Skip to content

G0087 APT39

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.57423

Item Value
ID G0087
Associated Names ITG07, Chafer, Remix Kitten
Version 3.1
Created 19 February 2019
Last Modified 02 September 2022
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
ITG07 423
Chafer Activities associated with APT39 largely align with a group publicly referred to as Chafer.576423
Remix Kitten 1

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols APT39 has used HTTP in communications with C2.84
enterprise T1071.004 DNS APT39 has used remote access tools that leverage DNS in communications with C2.8
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility APT39 has used WinRAR and 7-Zip to compress an archive stolen data.5
enterprise T1197 BITS Jobs APT39 has used the BITS protocol to exfiltrate stolen data from a compromised host.4
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder APT39 has maintained persistence using the startup folder.5
enterprise T1547.009 Shortcut Modification APT39 has modified LNK shortcuts.5
enterprise T1110 Brute Force APT39 has used Ncrack to reveal credentials.5
enterprise T1115 Clipboard Data APT39 has used tools capable of stealing contents of the clipboard.9
enterprise T1059 Command and Scripting Interpreter APT39 has utilized AutoIt and custom scripts to perform internal reconnaissance.54
enterprise T1059.001 PowerShell APT39 has used PowerShell to execute malicious code.89
enterprise T1059.005 Visual Basic APT39 has utilized malicious VBS scripts in malware.4
enterprise T1059.006 Python APT39 has used a command line utility and a network scanner written in python.84
enterprise T1136 Create Account -
enterprise T1136.001 Local Account APT39 has created accounts on multiple compromised hosts to perform actions within the network.8
enterprise T1555 Credentials from Password Stores APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords.8
enterprise T1005 Data from Local System APT39 has used various tools to steal files from the compromised host.94
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging APT39 has utilized tools to aggregate data prior to exfiltration.4
enterprise T1140 Deobfuscate/Decode Files or Information APT39 has used malware to decrypt encrypted CAB files.4
enterprise T1546 Event Triggered Execution -
enterprise T1546.010 AppInit DLLs APT39 has used malware to set LoadAppInit_DLLs in the Registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows in order to establish persistence.4
enterprise T1041 Exfiltration Over C2 Channel APT39 has exfiltrated stolen victim data through C2 communications.4
enterprise T1190 Exploit Public-Facing Application APT39 has used SQL injection for initial compromise.9
enterprise T1083 File and Directory Discovery APT39 has used tools with the ability to search for files on a compromised host.4
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion APT39 has used malware to delete files after they are deployed on a compromised host.4
enterprise T1105 Ingress Tool Transfer APT39 has downloaded tools to compromised hosts.94
enterprise T1056 Input Capture APT39 has utilized tools to capture mouse movements.4
enterprise T1056.001 Keylogging APT39 has used tools for capturing keystrokes.94
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe.84
enterprise T1046 Network Service Discovery APT39 has used CrackMapExec and a custom port scanner known as BLUETORCH for network scanning.58
enterprise T1135 Network Share Discovery APT39 has used the post exploitation tool CrackMapExec to enumerate network shares.8
enterprise T1027 Obfuscated Files or Information APT39 has used malware to drop encrypted CAB files.4
enterprise T1027.002 Software Packing APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection.58
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool APT39 has modified and used customized versions of publicly-available tools like PLINK and Mimikatz.810
enterprise T1003 OS Credential Dumping APT39 has used different versions of Mimikatz to obtain credentials.8
enterprise T1003.001 LSASS Memory APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials.5
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment APT39 leveraged spearphishing emails with malicious attachments to initially compromise victims.594
enterprise T1566.002 Spearphishing Link APT39 leveraged spearphishing emails with malicious links to initially compromise victims.54
enterprise T1090 Proxy -
enterprise T1090.001 Internal Proxy APT39 used custom tools to create SOCK5 and custom protocol proxies between infected hosts.58
enterprise T1090.002 External Proxy APT39 has used various tools to proxy C2 communications.8
enterprise T1012 Query Registry APT39 has used various strains of malware to query the Registry.4
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol APT39 has been seen using RDP for lateral movement and persistence, in some cases employing the rdpwinst tool for mangement of multiple sessions.58
enterprise T1021.002 SMB/Windows Admin Shares APT39 has used SMB for lateral movement.9
enterprise T1021.004 SSH APT39 used secure shell (SSH) to move laterally among their targets.5
enterprise T1018 Remote System Discovery APT39 has used NBTscan and custom tools to discover remote systems.589
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task APT39 has created scheduled tasks for persistence.584
enterprise T1113 Screen Capture APT39 has used a screen capture utility to take screenshots on a compromised host.94
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell APT39 has installed ANTAK and ASPXSPY web shells.5
enterprise T1553 Subvert Trust Controls -
enterprise T1553.006 Code Signing Policy Modification APT39 has used malware to turn off the RequireSigned feature which ensures only signed DLLs can be run on Windows.4
enterprise T1033 System Owner/User Discovery APT39 used Remexi to collect usernames from the system.7
enterprise T1569 System Services -
enterprise T1569.002 Service Execution APT39 has used post-exploitation tools including RemCom and the Non-sucking Service Manager (NSSM) to execute processes.89
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link.54
enterprise T1204.002 Malicious File APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment.5894
enterprise T1078 Valid Accounts APT39 has used stolen credentials to compromise Outlook Web Access (OWA).5
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication APT39 has communicated with C2 through files uploaded to and downloaded from DropBox.8

Software

ID Name References Techniques
S0073 ASPXSpy 5 Web Shell:Server Software Component
S0454 Cadelspy 7 Application Window Discovery Archive Collected Data Audio Capture Clipboard Data Keylogging:Input Capture Peripheral Device Discovery Screen Capture System Information Discovery
S0488 CrackMapExec 58 Domain Account:Account Discovery Brute Force Password Guessing:Brute Force Password Spraying:Brute Force PowerShell:Command and Scripting Interpreter File and Directory Discovery Modify Registry Network Share Discovery LSA Secrets:OS Credential Dumping NTDS:OS Credential Dumping Security Account Manager:OS Credential Dumping Password Policy Discovery Domain Groups:Permission Groups Discovery Remote System Discovery At:Scheduled Task/Job System Information Discovery System Network Configuration Discovery System Network Connections Discovery Pass the Hash:Use Alternate Authentication Material Windows Management Instrumentation
S0095 ftp 4 Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Ingress Tool Transfer Lateral Tool Transfer
S0459 MechaFlounder 12 Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Python:Command and Scripting Interpreter Standard Encoding:Data Encoding Exfiltration Over C2 Channel Ingress Tool Transfer Match Legitimate Name or Location:Masquerading System Owner/User Discovery
S0002 Mimikatz 5869 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores LSASS Memory:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Ticket:Use Alternate Authentication Material Pass the Hash:Use Alternate Authentication Material
S0590 NBTscan 5 Network Service Discovery Network Sniffing Remote System Discovery System Network Configuration Discovery System Owner/User Discovery
S0029 PsExec 589 Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0006 pwdump 9 Security Account Manager:OS Credential Dumping
S0375 Remexi 7119 Web Protocols:Application Layer Protocol Application Window Discovery Archive Collected Data Winlogon Helper DLL:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Clipboard Data Windows Command Shell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Deobfuscate/Decode Files or Information Exfiltration Over C2 Channel File and Directory Discovery Keylogging:Input Capture Obfuscated Files or Information Scheduled Task:Scheduled Task/Job Screen Capture Windows Management Instrumentation
S0005 Windows Credential Editor 56 LSASS Memory:OS Credential Dumping

References

  1. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 

  2. Dept. of Treasury. (2020, September 17). Treasury Sanctions Cyber Actors Backed by Iranian Intelligence. Retrieved December 10, 2020. 

  3. DOJ. (2020, September 17). Department of Justice and Partner Departments and Agencies Conduct Coordinated Actions to Disrupt and Deter Iranian Malicious Cyber Activities Targeting the United States and the Broader International Community. Retrieved December 10, 2020. 

  4. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. 

  5. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019. 

  6. Higgins, K. (2019, January 30). Iran Ups its Traditional Cyber Espionage Tradecraft. Retrieved May 22, 2020. 

  7. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019. 

  8. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020. 

  9. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020. 

  10. McMillen, D. Sperry, C. (2019, June 14). Observations of ITG07 Cyber Operations. Retrieved May 17, 2021. 

  11. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. 

  12. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.