Friday, December 6, 2024
Homecyber securityAPT42 Hackers Posing As Event Organizers To Hijack Victim Network

APT42 Hackers Posing As Event Organizers To Hijack Victim Network

Published on

SIEM as a Service

APT42, a group linked to the Iranian government, is using social engineering tactics such as impersonating journalists and event organizers to trick NGOs, media, academia, legal firms, and activists into providing credentials to access their cloud environments.

They exfiltrate data of strategic interest while using built-in tools to evade detection.

APT42 also delivers custom NICECURL and TAMECAT backdoors via spear-phishing for initial access, which aligns with its mission to monitor foreign threats and domestic unrest.

- Advertisement - SIEM as a Service

APT42’s extensive credential harvesting operations involve tailored spear-phishing campaigns with elaborate social engineering, typically following a three-step process.

Three steps (Source – Mandiant)

APT42 Hackers As Event Organizers

APT42 used three infrastructure clusters to steal credentials from government organizations, media outlets, NGOs, and activist groups.

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

Each cluster used spear-phishing emails to harvest credentials, but the domains, impersonation themes, decoy documents, and other operational details changed slightly with each one.

APT42 continued their campaigns to steal credentials by taking data from legal and NGO-compromised cloud infrastructures of US and UK targets, which they sent back to Iran in 2022-23.

They secretly broke into Microsoft 365 environments through social engineering and skipping multi-factor authentication, using features already in the system as well as open-source tools so that nobody noticed what was going on. 

APT42 cloud operations flow of attack (Source – Mandiant)

Though researchers only know about people affected in America or Britain so far, this may indicate that more countries have been attacked, too, because APT42 gathers worldwide credentials.

Mandiant documented APT42 deploying custom NICECURL and TAMECAT backdoors delivered via spear-phishing with decoy content from spoofed organizations. 

NICECURL, a VBScript backdoor, allows downloading additional modules, command execution and connects over HTTPS. 

Samples impersonated Harvard’s public health school using the name Daniel Serwer (Middle East scholar) and the US think tank’s “Empowering Women for Peace” report to likely target NGOs, governments, and groups involved with Iran and Middle East matters consistent with APT42’s profile. 

The backdoors enable initial access as potential malware deployment platforms.

While APT42’s methods for staying undetected challenge detection, TTPs that are shared, IOCs, and rules do this to help support mitigation.

According to the researchers, “It is a low footprint and low detection infrastructure.” However, several indicators, such as their use of certain tools or code names, pointed towards Mandiant eventually finding them out. 

They have also been known to utilize shared code repositories, which gave them away on more than one occasion.

Also, despite all these factors, credential abuse remains one of the most common ways hackers exploit to gain initial cloud access.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...