APT42

APT42 is an Iranian-sponsored threat group that conducts cyber espionage and surveillance.(Citation: Mandiant APT42-charms) The group primarily focuses on targets in the Middle East region, but has targeted a variety of industries and countries since at least 2015.(Citation: Mandiant APT42-charms) APT42 starts cyber operations through spearphishing emails and/or the PINEFLOWER Android malware, then monitors and collects information from the compromised systems and devices.(Citation: Mandiant APT42-charms) Finally, APT42 exfiltrates data using native features and open-source tools.(Citation: Mandiant APT42-untangling) APT42 activities have been linked to Magic Hound by other commercial vendors. While there are behavior and software overlaps between Magic Hound and APT42, they appear to be distinct and are tracked as separate entities by their originating vendor.
ID: G1044
Associated Groups: 
Created: 08 Jan 2025
Last Modified: 08 Mar 2025

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

APT42 has used the PowerShell-based POWERPOST script to collect local account names from the victim machine.(Citation: Mandiant APT42-charms)

Enterprise T1583 .001 Acquire Infrastructure: Domains

APT42 has registered domains, several of which masqueraded as news outlets and login services, for use in operations.(Citation: Mandiant APT42-charms)(Citation: TAG APT42)

Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

APT42 has used anonymized infrastructure and Virtual Private Servers (VPSs) to interact with the victim’s environment.(Citation: Mandiant APT42-charms)(Citation: Mandiant APT42-untangling)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT42 has used tools such as NICECURL with command and control communication taking place over HTTPS.(Citation: Mandiant APT42-untangling)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT42 has downloaded and executed PowerShell payloads.(Citation: Mandiant APT42-charms)

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

APT42 has used a VBScript to query anti-virus products.(Citation: Mandiant APT42-untangling)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

APT42 has used custom malware to steal credentials.(Citation: Mandiant APT42-charms)

Enterprise T1132 .001 Data Encoding: Standard Encoding

APT42 has encoded C2 traffic with Base64.(Citation: Mandiant APT42-untangling)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

APT42 has used tools such as NICECURL with command and control communication taking place over HTTPS.(Citation: Mandiant APT42-untangling)

Enterprise T1585 .002 Establish Accounts: Email Accounts

APT42 has created email accounts to use in spearphishing operations.(Citation: TAG APT42)

Enterprise T1070 .008 Indicator Removal: Clear Mailbox Data

APT42 has deleted login notification emails and has cleared the Sent folder to cover their tracks.(Citation: Mandiant APT42-charms)

Enterprise T1056 .001 Input Capture: Keylogging

APT42 has used custom malware to log keystrokes.(Citation: Mandiant APT42-charms)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

APT42 has masqueraded the VINETHORN payload as a VPN application.(Citation: Mandiant APT42-charms)

Enterprise T1588 .002 Obtain Capabilities: Tool

APT42 has used built-in features in the Microsoft 365 environment and publicly available tools to avoid detection.(Citation: Mandiant APT42-untangling)

Enterprise T1566 .002 Phishing: Spearphishing Link

APT42 has sent spearphishing emails containing malicious links.(Citation: Mandiant APT42-charms)(Citation: Mandiant APT42-untangling)(Citation: TAG APT42)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT42 has used scheduled tasks for persistence.(Citation: Mandiant APT42-charms)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

APT42 has used Windows Management Instrumentation (WMI) to check for anti-virus products.(Citation: Mandiant APT42-untangling)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

APT42 has used its infrastructure for C2 and for staging the VINETHORN payload, which masqueraded as a VPN application.(Citation: Mandiant APT42-charms)