
Nation-State

Iranian Cyberspies Hit Targets With New Backdoors

Iranian state-sponsored group APT42 is targeting NGOs, government, and intergovernmental organizations with two new backdoors.

The Iranian state-sponsored cyberespionage group APT42 has been using two new backdoors in recent attacks targeting NGOs, government, and intergovernmental organizations, Google Cloud’s Mandiant reports.

Also tracked as Calanque and UNC788 and active since at least 2015, APT42 is believed to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC), which is a part of the Iranian intelligence apparatus.

The group has been observed targeting academia, activists, legal services, media organizations, and NGOs in Western and Middle Eastern countries, typically relying on social engineering schemes, posing as journalists and event organizers to gain the trust of victims.

APT42 uses credentials harvested from its victims to access cloud environments and exfiltrate data of interest, and relies on open source tools and built-in features to avoid detection.

Diving into the group’s activities, Mandiant has identified three clusters of infrastructure used in extensive credential harvesting campaigns against the government sector, journalists, NGOs, and activists.

Masquerading as media organizations and NGOs and active since 2021, the first cluster targets journalists, geopolitical entities, and researchers with links to fake news articles redirecting to a Google login phishing page.

The second cluster, active since 2019 and posing as legitimate services, targets researchers, journalists, NGOs, and activists with event invitations or legitimate documents hosted on cloud infrastructure, which require users to provide their login credentials.

Active since 2022 and posing as NGOs, the Bitly URL shortening service, and ‘Mailer Daemon’, the third cluster targets entities associated with academic, defense, and foreign affairs issues in the US and Israel with links to invitations and legitimate documents.


Additionally, in 2022 and 2023, APT42 was seen exfiltrating documents of interest from the Microsoft 365 environments of legal services entities and NGOs in the US and the UK, after obtaining victim credentials and bypassing multi-factor authentication (MFA) through push notifications.

In more recent attacks, the cyberespionage group was seen deploying the Nicecurl and Tamecat custom backdoors in attacks targeting NGOs, government, or intergovernmental organizations associated with issues related to Iran and the Middle East.

Written in VBScript, Nicecurl can drop additional modules on the infected machines, including one for data harvesting and another for arbitrary command execution. In January and February 2024, APT42 was seen impersonating a Middle East institute and a US think tank to distribute the backdoor.

Tamecat, a PowerShell tool capable of executing PowerShell and C# content, was being distributed via documents with malicious macros.

“APT42 has remained relatively focused on intelligence collection and targeting similar victimology, despite the Israel-Hamas war that has led other Iran-nexus actors to adapt by conducting disruptive, destructive, and hack-and-leak activities. In addition to deploying custom implants on compromised devices, APT42 was also observed conducting extensive cloud operations,” Mandiant notes.

The cybersecurity firm also notes that some of APT42’s activities overlap with the operations of Charming Kitten, an infamous Iranian hacking group also tracked as Mint Sandstorm, Phosphorus, TA453, ITG18, and Yellow Garuda.

Related: US Charges Iranian Over Cyberattacks on Government, Defense Organizations

Related: Iranian Hackers Target Aviation and Defense Sectors in Middle East

Related: Iran Ramps Up Cyberattacks on Israel Amid Hamas Conflict: Microsoft

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
