusters of infrastructure used by APT42 to harvest credentials from targets in the policy and government sectors, media organizations and journalists, and NGOs and activists.

These credential-harvesting operations began with social engineering to gain initial access to victim networks, “often involving ongoing trust-building correspondence with the victim,” according to the research.

“Only then the desired credentials are acquired, and multi-factor authentication (MFA) is bypassed, by serving a cloned website to capture the MFA token (which failed) and later by sending MFA push notifications to the victim (which succeeded),” Mandiant said.
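One defensive check suggested by the push-notification bypass described above, added here as an example that is not from Mandiant's report or the article: detection logic run over constructed MFA log lines that flags a push approval preceded by repeated denied or timed-out pushes within a short window. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA log lines (not real data): "<timestamp> <user> <result>"
SAMPLE_LOG = """\
2024-03-01T09:00:05Z alice@example.org push_denied
2024-03-01T09:00:40Z alice@example.org push_timeout
2024-03-01T09:01:10Z alice@example.org push_denied
2024-03-01T09:01:55Z alice@example.org push_approved
2024-03-01T10:15:00Z bob@example.org push_approved
2024-03-01T11:30:00Z carol@example.org push_denied
2024-03-01T14:00:00Z carol@example.org push_approved
"""

FAILED_RESULTS = ("push_denied", "push_timeout")


def parse_mfa_log(text):
    """Parse the assumed three-field format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_push_fatigue(events, window=timedelta(minutes=10), min_failures=2):
    """Return {user: failure_count} for each user whose push approval was preceded
    by at least `min_failures` denied or timed-out pushes within `window`.
    A lone approval, or failures long before the approval, is not flagged."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    flagged = {}
    for user, evs in by_user.items():
        for i, (ts, result) in enumerate(evs):
            if result != "push_approved":
                continue
            failures = sum(1 for t, r in evs[:i]
                           if r in FAILED_RESULTS and ts - t <= window)
            if failures >= min_failures:
                flagged[user] = max(flagged.get(user, 0), failures)
    return flagged


if __name__ == "__main__":
    print(find_push_fatigue(parse_mfa_log(SAMPLE_LOG)))
```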

These campaigns were carried out in three successive steps, Mandiant added. It starts with the victim being tricked into clicking on malicious links with lures whose content relates to Iran and other foreign affairs topics. Once clicked, the links send victims to fake websites posing as legitimate services, news outlets, and NGOs. Finally, the victims are redirected to fake Microsoft, Google, or Yahoo login pages where the credentials are harvested.

“APT42 enhanced their campaign credibility by using decoy material inviting targets to legitimate and relevant events and conferences,” the blog added. “In one instance, the decoy material was hosted on an attacker-controlled SharePoint folder, accessible only after the victim entered their credentials. Mandiant did not identify malicious elements in the files, suggesting they were used solely to gain the victim’s trust.”

To avoid detection, the threat actor deployed multiple defense evasion techniques that included relying on built-in and publicly available tools of the Microsoft 365 environment, using anonymized infrastructure, and masquerading as the victim’s organization while exfiltrating files to OneDrive.

Spear Phishing for dropping malware

In addition to the credential-harvesting campaigns, the threat actor was observed deploying two custom backdoors. TAMECAT, a PowerShell toehold that can execute arbitrary PowerShell or C# commands, was identified by Mandiant in March 2024 and was dropped by phishing through malicious macro documents.

“Mandiant previously observed TAMECAT used in a large-scale APT42 spear-phishing campaign targeting individuals or entities employed by or affiliated with NGOs, government, or intergovernmental organizations around the world,” the blog added.

In January 2024, the researchers came upon a malicious Sothink logo maker (LMK) file downloading NICECURL, a backdoor written in VBScript that can download additional modules to be executed, including data mining and arbitrary command execution. The LMK file was accompanied by a PDF decoy that masqueraded as an Interview Feedback Form of the Harvard T.H. Chan School of Public Health.

“Both of these backdoors were delivered with decoy content and provide APT42 operators with initial access to the targets,” Mandiant added. “The backdoors provide a flexible code-execution interface that may be used as a jumping point to deploy additional malware or to manually execute commands on the device.”

The blog added a list of indicators of compromise (IoCs), which included the names of the news outlets and research institutes, legitimate services, generic login services, URL shortening services, mailer daemons, and file sharing services impersonated or used by the threat actor.
