APT39

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)
ID: G0087
Associated Groups: Chafer, Remix Kitten, ITG07
Version: 3.2
Created: 19 Feb 2019
Last Modified: 11 Apr 2024

Associated Group Descriptions

Name Description
Chafer Activities associated with APT39 largely align with a group publicly referred to as Chafer.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: Dark Reading APT39 JAN 2019)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)
Remix Kitten (Citation: Crowdstrike GTR2020 Mar 2020)
ITG07 (Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT39 has used HTTP in communications with C2.(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020)

.004 Application Layer Protocol: DNS

APT39 has used remote access tools that leverage DNS in communications with C2.(Citation: BitDefender Chafer May 2020)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT39 has used WinRAR and 7-Zip to compress and archive stolen data.(Citation: FireEye APT39 Jan 2019)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT39 has maintained persistence using the startup folder.(Citation: FireEye APT39 Jan 2019)

.009 Boot or Logon Autostart Execution: Shortcut Modification

APT39 has modified LNK shortcuts.(Citation: FireEye APT39 Jan 2019)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT39 has used PowerShell to execute malicious code.(Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018)

.005 Command and Scripting Interpreter: Visual Basic

APT39 has utilized malicious VBS scripts in malware.(Citation: FBI FLASH APT39 September 2020)

.006 Command and Scripting Interpreter: Python

APT39 has used a command line utility and a network scanner written in Python.(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020)

.010 Command and Scripting Interpreter: AutoHotKey & AutoIT

APT39 has utilized AutoIt malware scripts embedded in Microsoft Office documents or malicious links.(Citation: FBI FLASH APT39 September 2020)

Enterprise T1136 .001 Create Account: Local Account

APT39 has created accounts on multiple compromised hosts to perform actions within the network.(Citation: BitDefender Chafer May 2020)

Enterprise T1074 .001 Data Staged: Local Data Staging

APT39 has utilized tools to aggregate data prior to exfiltration.(Citation: FBI FLASH APT39 September 2020)

Enterprise T1546 .010 Event Triggered Execution: AppInit DLLs

APT39 has used malware to set LoadAppInit_DLLs in the Registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows in order to establish persistence.(Citation: FBI FLASH APT39 September 2020)

Enterprise T1070 .004 Indicator Removal: File Deletion

APT39 has used malware to delete files after they are deployed on a compromised host.(Citation: FBI FLASH APT39 September 2020)

Enterprise T1056 .001 Input Capture: Keylogging

APT39 has used tools for capturing keystrokes.(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe.(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials.(Citation: FireEye APT39 Jan 2019)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)

.013 Obfuscated Files or Information: Encrypted/Encoded File

APT39 has used malware to drop encrypted CAB files.(Citation: FBI FLASH APT39 September 2020)

Enterprise T1588 .002 Obtain Capabilities: Tool

APT39 has modified and used customized versions of publicly available tools like PLINK and Mimikatz.(Citation: BitDefender Chafer May 2020)(Citation: IBM ITG07 June 2019)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT39 leveraged spearphishing emails with malicious attachments to initially compromise victims.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)

.002 Phishing: Spearphishing Link

APT39 leveraged spearphishing emails with malicious links to initially compromise victims.(Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020)

Enterprise T1090 .001 Proxy: Internal Proxy

APT39 used custom tools to create SOCKS5 and custom protocol proxies between infected hosts.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)

.002 Proxy: External Proxy

APT39 has used various tools to proxy C2 communications.(Citation: BitDefender Chafer May 2020)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

APT39 has been seen using RDP for lateral movement and persistence, in some cases employing the rdpwinst tool for management of multiple sessions.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)

.002 Remote Services: SMB/Windows Admin Shares

APT39 has used SMB for lateral movement.(Citation: Symantec Chafer February 2018)

.004 Remote Services: SSH

APT39 used secure shell (SSH) to move laterally among their targets.(Citation: FireEye APT39 Jan 2019)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT39 has created scheduled tasks for persistence.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020)

Enterprise T1505 .003 Server Software Component: Web Shell

APT39 has installed ANTAK and ASPXSPY web shells.(Citation: FireEye APT39 Jan 2019)

Enterprise T1553 .006 Subvert Trust Controls: Code Signing Policy Modification

APT39 has used malware to turn off the RequireSigned feature which ensures only signed DLLs can be run on Windows.(Citation: FBI FLASH APT39 September 2020)

Enterprise T1569 .002 System Services: Service Execution

APT39 has used post-exploitation tools including RemCom and the Non-sucking Service Manager (NSSM) to execute processes.(Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018)

Enterprise T1204 .001 User Execution: Malicious Link

APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link.(Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020)

.002 User Execution: Malicious File

APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)

Enterprise T1102 .002 Web Service: Bidirectional Communication

APT39 has communicated with C2 through files uploaded to and downloaded from Dropbox.(Citation: BitDefender Chafer May 2020)
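The T1546.010 (AppInit DLLs) and T1553.006 (RequireSigned) entries above both hinge on values under the same registry key. The following is an added defender-side audit script, not code from the ATT&CK page or from SECURITM; it assumes it runs on the Windows host being checked, as an administrator, and that the value names LoadAppInit_DLLs, RequireSignedAppInit_DLLs and AppInit_DLLs are present or absent as the loader expects them.

```powershell
# Added example (not from the ATT&CK page or SECURITM): audit the AppInit_DLLs
# persistence settings described under T1546.010 and T1553.006 above.
# Assumption: run locally on the Windows host under review, with admin rights.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitFindings {
    param([string[]]$Keys = $AppInitKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $load    = $props.LoadAppInit_DLLs           # 1 = DLLs listed in AppInit_DLLs are loaded
        $signed  = $props.RequireSignedAppInit_DLLs  # 0 = unsigned DLLs are accepted
        $dllList = [string]$props.AppInit_DLLs       # space/comma separated list of DLLs
        $findings = @()
        if ($load -eq 1)   { $findings += 'LoadAppInit_DLLs=1: AppInit DLL loading is enabled' }
        if ($signed -eq 0) { $findings += 'RequireSignedAppInit_DLLs=0: unsigned DLLs are allowed' }
        foreach ($dll in ($dllList -split '[ ,;]+' | Where-Object { $_ })) {
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not (Test-Path -Path $path)) {
                # A bare file name is resolved through the loader search order, so
                # it may exist even though it is not found at this literal path.
                $findings += "AppInit_DLLs entry not found at literal path: $dll"
                continue
            }
            # Check the Authenticode status of every listed DLL, whatever RequireSigned says.
            $sig = Get-AuthenticodeSignature -FilePath $path
            $findings += "AppInit_DLLs entry $path signature status: $($sig.Status)"
        }
        [pscustomobject]@{ Key = $key; Findings = $findings }
    }
}

foreach ($r in (Get-AppInitFindings)) {
    Write-Host "== $($r.Key)"
    if ($r.Findings.Count -eq 0) { Write-Host '   no AppInit DLL persistence indicators'; continue }
    $r.Findings | ForEach-Object { Write-Host "   $_" }
}
```

A clean host normally reports no findings for either key; any entry with LoadAppInit_DLLs=1, RequireSignedAppInit_DLLs=0 or a DLL whose signature status is not Valid deserves a closer look.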

Software

ID Name References Techniques
S0005 Windows Credential Editor (Citation: Amplia WCE) (Citation: Dark Reading APT39 JAN 2019) (Citation: FireEye APT39 Jan 2019) LSASS Memory
S0073 ASPXSpy (Citation: Dell TG-3390) (Citation: FireEye APT39 Jan 2019) Web Shell
S0006 pwdump (Citation: Symantec Chafer February 2018) (Citation: Wikipedia pwdump) Security Account Manager
S0454 Cadelspy (Citation: Symantec Chafer Dec 2015) Screen Capture, Keylogging, Audio Capture, Clipboard Data, Peripheral Device Discovery, System Information Discovery, Application Window Discovery, Archive Collected Data
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: BitDefender Chafer May 2020) (Citation: Dark Reading APT39 JAN 2019) (Citation: Deply Mimikatz) (Citation: FireEye APT39 Jan 2019) (Citation: Symantec Chafer February 2018) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0590 NBTscan (Citation: Debian nbtscan Nov 2019) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Symantec Waterbug Jun 2019) System Owner/User Discovery, Network Sniffing, System Network Configuration Discovery, Remote System Discovery, Network Service Discovery
S0488 CrackMapExec (Citation: BitDefender Chafer May 2020) (Citation: CME Github September 2018) (Citation: FireEye APT39 Jan 2019) Windows Management Instrumentation, Password Guessing, Security Account Manager, LSA Secrets, Domain Account, Domain Groups, Network Share Discovery, System Information Discovery, Modify Registry, Password Spraying, System Network Configuration Discovery, File and Directory Discovery, System Network Connections Discovery, PowerShell, Brute Force, Password Policy Discovery, Remote System Discovery, Pass the Hash, NTDS, At
S0095 ftp (Citation: FBI FLASH APT39 September 2020) (Citation: Linux FTP) (Citation: Microsoft FTP) Lateral Tool Transfer, Ingress Tool Transfer, Commonly Used Port, Exfiltration Over Unencrypted Non-C2 Protocol
S0459 MechaFlounder (Citation: Unit 42 MechaFlounder March 2019) System Owner/User Discovery, Standard Encoding, Match Legitimate Resource Name or Location, Exfiltration Over C2 Channel, Python, Windows Command Shell, Web Protocols, Ingress Tool Transfer
S0375 Remexi (Citation: Securelist Remexi Jan 2019) (Citation: Symantec Chafer Dec 2015) (Citation: Symantec Chafer February 2018) Scheduled Task, Windows Management Instrumentation, Screen Capture, Keylogging, Encrypted/Encoded File, Clipboard Data, Deobfuscate/Decode Files or Information, Application Window Discovery, Archive Collected Data, Winlogon Helper DLL, File and Directory Discovery, Exfiltration Over C2 Channel, Registry Run Keys / Startup Folder, Windows Command Shell, Web Protocols, Visual Basic
S0029 PsExec (Citation: BitDefender Chafer May 2020) (Citation: FireEye APT39 Jan 2019) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) (Citation: Symantec Chafer February 2018) Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution
