APT39
Associated Group Descriptions

Name | Description
---|---
Remix Kitten | (Citation: Crowdstrike GTR2020 Mar 2020)
ITG07 | (Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)
Chafer | Activities associated with APT39 largely align with a group publicly referred to as Chafer.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: Dark Reading APT39 JAN 2019)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | APT39 has used HTTP in communications with C2.(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020)
Enterprise | T1071.004 | Application Layer Protocol: DNS | APT39 has used remote access tools that leverage DNS in communications with C2.(Citation: BitDefender Chafer May 2020)
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | APT39 has used WinRAR and 7-Zip to compress and archive stolen data.(Citation: FireEye APT39 Jan 2019)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | APT39 has maintained persistence using the startup folder.(Citation: FireEye APT39 Jan 2019)
Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | APT39 has modified LNK shortcuts.(Citation: FireEye APT39 Jan 2019)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | APT39 has used PowerShell to execute malicious code.(Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | APT39 has utilized malicious VBS scripts in malware.(Citation: FBI FLASH APT39 September 2020)
Enterprise | T1059.006 | Command and Scripting Interpreter: Python | APT39 has used a command line utility and a network scanner written in Python.(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020)
Enterprise | T1136.001 | Create Account: Local Account | APT39 has created accounts on multiple compromised hosts to perform actions within the network.(Citation: BitDefender Chafer May 2020)
Enterprise | T1074.001 | Data Staged: Local Data Staging | APT39 has utilized tools to aggregate data prior to exfiltration.(Citation: FBI FLASH APT39 September 2020)
Enterprise | T1546.010 | Event Triggered Execution: AppInit DLLs | APT39 has used malware to set
Enterprise | T1070.004 | Indicator Removal: File Deletion | APT39 has used malware to delete files after they are deployed on a compromised host.(Citation: FBI FLASH APT39 September 2020)
Enterprise | T1056.001 | Input Capture: Keylogging | APT39 has used tools for capturing keystrokes.(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe.(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020)
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials.(Citation: FireEye APT39 Jan 2019)
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)
Enterprise | T1588.002 | Obtain Capabilities: Tool | APT39 has modified and used customized versions of publicly available tools like PLINK and Mimikatz.(Citation: BitDefender Chafer May 2020)(Citation: IBM ITG07 June 2019)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | APT39 leveraged spearphishing emails with malicious attachments to initially compromise victims.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)
Enterprise | T1566.002 | Phishing: Spearphishing Link | APT39 leveraged spearphishing emails with malicious links to initially compromise victims.(Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020)
Enterprise | T1090.001 | Proxy: Internal Proxy | APT39 used custom tools to create SOCKS5 and custom protocol proxies between infected hosts.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)
Enterprise | T1090.002 | Proxy: External Proxy | APT39 has used various tools to proxy C2 communications.(Citation: BitDefender Chafer May 2020)
Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | APT39 has been seen using RDP for lateral movement and persistence, in some cases employing the rdpwinst tool for management of multiple sessions.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)
Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | APT39 has used SMB for lateral movement.(Citation: Symantec Chafer February 2018)
Enterprise | T1021.004 | Remote Services: SSH | APT39 used secure shell (SSH) to move laterally among their targets.(Citation: FireEye APT39 Jan 2019)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | APT39 has created scheduled tasks for persistence.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020)
Enterprise | T1505.003 | Server Software Component: Web Shell | APT39 has installed ANTAK and ASPXSPY web shells.(Citation: FireEye APT39 Jan 2019)
Enterprise | T1553.006 | Subvert Trust Controls: Code Signing Policy Modification | APT39 has used malware to turn off the
Enterprise | T1569.002 | System Services: Service Execution | APT39 has used post-exploitation tools including RemCom and the Non-sucking Service Manager (NSSM) to execute processes.(Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018)
Enterprise | T1204.001 | User Execution: Malicious Link | APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link.(Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020)
Enterprise | T1204.002 | User Execution: Malicious File | APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)
Enterprise | T1102.002 | Web Service: Bidirectional Communication | APT39 has communicated with C2 through files uploaded to and downloaded from Dropbox.(Citation: BitDefender Chafer May 2020)
References
- FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
- Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
- Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
- Higgins, K. (2019, January 30). Iran Ups its Traditional Cyber Espionage Tradecraft. Retrieved May 22, 2020.
- Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
- Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
- Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
- Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.
- McMillen, D., Sperry, C. (2019, June 14). Observations of ITG07 Cyber Operations. Retrieved May 17, 2021.
- Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
- Dept. of Treasury. (2020, September 17). Treasury Sanctions Cyber Actors Backed by Iranian Intelligence. Retrieved December 10, 2020.
- DOJ. (2020, September 17). Department of Justice and Partner Departments and Agencies Conduct Coordinated Actions to Disrupt and Deter Iranian Malicious Cyber Activities Targeting the United States and the Broader International Community. Retrieved December 10, 2020.