APT42, a group linked to the Iranian government, is using social engineering tactics such as impersonating journalists and event organizers to trick NGOs, media, academia, legal firms, and activists into providing credentials to access their cloud environments.

They exfiltrate data of strategic interest while using built-in tools to evade detection.

APT42 also delivers custom NICECURL and TAMECAT backdoors via spear-phishing for initial access, which aligns with its mission to monitor foreign threats and domestic unrest.

APT42’s extensive credential harvesting operations involve tailored spear-phishing campaigns with elaborate social engineering, typically following a three-step process.

APT42 Hackers As Event Organizers

APT42 used three infrastructure clusters to steal credentials from government organizations, media outlets, NGOs, and activist groups.

Each cluster used spear-phishing emails to harvest credentials, but the domains, impersonation themes, decoy documents, and other operational details changed slightly with each one.

APT42 continued their campaigns to steal credentials by taking data from legal and NGO-compromised cloud infrastructures of US and UK targets, which they sent back to Iran in 2022-23.

They secretly broke into Microsoft 365 environments through social engineering and skipping multi-factor authentication, using features already in the system as well as open-source tools so that nobody noticed what was going on. 

Though researchers only know about people affected in America or Britain so far, this may indicate that more countries have been attacked, too, because APT42 gathers worldwide credentials.

Mandiant documented APT42 deploying custom NICECURL and TAMECAT backdoors delivered via spear-phishing with decoy content from spoofed organizations. 

NICECURL, a VBScript backdoor, allows downloading additional modules, command execution and connects over HTTPS. 

Samples impersonated Harvard’s public health school using the name Daniel Serwer (Middle East scholar) and the US think tank’s “Empowering Women for Peace” report to likely target NGOs, governments, and groups involved with Iran and Middle East matters consistent with APT42’s profile. 

The backdoors enable initial access as potential malware deployment platforms.

While APT42’s methods for staying undetected challenge detection, TTPs that are shared, IOCs, and rules do this to help support mitigation.

According to the researchers, “It is a low footprint and low detection infrastructure.” However, several indicators, such as their use of certain tools or code names, pointed towards Mandiant eventually finding them out. 

They have also been known to utilize shared code repositories, which gave them away on more than one occasion.

Also, despite all these factors, credential abuse remains one of the most common ways hackers exploit to gain initial cloud access.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide