Beware: APT42 Cyber Spies Target the West

The cyberespionage group APT42 employs social engineering to infiltrate corporate networks and cloud environments in the West and the Middle East.

Mandiant, which first documented the group’s activities in September 2022, reports that APT42 has been active since 2015 and has conducted at least 30 operations across 14 countries.

APT42

APT42 primarily targets non-governmental organizations, media outlets, educational institutions, activists, and legal services. Google's analysts, who track the group's operations, report that infections begin with malicious emails that deliver two customizable backdoors, Nicecurl and Tamecat. Both give the operators remote command execution and a channel for data theft.

APT42 often masquerades as various media outlets, including The Washington Post (USA), The Economist (UK), The Jerusalem Post (IL), Khaleej Times (UAE), and Azadliq (Azerbaijan), frequently utilizing typosquatting domains such as “washinqtonpost[.]press.”
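The typosquatting technique described above can be screened for automatically: undo the defanging, take the registrable label, fold visually confusable characters (the "q" standing in for "g" in the domain quoted above, digits for letters, "rn" for "m") and compare against the brands you care about. The following Python is an added example written for this article, not code from Mandiant or Google; the legitimate brand domains in `PROTECTED_BRANDS` and the sample inputs other than the defanged domain quoted above are assumptions constructed for the example.

```python
import re

# Brands the article names as impersonated by APT42, mapped to the legitimate
# registrable domain. The legitimate domains are assumptions for this example
# (the article does not list them).
PROTECTED_BRANDS = {
    "washingtonpost": "washingtonpost.com",
    "economist": "economist.com",
    "jpost": "jpost.com",
    "khaleejtimes": "khaleejtimes.com",
    "azadliq": "azadliq.org",
}

# Visually confusable substitutions commonly seen in typosquats. Multi-character
# confusables are folded first so that "rn" -> "m" wins over a lone "n".
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))
SINGLE_CONFUSABLES = str.maketrans("q0135782", "goletsbz")


def clean_domain(value):
    """Lower-case, strip scheme/path and undo common defanging such as '[.]'."""
    host = value.strip().lower()
    host = re.sub(r"^hxxps?://|^https?://", "", host)
    host = host.split("/", 1)[0]
    return host.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")


def registrable_label(host):
    """Label left of the TLD (naive: treats 'co.uk'-style suffixes as a label)."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def normalize_confusables(label):
    """Map look-alike characters to the letters they imitate."""
    for multi, single in MULTI_CONFUSABLES:
        label = label.replace(multi, single)
    return label.translate(SINGLE_CONFUSABLES)


def levenshtein(a, b):
    """Edit distance; catches one-letter typos such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brands=PROTECTED_BRANDS, max_distance=1):
    """Return (verdict, brand); verdict is 'legitimate', 'lookalike' or 'unrelated'."""
    host = clean_domain(domain)
    label = registrable_label(host)
    norm = normalize_confusables(label)
    # Exact match or subdomain of the real brand domain is allowlisted first.
    for brand, legit in brands.items():
        if host == legit or host.endswith("." + legit):
            return ("legitimate", brand)
    # Anything else that equals, contains, or is one edit away from a brand is suspect.
    for brand in brands:
        if norm == brand or brand in norm or levenshtein(norm, brand) <= max_distance:
            return ("lookalike", brand)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample input: the defanged domain from the article plus invented cases.
    samples = ("washinqtonpost[.]press", "https://www.washingtonpost.com/world",
               "econ0mist.net", "khaleejtimes-login.com", "washingtonpst.com", "example.org")
    for d in samples:
        print(f"{d:40} -> {classify(d)}")
```

Run it over newly observed sender domains or certificate-transparency log entries; the confusable folding is what turns "washinqtonpost" into an exact brand hit, while the edit-distance check catches dropped or swapped letters that no substitution table anticipates.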

Impersonating journalists, NGO representatives, or event organizers, APT42 sends messages from domains mimicking legitimate ones. The attackers first build rapport with the victim over several exchanges, and only then send a link to a document that redirects to fake login pages mimicking well-known services such as Google and Microsoft. The phishing sites capture not only the victim's credentials but also the multi-factor authentication codes the victim types in, so a one-time code or push approval entered on the attacker's page offers no protection; only phishing-resistant factors bound to the real site's origin, such as FIDO2 security keys or passkeys, defeat this flow.

To maintain its foothold in compromised environments and evade detection, APT42 relies on the built-in functionality of legitimate cloud services rather than noisy custom tooling, clears Google Chrome browser history after reviewing documents, and exfiltrates files to OneDrive accounts using email addresses that appear to belong to the victim organization.

Furthermore, to keep its operations anonymous, APT42 routes traffic through ExpressVPN nodes, fronts its domains with Cloudflare, and uses short-lived VPS servers. Its two backdoors, Nicecurl and Tamecat, divide the work as follows:

  • Nicecurl is a VBScript-based backdoor that can execute commands, download and run additional payloads, and collect data from the infected host.
  • Tamecat is a more sophisticated PowerShell backdoor that can execute arbitrary PowerShell or C# code, giving APT42 considerable operational flexibility for data theft and broader system manipulation. Tamecat can also update its configuration dynamically to avoid detection.

Researchers from Mandiant have noted that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC), and its tactics, techniques, and procedures (TTPs) closely resemble those of APT35—another Iranian group known as Charming Kitten and Phosphorus.

APT42 specializes in targeted phishing against both corporate and personal email accounts. Its victims span at least 14 countries, including the USA, Australia, and countries in Europe and the Middle East, and include government officials, former Iranian politicians, members of the Iranian diaspora, opposition groups, journalists, and scholars.