Iran-Linked Hackers Use Array of Tools to Steal Data: FireEye

An Iran-linked cyber-espionage group responsible for widespread theft of data is using a broad range of custom and off-the-shelf tools, FireEye security researchers say. 

Referred to as APT39, the group has been tracked since November 2014 and its activities largely align with the Chafer group, as well as with the OilRig cyberspies. Unlike other groups operating out of Iran, however, APT39 hasn’t been linked to influence operations, disruptive attacks, and other threats.

APT39 mainly targets the telecommunications and travel industries, likely aiming “to perform monitoring, tracking, or surveillance operations against specific individuals, collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities, or create additional accesses and vectors to facilitate future campaigns.”

The APT39 designation was created to bring together previously observed activity and methods attributed to this actor, FireEye notes in a report shared with SecurityWeek.

The hackers primarily use the SEAWEED and CACHEMONEY backdoors and a specific variant of the POWBAT backdoor. Their activity is concentrated in the Middle East, although the targeting scope is global, with victims also observed in the United States and South Korea.

The actor has also targeted high-tech industry and government entities, which suggests it collects geopolitical data as well, but its key mission most likely remains the tracking or monitoring of targets of interest.

“We have moderate confidence APT39 operations are conducted in support of Iranian national interests based on regional targeting patterns focused in the Middle East, infrastructure, timing, and similarities to APT34, a group that loosely aligns with activity publicly reported as ‘OilRig’,” FireEye says. 

Although the two groups share malware distribution methods, infrastructure naming conventions, targeting overlaps, and the POWBAT backdoor, FireEye tracks APT39 separately from APT34 because it uses a distinct variant of that backdoor. The researchers note, however, that the two groups could be collaborating or sharing resources at some level.


For initial compromise, the group uses spear-phishing emails carrying malicious attachments or URLs that usually lead to a POWBAT infection. It also exploits vulnerable, internet-facing web servers to install web shells such as ANTAK and ASPXSPY, and it steals legitimate credentials to deepen its access.

Post-infection, custom backdoors such as SEAWEED, CACHEMONEY, and a unique variant of POWBAT are used to establish a foothold in the target environment. For credential harvesting the group uses tools such as Mimikatz and Ncrack, as well as Windows Credential Editor and the legitimate Sysinternals ProcDump utility; the custom port scanner BLUETORCH is used for internal reconnaissance.

For lateral movement, the group relies on Remote Desktop Protocol (RDP), Secure Shell (SSH), PsExec, RemCom, and xCmdSvc. It has also been observed using custom tools such as REDTRIP, PINKTRIP, and BLUETRIP to create SOCKS5 proxies between infected hosts. Data staged for exfiltration is typically archived with WinRAR or 7-Zip.
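As an added example (not code from the original article or from FireEye), the following Python hunt rules turn the tradecraft described in the three paragraphs above into checks that run over process-creation telemetry: an IIS worker process spawning a shell (web-shell activity), ProcDump or Mimikatz aimed at LSASS (credential theft), the PsExec/RemCom service binaries (remote execution), and rar/7z archive creation (staging). The event field names, the specific binary names keyed on, and the sample events are assumptions made for this illustration.

```python
"""Hunt rules for the tradecraft described above, run over process-creation events.

Added example, not code from the article or from FireEye. It assumes
Sysmon Event ID 1 style telemetry flattened into dicts with Image,
ParentImage and CommandLine keys; the events in SAMPLE_EVENTS are
constructed for illustration, not real data.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Finding:
    index: int        # position of the event in the input list
    tags: List[str]   # names of the rules that matched


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _credential_dump(ev: Dict[str, str]) -> bool:
    img, cmd = _base(ev["Image"]), ev["CommandLine"].lower()
    # ProcDump is a legitimate Sysinternals tool; ProcDump aimed at lsass is not.
    if img in ("procdump.exe", "procdump64.exe") and "lsass" in cmd:
        return True
    # Mimikatz / Windows Credential Editor by binary name or tell-tale module syntax.
    if img in ("mimikatz.exe", "wce.exe"):
        return True
    return re.search(r"sekurlsa::|lsadump::", cmd) is not None


def _remote_exec(ev: Dict[str, str]) -> bool:
    # PsExec and RemCom push a service binary to the target and run commands under it.
    svc = ("psexesvc.exe", "remcomsvc.exe")
    return _base(ev["Image"]) in svc or _base(ev["ParentImage"]) in svc


def _web_shell(ev: Dict[str, str]) -> bool:
    # An IIS worker process spawning a shell is the classic ASPX web-shell signature.
    return _base(ev["ParentImage"]) == "w3wp.exe" and _base(ev["Image"]) in ("cmd.exe", "powershell.exe")


def _archive_staging(ev: Dict[str, str]) -> bool:
    img, cmd = _base(ev["Image"]), ev["CommandLine"].lower()
    if img not in ("rar.exe", "winrar.exe", "7z.exe", "7za.exe"):
        return False
    # "a" adds files to an archive; extraction ("x", "e") is everyday use and is ignored.
    # A password switch (rar -hp..., 7z -p...) would be an even stronger sign of staging.
    return re.search(r"\s+a\s", cmd) is not None


RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("credential_dump", _credential_dump),
    ("remote_service_exec", _remote_exec),
    ("web_shell_child_process", _web_shell),
    ("archive_staging", _archive_staging),
]


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of all rules that match one event."""
    return [tag for tag, pred in RULES if pred(ev)]


def hunt(events: List[Dict[str, str]]) -> List[Finding]:
    """Return one Finding per event that matched at least one rule."""
    findings = []
    for i, ev in enumerate(events):
        tags = classify(ev)
        if tags:
            findings.append(Finding(i, tags))
    return findings


# Constructed sample telemetry. Events 0-3 mirror one intrusion chain;
# events 4-6 are benign look-alikes the rules must not flag.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Temp\procdump64.exe",
     "CommandLine": r"procdump64.exe -ma lsass.exe C:\Temp\l.dmp"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": "PSEXESVC.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Program Files\WinRAR\rar.exe",
     "CommandLine": r"rar.exe a -hpS3cret -r staging.rar C:\Users\jdoe\Documents"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r"7z.exe x archive.7z"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Tools\procdump64.exe",
     "CommandLine": "procdump64.exe -ma notepad.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f.index, f.tags)
```

Run against the constructed events, the four intrusion-chain events are flagged and the three benign ones are not. The rules key on behaviour (parent/child relationships, the lsass target, the archive "add" verb) rather than on tool names alone, because a renamed procdump or rar binary defeats a name check but not a command-line check.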

“APT39’s targeting not only represents a threat to known targeted industries, but it extends to these organizations’ clientele, which includes a wide variety of sectors and individuals on a global scale. APT39’s activity showcases Iran’s potential global operational reach and how it uses cyber operations as a low-cost and effective tool to facilitate the collection of key data on perceived national security threats and gain advantages against regional and global rivals,” FireEye concludes. 


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
