G1044 APT42
APT42 is an Iranian-sponsored threat group that conducts cyber espionage and surveillance.1 The group primarily focuses on targets in the Middle East region, but has targeted a variety of industries and countries since at least 2015.1 APT42 starts cyber operations through spearphishing emails and/or the PINEFLOWER Android malware, then monitors and collects information from the compromised systems and devices.1 Finally, APT42 exfiltrates data using native features and open-source tools.2
APT42 activities have been linked to Magic Hound by other commercial vendors. While there are behavior and software overlaps between Magic Hound and APT42, they appear to be distinct entities and are tracked as separate entities by their originating vendor.
| Item | Value |
|---|---|
| ID | G1044 |
| Associated Names | |
| Version | 1.0 |
| Created | 08 January 2025 |
| Last Modified | 08 March 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | APT42 has used the PowerShell-based POWERPOST script to collect local account names from the victim machine.1 |
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | APT42 has registered domains, several of which masqueraded as news outlets and login services, for use in operations.13 |
| enterprise | T1583.003 | Virtual Private Server | APT42 has used anonymized infrastructure and Virtual Private Servers (VPSs) to interact with the victim’s environment.12 |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | APT42 has used tools such as NICECURL with command and control communication taking place over HTTPS.2 |
| enterprise | T1547 | Boot or Logon Autostart Execution | APT42 has modified the Registry to maintain persistence.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | APT42 has downloaded and executed PowerShell payloads.1 |
| enterprise | T1059.005 | Visual Basic | APT42 has used a VBScript to query anti-virus products.2 |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | APT42 has used custom malware to steal credentials.1 |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | APT42 has encoded C2 traffic with Base64.2 |
| enterprise | T1530 | Data from Cloud Storage | APT42 has collected data from Microsoft 365 environments.21 |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | APT42 has used tools such as NICECURL with command and control communication taking place over HTTPS.2 |
| enterprise | T1585 | Establish Accounts | - |
| enterprise | T1585.002 | Email Accounts | APT42 has created email accounts to use in spearphishing operations.3 |
| enterprise | T1656 | Impersonation | APT42 has impersonated legitimate people in phishing emails to gain credentials.13 |
| enterprise | T1070 | Indicator Removal | APT42 has cleared Chrome browser history.2 |
| enterprise | T1070.008 | Clear Mailbox Data | APT42 has deleted login notification emails and has cleared the Sent folder to cover their tracks.1 |
| enterprise | T1056 | Input Capture | APT42 has used credential harvesting websites.2 |
| enterprise | T1056.001 | Keylogging | APT42 has used custom malware to log keystrokes.1 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | APT42 has masqueraded the VINETHORN payload as a VPN application.1 |
| enterprise | T1112 | Modify Registry | APT42 has modified Registry keys to maintain persistence.1 |
| enterprise | T1111 | Multi-Factor Authentication Interception | APT42 has intercepted SMS-based one-time passwords and has set up two-factor authentication.1 Additionally, APT42 has used cloned or fake websites to capture MFA tokens.2 |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | APT42 has used built-in features in the Microsoft 365 environment and publicly available tools to avoid detection.2 |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.002 | Spearphishing Link | APT42 has sent spearphishing emails containing malicious links.123 |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | APT42 has used scheduled tasks for persistence.1 |
| enterprise | T1113 | Screen Capture | APT42 has used malware, such as GHAMBAR and POWERPOST, to take screenshots.1 |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | APT42 has used Windows Management Instrumentation (WMI) to check for anti-virus products.2 |
| enterprise | T1608 | Stage Capabilities | - |
| enterprise | T1608.001 | Upload Malware | APT42 has used its infrastructure for C2 and for staging the VINETHORN payload, which masqueraded as a VPN application.1 |
| enterprise | T1539 | Steal Web Session Cookie | APT42 has used custom malware to steal login and cookie data from common browsers.1 |
| enterprise | T1082 | System Information Discovery | APT42 has used malware, such as GHAMBAR and POWERPOST, to collect system information.1 |
| enterprise | T1016 | System Network Configuration Discovery | APT42 has used malware, such as GHAMBAR and POWERPOST, to collect network information.1 |
| enterprise | T1102 | Web Service | APT42 has used various links, such as links with typo-squatted domains, links to Dropbox files and links to fake Google sites, in spearphishing operations.213 |
| enterprise | T1047 | Windows Management Instrumentation | APT42 has used Windows Management Instrumentation (WMI) to query anti-virus products.2 |
Software
References
-
Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran’s APT42 Operations. Retrieved October 9, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Google Threat Analysis Group. (2024, August 14). Iranian backed group steps up phishing campaigns against Israel, U.S.. Retrieved October 9, 2024. ↩↩↩↩↩