APT42 Hackers Posing As Event Organizers To Hijack Victim Network

APT42, a group linked to the Iranian government, is using social engineering tactics such as impersonating journalists and event organizers to trick NGOs, media, academia, legal firms, and activists into providing credentials to access their cloud environments.

They exfiltrate data of strategic interest while using built-in tools to evade detection.

APT42 also delivers custom NICECURL and TAMECAT backdoors via spear-phishing for initial access, which aligns with its mission to monitor foreign threats and domestic unrest.

APT42’s extensive credential harvesting operations involve tailored spear-phishing campaigns with elaborate social engineering, typically following a three-step process.

Three steps (Source – Mandiant)

APT42 Hackers As Event Organizers

APT42 used three infrastructure clusters to steal credentials from government organizations, media outlets, NGOs, and activist groups.

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

Each cluster used spear-phishing emails to harvest credentials, but the domains, impersonation themes, decoy documents, and other operational details changed slightly with each one.

APT42 continued their campaigns to steal credentials by taking data from legal and NGO-compromised cloud infrastructures of US and UK targets, which they sent back to Iran in 2022-23.

They secretly broke into Microsoft 365 environments through social engineering and skipping multi-factor authentication, using features already in the system as well as open-source tools so that nobody noticed what was going on. 

APT42 cloud operations flow of attack (Source – Mandiant)

Though researchers only know about people affected in America or Britain so far, this may indicate that more countries have been attacked, too, because APT42 gathers worldwide credentials.

Mandiant documented APT42 deploying custom NICECURL and TAMECAT backdoors delivered via spear-phishing with decoy content from spoofed organizations. 

NICECURL, a VBScript backdoor, allows downloading additional modules, command execution and connects over HTTPS. 

Samples impersonated Harvard’s public health school using the name Daniel Serwer (Middle East scholar) and the US think tank’s “Empowering Women for Peace” report to likely target NGOs, governments, and groups involved with Iran and Middle East matters consistent with APT42’s profile. 

The backdoors enable initial access as potential malware deployment platforms.

While APT42’s methods for staying undetected challenge detection, TTPs that are shared, IOCs, and rules do this to help support mitigation.

According to the researchers, “It is a low footprint and low detection infrastructure.” However, several indicators, such as their use of certain tools or code names, pointed towards Mandiant eventually finding them out. 

They have also been known to utilize shared code repositories, which gave them away on more than one occasion.

Also, despite all these factors, credential abuse remains one of the most common ways hackers exploit to gain initial cloud access.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…

1 day ago

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…

1 day ago

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…

1 day ago

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…

1 day ago

Araneida Scanner – Hackers Using Cracked Version Of Acunetix Vulnerability Scanner

Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…

3 days ago

A Dark Web Operation Acquiring KYC Details TO Bypass Identity Verification Systems

A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…

3 days ago