An Iran-linked cyber-espionage group responsible for widespread theft of data is using a broad range of custom and off-the-shelf tools, FireEye security researchers say.
Referred to as APT39, the group has been tracked since November 2014 and its activities largely align with the Chafer group, as well as with the OilRig cyberspies. Unlike other groups operating out of Iran, however, APT39 hasn’t been linked to influence operations, disruptive attacks, and other threats.
APT39 mainly targets the telecommunications and travel industries, likely aiming “to perform monitoring, tracking, or surveillance operations against specific individuals, collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities, or create additional accesses and vectors to facilitate future campaigns.”
The APT39 designation was created to bring together previously observed activities and methods attributed to the actor, FireEye notes in a report shared with SecurityWeek.
The hackers primarily use the SEAWEED and CACHEMONEY backdoors and a specific variant of the POWBAT backdoor. Their activity is concentrated in the Middle East, although the targeting scope is global (including the U.S. and South Korea).
The actor has also been targeting high-tech industry and government entities. This suggests the group is also attempting to collect geopolitical data, but its key mission most likely remains the tracking or monitoring of targets of interest.
“We have moderate confidence APT39 operations are conducted in support of Iranian national interests based on regional targeting patterns focused in the Middle East, infrastructure, timing, and similarities to APT34, a group that loosely aligns with activity publicly reported as ‘OilRig’,” FireEye says.
Despite employing similar malware distribution methods, infrastructure nomenclature, targeting overlaps, and the POWBAT backdoor, APT39 appears different from APT34 due to the use of a different variant of the backdoor. However, the researchers note that the two groups could be working together or sharing resources at some level.
For initial compromise, the group uses spear-phishing emails carrying malicious attachments or URLs that usually lead to a POWBAT infection. The group also targets vulnerable web servers of organizations to install web shells such as ANTAK and ASPXSPY and steal credentials for further compromise.
Post-infection, custom backdoors such as SEAWEED, CACHEMONEY, and a unique variant of POWBAT are used to establish a foothold in a target environment. Tools such as Mimikatz and Ncrack are also being used, along with legitimate tools such as Windows Credential Editor and ProcDump and the port scanner BLUETORCH.
For lateral movement, the group employs tools such as Remote Desktop Protocol (RDP), Secure Shell (SSH), PsExec, RemCom, and xCmdSvc. It was also observed using custom tools such as REDTRIP, PINKTRIP, and BLUETRIP to create SOCKS5 proxies between infected hosts. Stolen data is usually compressed using WinRAR or 7-Zip.
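The tool chain described above (credential dumping with ProcDump or Mimikatz, lateral movement with PsExec or RemCom, and staging of stolen data with WinRAR or 7-Zip) is the kind of sequence a defender can look for in process-creation telemetry. The following is an added example, not code from FireEye or SecurityWeek: it classifies constructed process-creation events into the phases named in the article and flags hosts where more than one phase appears. The pipe-delimited log format, the host and user names, and the sample command lines are all constructed assumptions; the image-name lists are only the tools the article itself mentions.

```python
"""Toy phase-tagging detector for the APT39 tool categories named in the
report. Added example, not FireEye's or SecurityWeek's code. The event
format (host|user|image|command line) and every sample line are constructed."""

import re
from collections import defaultdict

# Process images tied to each phase in the article. Matching on image name
# alone is a weak signal (these are dual-use admin tools), so findings are
# combined per host below rather than alerted individually.
LATERAL_MOVEMENT = {"psexec.exe", "psexesvc.exe", "remcom.exe",
                    "remcomsvc.exe", "xcmdsvc.exe"}
CREDENTIAL_ACCESS = {"mimikatz.exe", "wce.exe", "procdump.exe", "ncrack.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}

# ProcDump is legitimate; only treat it as credential access when lsass is named.
LSASS_RE = re.compile(r"\blsass(\.exe)?\b", re.IGNORECASE)
# Archiver run with a password (-p/-hp) or split-volume (-v) switch is a
# stronger staging signal than plain extraction. Heuristic, not exhaustive.
ARCHIVE_STAGING_RE = re.compile(r"(^|\s)-(hp|p|v)\S*", re.IGNORECASE)

# Constructed sample telemetry (not real data).
CONSTRUCTED_EVENTS = [
    "WS01|corp\\alice|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|WINWORD.EXE /n report.docx",
    "WS01|corp\\alice|C:\\Users\\alice\\AppData\\Local\\Temp\\procdump.exe|procdump.exe -ma lsass.exe out.dmp",
    "WS01|corp\\alice|C:\\Windows\\Temp\\PsExec.exe|PsExec.exe \\\\FS02 -s cmd.exe",
    "FS02|corp\\svc_backup|C:\\Program Files\\WinRAR\\Rar.exe|Rar.exe a -hpXXXX -v50m out.rar D:\\finance",
    "FS02|corp\\svc_backup|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "WS07|corp\\bob|C:\\Program Files\\7-Zip\\7z.exe|7z.exe x update.7z",
]


def parse_event(line):
    """Split one constructed event line into its fields; image is the bare, lowercased file name."""
    host, user, image, cmdline = line.split("|", 3)
    return {"host": host, "user": user,
            "image": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}


def classify(event):
    """Return the phase tag for an event, or None if it is not interesting."""
    img, cmd = event["image"], event["cmdline"]
    if img in LATERAL_MOVEMENT:
        return "lateral_movement"
    if img in CREDENTIAL_ACCESS:
        if img == "procdump.exe" and not LSASS_RE.search(cmd):
            return None  # ordinary crash-dump use of ProcDump
        return "credential_access"
    if img in ARCHIVERS and ARCHIVE_STAGING_RE.search(cmd):
        return "collection_staging"
    return None


def analyze(lines):
    """Map each host to the sorted list of phases observed on it."""
    phases = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        tag = classify(ev)
        if tag:
            phases[ev["host"]].add(tag)
    return {host: sorted(p) for host, p in phases.items()}


def hosts_to_triage(lines, min_phases=2):
    """Hosts showing at least min_phases distinct phases; a single dual-use tool does not qualify."""
    return sorted(h for h, p in analyze(lines).items() if len(p) >= min_phases)


if __name__ == "__main__":
    for host, tags in analyze(CONSTRUCTED_EVENTS).items():
        print(host, tags)
    print("triage:", hosts_to_triage(CONSTRUCTED_EVENTS))
```

On the constructed sample, WS01 shows both credential access (ProcDump against lsass) and lateral movement (PsExec), so it is the one host returned for triage; FS02 shows only password-protected, split-volume archiving, and the plain 7-Zip extraction on WS07 is ignored. Requiring two phases per host is the design choice that keeps ordinary administrative use of PsExec or WinRAR from paging anyone.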
“APT39’s targeting not only represents a threat to known targeted industries, but it extends to these organizations’ clientele, which includes a wide variety of sectors and individuals on a global scale. APT39’s activity showcases Iran’s potential global operational reach and how it uses cyber operations as a low-cost and effective tool to facilitate the collection of key data on perceived national security threats and gain advantages against regional and global rivals,” FireEye concludes.