
APT39

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)
ID: G0087
Associated Groups: Remix Kitten, ITG07, Chafer
Version: 3.1
Created: 19 Feb 2019
Last Modified: 02 Sep 2022

Associated Group Descriptions

Name Description
Remix Kitten (Citation: Crowdstrike GTR2020 Mar 2020)
ITG07 (Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)
Chafer Activities associated with APT39 largely align with a group publicly referred to as Chafer.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: Dark Reading APT39 JAN 2019)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT39 has used HTTP in communications with C2.(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020)

.004 Application Layer Protocol: DNS

APT39 has used remote access tools that leverage DNS in communications with C2.(Citation: BitDefender Chafer May 2020)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT39 has used WinRAR and 7-Zip to compress and archive stolen data.(Citation: FireEye APT39 Jan 2019)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT39 has maintained persistence using the startup folder.(Citation: FireEye APT39 Jan 2019)

.009 Boot or Logon Autostart Execution: Shortcut Modification

APT39 has modified LNK shortcuts.(Citation: FireEye APT39 Jan 2019)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT39 has used PowerShell to execute malicious code.(Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018)

.005 Command and Scripting Interpreter: Visual Basic

APT39 has utilized malicious VBS scripts in malware.(Citation: FBI FLASH APT39 September 2020)

.006 Command and Scripting Interpreter: Python

APT39 has used a command line utility and a network scanner written in Python.(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020)

Enterprise T1136 .001 Create Account: Local Account

APT39 has created accounts on multiple compromised hosts to perform actions within the network.(Citation: BitDefender Chafer May 2020)

Enterprise T1074 .001 Data Staged: Local Data Staging

APT39 has utilized tools to aggregate data prior to exfiltration.(Citation: FBI FLASH APT39 September 2020)

Enterprise T1546 .010 Event Triggered Execution: AppInit DLLs

APT39 has used malware to set LoadAppInit_DLLs in the Registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows in order to establish persistence.(Citation: FBI FLASH APT39 September 2020)

Enterprise T1070 .004 Indicator Removal: File Deletion

APT39 has used malware to delete files after they are deployed on a compromised host.(Citation: FBI FLASH APT39 September 2020)

Enterprise T1056 .001 Input Capture: Keylogging

APT39 has used tools for capturing keystrokes.(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe.(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials.(Citation: FireEye APT39 Jan 2019)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)

Enterprise T1588 .002 Obtain Capabilities: Tool

APT39 has modified and used customized versions of publicly available tools like PLINK and Mimikatz.(Citation: BitDefender Chafer May 2020)(Citation: IBM ITG07 June 2019)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT39 leveraged spearphishing emails with malicious attachments to initially compromise victims.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)

.002 Phishing: Spearphishing Link

APT39 leveraged spearphishing emails with malicious links to initially compromise victims.(Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020)

Enterprise T1090 .001 Proxy: Internal Proxy

APT39 used custom tools to create SOCKS5 and custom protocol proxies between infected hosts.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)

.002 Proxy: External Proxy

APT39 has used various tools to proxy C2 communications.(Citation: BitDefender Chafer May 2020)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

APT39 has been seen using RDP for lateral movement and persistence, in some cases employing the rdpwinst tool for management of multiple sessions.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)

.002 Remote Services: SMB/Windows Admin Shares

APT39 has used SMB for lateral movement.(Citation: Symantec Chafer February 2018)

.004 Remote Services: SSH

APT39 used secure shell (SSH) to move laterally among their targets.(Citation: FireEye APT39 Jan 2019)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT39 has created scheduled tasks for persistence.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020)

Enterprise T1505 .003 Server Software Component: Web Shell

APT39 has installed ANTAK and ASPXSPY web shells.(Citation: FireEye APT39 Jan 2019)

Enterprise T1553 .006 Subvert Trust Controls: Code Signing Policy Modification

APT39 has used malware to turn off the RequireSigned feature which ensures only signed DLLs can be run on Windows.(Citation: FBI FLASH APT39 September 2020)

Enterprise T1569 .002 System Services: Service Execution

APT39 has used post-exploitation tools including RemCom and the Non-sucking Service Manager (NSSM) to execute processes.(Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018)

Enterprise T1204 .001 User Execution: Malicious Link

APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link.(Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020)

.002 User Execution: Malicious File

APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)

Enterprise T1102 .002 Web Service: Bidirectional Communication

APT39 has communicated with C2 through files uploaded to and downloaded from Dropbox.(Citation: BitDefender Chafer May 2020)
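A read-only audit of the registry key named in the T1546.010 row above, covering the LoadAppInit_DLLs setting and the RequireSigned guard that the T1553.006 row describes being turned off. This is an added defender-side example written for this page, not code from MITRE or from the cited reports; it assumes the value name RequireSignedAppInit_DLLs (the registry value behind the "RequireSigned" feature) and the Wow6432Node mirror key, and the function name Test-AppInitDlls is this example's own.

```powershell
# Added example, not part of the ATT&CK page: audit the AppInit_DLLs persistence
# mechanism that APT39 is reported to abuse (LoadAppInit_DLLs set, signing requirement
# turned off). Reads the registry only; run from an elevated PowerShell session.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view on x64
)

function Test-AppInitDlls {
    param([string[]]$KeyPaths)
    foreach ($path in $KeyPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $k = Get-ItemProperty -LiteralPath $path
        # Hardened state: loading disabled (0), signing required (1), no DLLs listed.
        # A missing value is left as $null so the report shows it was never set.
        $loadEnabled = ($k.LoadAppInit_DLLs -eq 1)
        $signingOff  = ($k.RequireSignedAppInit_DLLs -eq 0)
        $listedDlls  = @($k.AppInit_DLLs -split '[ ,;]+' | Where-Object { $_ })

        # Every DLL still listed is checked for an Authenticode signature; bare names that
        # cannot be resolved from the current directory are reported as FileNotFound.
        $dllReport = foreach ($dll in $listedDlls) {
            $status = if (Test-Path -LiteralPath $dll) {
                (Get-AuthenticodeSignature -FilePath $dll).Status
            } else { 'FileNotFound' }
            "$dll [$status]"
        }

        [pscustomobject]@{
            Key              = $path
            LoadAppInit_DLLs = $k.LoadAppInit_DLLs
            RequireSigned    = $k.RequireSignedAppInit_DLLs
            AppInit_DLLs     = ($dllReport -join '; ')
            Suspicious       = ($loadEnabled -or $signingOff -or ($listedDlls.Count -gt 0))
        }
    }
}

$results = Test-AppInitDlls -KeyPaths $keys
$results | Format-Table -AutoSize
foreach ($r in ($results | Where-Object Suspicious)) {
    Write-Warning ("AppInit_DLLs exposure under {0}: LoadAppInit_DLLs={1}, RequireSigned={2}, DLLs='{3}'" -f `
        $r.Key, $r.LoadAppInit_DLLs, $r.RequireSigned, $r.AppInit_DLLs)
}
```

Any row flagged Suspicious is worth correlating with the file-deletion and scheduled-task behaviours listed in the same table, since the report describes them being used together on the same hosts.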

Software

ID Name References Techniques
S0005 Windows Credential Editor (Citation: Amplia WCE) (Citation: Dark Reading APT39 JAN 2019) (Citation: FireEye APT39 Jan 2019) LSASS Memory
S0073 ASPXSpy (Citation: Dell TG-3390) (Citation: FireEye APT39 Jan 2019) Web Shell
S0006 pwdump (Citation: Symantec Chafer February 2018) (Citation: Wikipedia pwdump) Security Account Manager
S0454 Cadelspy (Citation: Symantec Chafer Dec 2015) Application Window Discovery, Keylogging, Archive Collected Data, Clipboard Data, Audio Capture, System Information Discovery, Screen Capture, Peripheral Device Discovery
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: BitDefender Chafer May 2020) (Citation: Dark Reading APT39 JAN 2019) (Citation: Deply Mimikatz) (Citation: FireEye APT39 Jan 2019) (Citation: Symantec Chafer February 2018) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0590 NBTscan (Citation: Debian nbtscan Nov 2019) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Symantec Waterbug Jun 2019) System Owner/User Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Remote System Discovery
S0488 CrackMapExec (Citation: BitDefender Chafer May 2020) (Citation: CME Github September 2018) (Citation: FireEye APT39 Jan 2019) Security Account Manager, NTDS, Password Spraying, Password Policy Discovery, Domain Account, System Network Connections Discovery, Password Guessing, At, Network Share Discovery, Remote System Discovery, LSA Secrets, Windows Management Instrumentation, Modify Registry, File and Directory Discovery, Pass the Hash, System Information Discovery, Domain Groups, PowerShell, System Network Configuration Discovery, Brute Force
S0095 ftp (Citation: FBI FLASH APT39 September 2020) (Citation: Linux FTP) (Citation: Microsoft FTP) Commonly Used Port, Lateral Tool Transfer, Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer
S0459 MechaFlounder (Citation: Unit 42 MechaFlounder March 2019) Exfiltration Over C2 Channel, Match Legitimate Name or Location, System Owner/User Discovery, Standard Encoding, Web Protocols, Windows Command Shell, Python, Ingress Tool Transfer
S0375 Remexi (Citation: Securelist Remexi Jan 2019) (Citation: Symantec Chafer Dec 2015) (Citation: Symantec Chafer February 2018) Scheduled Task, Windows Command Shell, Keylogging, Exfiltration Over C2 Channel, Obfuscated Files or Information, Clipboard Data, Registry Run Keys / Startup Folder, Web Protocols, Windows Management Instrumentation, Deobfuscate/Decode Files or Information, Winlogon Helper DLL, Application Window Discovery, Archive Collected Data, Visual Basic, Screen Capture, File and Directory Discovery
S0029 PsExec (Citation: BitDefender Chafer May 2020) (Citation: FireEye APT39 Jan 2019) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) (Citation: Symantec Chafer February 2018) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

  1. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  2. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  3. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  4. Higgins, K. (2019, January 30). Iran Ups its Traditional Cyber Espionage Tradecraft. Retrieved May 22, 2020.
  5. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
  6. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
  7. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  8. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.
  9. McMillen, D. Sperry, C. (2019, June 14). Observations of ITG07 Cyber Operations. Retrieved May 17, 2021.
  10. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  11. Dept. of Treasury. (2020, September 17). Treasury Sanctions Cyber Actors Backed by Iranian Intelligence. Retrieved December 10, 2020.
  12. DOJ. (2020, September 17). Department of Justice and Partner Departments and Agencies Conduct Coordinated Actions to Disrupt and Deter Iranian Malicious Cyber Activities Targeting the United States and the Broader International Community. Retrieved December 10, 2020.
