APT39

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.[1][2][3][4][5]

ID: G0087
Associated Groups: ITG07, Chafer, Remix Kitten
Version: 3.2
Created: 19 February 2019
Last Modified: 11 April 2024

Associated Group Descriptions

Name | Description
ITG07 | [3][4][5]
Chafer | Activities associated with APT39 largely align with a group publicly referred to as Chafer.[1][2][6][3][4][5]
Remix Kitten | [7]


Techniques Used

Domain | ID | Name | Use

Enterprise | T1071.001 | Application Layer Protocol: Web Protocols
APT39 has used HTTP in communications with C2.[8][3]

Enterprise | T1071.004 | Application Layer Protocol: DNS
APT39 has used remote access tools that leverage DNS in communications with C2.[8]

Enterprise | T1560.001 | Archive Collected Data: Archive via Utility
APT39 has used WinRAR and 7-Zip to compress and archive stolen data.[1]

Enterprise | T1197 | BITS Jobs
APT39 has used the BITS protocol to exfiltrate stolen data from a compromised host.[3]

Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
APT39 has maintained persistence using the startup folder.[1]

Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification
APT39 has modified LNK shortcuts.[1]

Enterprise | T1110 | Brute Force
APT39 has used Ncrack to reveal credentials.[1]

Enterprise | T1115 | Clipboard Data
APT39 has used tools capable of stealing contents of the clipboard.[9]

Enterprise | T1059 | Command and Scripting Interpreter
APT39 has utilized custom scripts to perform internal reconnaissance.[1][3]

Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell
APT39 has used PowerShell to execute malicious code.[8][9]

Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic
APT39 has utilized malicious VBS scripts in malware.[3]

Enterprise | T1059.006 | Command and Scripting Interpreter: Python
APT39 has used a command line utility and a network scanner written in Python.[8][3]

Enterprise | T1059.010 | Command and Scripting Interpreter: AutoHotKey & AutoIT
APT39 has utilized AutoIt malware scripts embedded in Microsoft Office documents or malicious links.[3]

Enterprise | T1136.001 | Create Account: Local Account
APT39 has created accounts on multiple compromised hosts to perform actions within the network.[8]

Enterprise | T1555 | Credentials from Password Stores
APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords.[8]

Enterprise | T1005 | Data from Local System
APT39 has used various tools to steal files from the compromised host.[9][3]

Enterprise | T1074.001 | Data Staged: Local Data Staging
APT39 has utilized tools to aggregate data prior to exfiltration.[3]

Enterprise | T1140 | Deobfuscate/Decode Files or Information
APT39 has used malware to decrypt encrypted CAB files.[3]

Enterprise | T1546.010 | Event Triggered Execution: AppInit DLLs
APT39 has used malware to set LoadAppInit_DLLs in the Registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows in order to establish persistence.[3]

Enterprise | T1041 | Exfiltration Over C2 Channel
APT39 has exfiltrated stolen victim data through C2 communications.[3]

Enterprise | T1190 | Exploit Public-Facing Application
APT39 has used SQL injection for initial compromise.[9]

Enterprise | T1083 | File and Directory Discovery
APT39 has used tools with the ability to search for files on a compromised host.[3]

Enterprise | T1070.004 | Indicator Removal: File Deletion
APT39 has used malware to delete files after they are deployed on a compromised host.[3]

Enterprise | T1105 | Ingress Tool Transfer
APT39 has downloaded tools to compromised hosts.[9][3]

Enterprise | T1056 | Input Capture
APT39 has utilized tools to capture mouse movements.[3]

Enterprise | T1056.001 | Input Capture: Keylogging
APT39 has used tools for capturing keystrokes.[9][3]

Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location
APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking the legitimate McAfee file mfevtps.exe.[8][3]

Enterprise | T1046 | Network Service Discovery
APT39 has used CrackMapExec and a custom port scanner known as BLUETORCH for network scanning.[1][8]

Enterprise | T1135 | Network Share Discovery
APT39 has used the post-exploitation tool CrackMapExec to enumerate network shares.[8]

Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing
APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection.[1][8]

Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File
APT39 has used malware to drop encrypted CAB files.[3]

Enterprise | T1588.002 | Obtain Capabilities: Tool
APT39 has modified and used customized versions of publicly available tools like PLINK and Mimikatz.[8][10]

Enterprise | T1003 | OS Credential Dumping
APT39 has used different versions of Mimikatz to obtain credentials.[8]

Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory
APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials.[1]

Enterprise | T1566.001 | Phishing: Spearphishing Attachment
APT39 leveraged spearphishing emails with malicious attachments to initially compromise victims.[1][9][3]

Enterprise | T1566.002 | Phishing: Spearphishing Link
APT39 leveraged spearphishing emails with malicious links to initially compromise victims.[1][3]

Enterprise | T1090.001 | Proxy: Internal Proxy
APT39 used custom tools to create SOCKS5 and custom protocol proxies between infected hosts.[1][8]

Enterprise | T1090.002 | Proxy: External Proxy
APT39 has used various tools to proxy C2 communications.[8]

Enterprise | T1012 | Query Registry
APT39 has used various strains of malware to query the Registry.[3]

Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol
APT39 has been seen using RDP for lateral movement and persistence, in some cases employing the rdpwinst tool for management of multiple sessions.[1][8]

Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares
APT39 has used SMB for lateral movement.[9]

Enterprise | T1021.004 | Remote Services: SSH
APT39 used secure shell (SSH) to move laterally among their targets.[1]

Enterprise | T1018 | Remote System Discovery
APT39 has used NBTscan and custom tools to discover remote systems.[1][8][9]

Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task
APT39 has created scheduled tasks for persistence.[1][8][3]

Enterprise | T1113 | Screen Capture
APT39 has used a screen capture utility to take screenshots on a compromised host.[9][3]

Enterprise | T1505.003 | Server Software Component: Web Shell
APT39 has installed ANTAK and ASPXSPY web shells.[1]

Enterprise | T1553.006 | Subvert Trust Controls: Code Signing Policy Modification
APT39 has used malware to turn off the RequireSigned feature, which ensures only signed DLLs can be run on Windows.[3]

Enterprise | T1033 | System Owner/User Discovery
APT39 used Remexi to collect usernames from the system.[2]

Enterprise | T1569.002 | System Services: Service Execution
APT39 has used post-exploitation tools including RemCom and the Non-Sucking Service Manager (NSSM) to execute processes.[8][9]

Enterprise | T1204.001 | User Execution: Malicious Link
APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link.[1][3]

Enterprise | T1204.002 | User Execution: Malicious File
APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment.[1][8][9][3]

Enterprise | T1078 | Valid Accounts
APT39 has used stolen credentials to compromise Outlook Web Access (OWA).[1]

Enterprise | T1102.002 | Web Service: Bidirectional Communication
APT39 has communicated with C2 through files uploaded to and downloaded from Dropbox.[8]

Software

ID | Name | References | Techniques
S0073 | ASPXSpy | [1] | Server Software Component: Web Shell
S0454 | Cadelspy | [2] | Application Window Discovery, Archive Collected Data, Audio Capture, Clipboard Data, Input Capture: Keylogging, Peripheral Device Discovery, Screen Capture, System Information Discovery
S0488 | CrackMapExec | [1][8] | Account Discovery: Domain Account, Brute Force: Password Spraying, Brute Force: Password Guessing, Brute Force, Command and Scripting Interpreter: PowerShell, File and Directory Discovery, Local Storage Discovery, Modify Registry, Network Share Discovery, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, OS Credential Dumping: LSA Secrets, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, Scheduled Task/Job: At, System Network Configuration Discovery, System Network Connections Discovery, Use Alternate Authentication Material: Pass the Hash, Windows Management Instrumentation
S0095 | ftp | [3] | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S0459 | MechaFlounder | [11] | Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Python, Data Encoding: Standard Encoding, Exfiltration Over C2 Channel, Ingress Tool Transfer, Masquerading: Match Legitimate Resource Name or Location, System Owner/User Discovery
S0002 | Mimikatz | [1][8][6][9] | Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0590 | NBTscan | [1] | Network Service Discovery, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0029 | PsExec | [1][8][9] | Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0006 | pwdump | [9] | OS Credential Dumping: Security Account Manager
S0375 | Remexi | [2][12][9] | Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Winlogon Helper DLL, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, File and Directory Discovery, Input Capture: Keylogging, Obfuscated Files or Information: Encrypted/Encoded File, Scheduled Task/Job: Scheduled Task, Screen Capture, Windows Management Instrumentation
S0005 | Windows Credential Editor | [1][6] | OS Credential Dumping: LSASS Memory

References

  1. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  2. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
  3. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  4. Dept. of Treasury. (2020, September 17). Treasury Sanctions Cyber Actors Backed by Iranian Intelligence. Retrieved December 10, 2020.
  5. DOJ. (2020, September 17). Department of Justice and Partner Departments and Agencies Conduct Coordinated Actions to Disrupt and Deter Iranian Malicious Cyber Activities Targeting the United States and the Broader International Community. Retrieved December 10, 2020.
  6. Higgins, K. (2019, January 30). Iran Ups its Traditional Cyber Espionage Tradecraft. Retrieved May 22, 2020.
