The Iranian state-sponsored cyberespionage group APT42 has been using two new backdoors in recent attacks targeting NGOs, government, and intergovernmental organizations, Google Cloud’s Mandiant reports.
Also tracked as Calanque and UNC788 and active since at least 2015, APT42 is believed to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC), which is a part of the Iranian intelligence apparatus.
The group has been observed targeting academia, activists, legal services, media organizations, and NGOs in Western and Middle Eastern countries, typically relying on social engineering schemes, posing as journalists and event organizers to gain the trust of victims.
APT42 uses credentials harvested from its victims to access cloud environments and exfiltrate data of interest, and relies on open source tools and built-in features to avoid detection.
Diving into the group’s activities, Mandiant has identified three clusters of infrastructure used in extensive credential harvesting campaigns against the government sector, journalists, and NGOs and activists.
Masquerading as media organizations and NGOs and active since 2021, the first cluster targets journalists, geopolitical entities, and researchers with links to fake news articles redirecting to a Google login phishing page.
The second cluster, active since 2019 and posing as legitimate services, targets researchers, journalists, NGOs, and activists with event invitations or legitimate documents hosted on cloud infrastructure, which require users to provide their login credentials.
Active since 2022 and posing as NGOs, the Bitly URL shortening service, and ‘Mailer Daemon’, the third cluster targets entities associated with academic, defense, and foreign affairs issues in the US and Israel with links to invitations and legitimate documents.
Additionally, in 2022 and 2023, APT42 was seen exfiltrating documents of interest from the Microsoft 365 environments of legal services entities and NGOs in the US and the UK, after obtaining victim credentials and bypassing multi-factor authentication (MFA) through push notifications.
In more recent attacks, the cyberespionage group was seen deploying the Nicecurl and Tamecat custom backdoors in attacks targeting NGOs, government, or intergovernmental organizations associated with issues related to Iran and the Middle East.
Written in VBScript, Nicecurl can drop additional modules on the infected machines, including one for data harvesting and another for arbitrary command execution. In January and February 2024, APT42 was seen impersonating a Middle East institute and a US think tank to distribute the backdoor.
Tamecat, a PowerShell tool capable of executing PowerShell and C# content, was being distributed via documents with malicious macros.
“APT42 has remained relatively focused on intelligence collection and targeting similar victimology, despite the Israel-Hamas war that has led other Iran-nexus actors to adapt by conducting disruptive, destructive, and hack-and-leak activities. In addition to deploying custom implants on compromised devices, APT42 was also observed conducting extensive cloud operations,” Mandiant notes.
The cybersecurity firm also notes that some of APT42’s activities overlap with the operations of Charming Kitten, an infamous Iranian hacking group also tracked as Mint Sandstorm, Phosphorus, TA453, ITG18, and Yellow Garuda.