May 4, 2024 at 12:19PM
APT42, an Iranian state-backed threat actor, is using social engineering, specifically posing as journalists, to breach Western and Middle Eastern corporate networks and cloud environments. The group, affiliated with Iran’s IRGC-IO, targets NGOs, media outlets, and more. They employ custom backdoors “Nicecurl” and “Tamecat” to gain access and exfiltrate data.
From the meeting notes, here are the key takeaways:
1. Threat Actor:
– APT42, a state-backed group based in Iran, is using social engineering tactics, posing as journalists and other personas, to breach corporate networks and cloud environments in Western and Middle Eastern countries.
2. Tactics and Techniques:
– APT42 employs social engineering and spear-phishing attacks to infect targets with custom backdoors named “Nicecurl” and “Tamecat.”
– The group uses typosquatted domains to impersonate legitimate media organizations and uses fake personas to build trust with victims before sending malicious links or emails.
3. Targeted Entities:
– APT42 targets NGOs, media outlets, educational institutes, activists, legal services, and other organizations.
4. Malware Details:
– APT42 uses two custom backdoors, Nicecurl and Tamecat, for command execution, data exfiltration, and system manipulation. Tamecat is particularly sophisticated, obfuscating its communication and dynamically updating its configuration to evade detection.
5. Detection Evasion:
– APT42 takes measures to evade detection, including using built-in cloud tools, clearing browsing history, and using email addresses that appear to belong to the victimized organization.
6. Attribution and IoCs:
– The group uses ExpressVPN nodes, Cloudflare-hosted domains, and ephemeral VPS servers, making attribution more challenging.
– Further details and the full list of Indicators of Compromise (IoCs) for the recent APT42 campaign can be found in Google’s report.
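Two of the tactics above, typosquatted domains that impersonate media organizations and sender addresses that look like the targeted organization's own domain, can both be caught with the same look-alike-domain check. The following is an added defensive example, not code from the report or from Google; the allow-list of legitimate domains, the homoglyph map and the mail-log lines are all constructed placeholders for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed allow-list: domains the organisation treats as legitimate.
# Placeholders only; not the real outlets named in the report.
LEGIT_DOMAINS = ["example-news.org", "exampletimes.com", "corp-example.com"]

# Visual substitutions commonly used in look-alike domains. This map is an
# assumption of the example, not a list taken from the report.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def normalize(label: str) -> str:
    """Fold visually similar characters so 'examp1e' and 'exarnple' compare as 'example'."""
    label = label.lower().translate(HOMOGLYPHS)
    return label.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert / delete / substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Return the label just left of the TLD ('mail.corp-example.com' -> 'corp-example')."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def closest_legit(domain: str, legit: List[str] = LEGIT_DOMAINS,
                  max_distance: int = 2) -> Optional[Tuple[str, int]]:
    """Return (legit_domain, distance) if `domain` looks like a legit one but is not it.

    Exact matches and genuine subdomains of an allow-listed domain return None;
    anything within `max_distance` edits after homoglyph folding is flagged.
    """
    domain = domain.lower()
    label = normalize(registrable_label(domain))
    best: Optional[Tuple[str, int]] = None
    for ld in legit:
        ld = ld.lower()
        if domain == ld or domain.endswith("." + ld):
            return None  # the real domain or one of its subdomains
        dist = edit_distance(label, normalize(registrable_label(ld)))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (ld, dist)
    return best


# Matches the sender domain in Postfix-style 'from=<user@domain>' fields.
SENDER_RE = re.compile(r"from=<[^@>]+@([^>]+)>")


def flag_senders(log_lines: List[str]) -> List[Tuple[str, str, int]]:
    """Scan mail log lines and return (sender_domain, impersonated_domain, distance) hits."""
    hits = []
    for line in log_lines:
        m = SENDER_RE.search(line)
        if not m:
            continue
        sender_domain = m.group(1)
        match = closest_legit(sender_domain)
        if match:
            hits.append((sender_domain, match[0], match[1]))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "Mar 1 10:00:01 mx postfix/smtpd: from=<press@examp1e-news.org> to=<cfo@corp-example.com>",
    "Mar 1 10:02:17 mx postfix/smtpd: from=<it-helpdesk@corp-examp1e.com> to=<staff@corp-example.com>",
    "Mar 1 10:05:42 mx postfix/smtpd: from=<newsletter@exampletimes.com> to=<staff@corp-example.com>",
    "Mar 1 10:09:03 mx postfix/smtpd: from=<alice@totally-different.net> to=<cfo@corp-example.com>",
]

if __name__ == "__main__":
    for sender, target, dist in flag_senders(SAMPLE_LOG):
        print(f"look-alike sender {sender!r} resembles {target!r} (distance {dist})")
```

The first flagged line models the journalist-persona lure (a media outlet's domain with a digit swapped for a letter); the second models a sender that appears to belong to the victim organization itself. Tune `max_distance` and the allow-list to the organization's own domains and the outlets its staff routinely correspond with; a distance of 2 on short labels produces false positives, so review hits rather than blocking on them automatically.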