One Article Review

Source: Mandiant
Identifier: 8500390
Publication date: 2024-05-01 14:00:00 (seen: 2024-05-15 19:06:53)
Title: Uncharmed: Untangling Iran's APT42 Operations
Text: Written by: Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, Jonathan Leathery
  APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. The actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services and activists. Mandiant assesses APT42 operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). APT42 was observed posing as journalists and event organizers to build trust with their victims through ongoing correspondence, and to deliver invitations to conferences or legitimate documents. These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to cloud environments. Subsequently, the threat actor covertly exfiltrated data of strategic interest to Iran, while relying on built-in features and open-source tools to avoid detection. In addition to cloud operations, we also outline recent malware-based APT42 operations using two custom backdoors: NICECURL and TAMECAT. These backdoors are delivered via spear phishing, providing the attackers with initial access that might be used as a command execution interface or as a jumping point to deploy additional malware. APT42 targeting and missions are consistent with its assessed affiliation with the IRGC-IO, which is a part of the Iranian intelligence apparatus that is responsible for monitoring and preventing foreign threats to the Islamic Republic and domestic unrest. APT42 activities overlap with the publicly reported actors CALANQUE (Google Threat Analysis Group), Charming Kitten (ClearSky and CERTFA), Mint Sandstorm/Phosphorus (Microsoft), TA453 (Proofpoint), Yellow Garuda (PwC), and ITG18 (
Rating: ★★
Sent: Yes
Tags: Malware, Tool, Threat, Cloud
Stories: Yahoo, APT 35, APT 42


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.