Group description: APT39

attack.mitre.org · MITRE ATT&CK · 1 day ago · threat-intel
APT39 (ITG07, Chafer, Remix Kitten), Group G0087

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS. [1] [2] [3] [4] [5]

ID: G0087
Associated Groups: ITG07, Chafer, Remix Kitten
Version: 3.2
Created: 19 February 2019
Last Modified: 11 April 2024

Associated Group Descriptions

| Name | Description |
|---|---|
| ITG07 | [3] [4] [5] |
| Chafer | Activities associated with APT39 largely align with a group publicly referred to as Chafer. [1] [2] [6] [3] [4] [5] |
| Remix Kitten | [7] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | APT39 has used HTTP in communications with C2. [8] [3] |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | APT39 has used remote access tools that leverage DNS in communications with C2. [8] |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | APT39 has used WinRAR and 7-Zip to compress and archive stolen data. [1] |
| Enterprise | T1197 | BITS Jobs | APT39 has used the BITS protocol to exfiltrate stolen data from a compromised host. [3] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | APT39 has maintained persistence using the startup folder. [1] |
| Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | APT39 has modified LNK shortcuts. [1] |
| Enterprise | T1110 | Brute Force | APT39 has used Ncrack to reveal credentials. [1] |
| Enterprise | T1115 | Clipboard Data | APT39 has used tools capable of stealing contents of the clipboard. [9] |
| Enterprise | T1059 | Command and Scripting Interpreter | APT39 has utilized custom scripts to perform internal reconnaissance. [1] [3] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | APT39 has used PowerShell to execute malicious code. [8] [9] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | APT39 has utilized malicious VBS scripts in malware. [3] |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | APT39 has used a command line utility and a network scanner written in Python. [8] [3] |
| Enterprise | T1059.010 | Command and Scripting Interpreter: AutoHotKey & AutoIT | APT39 has utilized AutoIt malware scripts embedded in Microsoft Office documents or malicious links. [3] |
| Enterprise | T1136.001 | Create Account: Local Account | APT39 has created accounts on multiple compromised hosts to perform actions within the network. [8] |
| Enterprise | T1555 | Credentials from Password Stores | APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords. [8] |
| Enterprise | T1005 | Data from Local System | APT39 has used various tools to steal files from the compromised host. [9] [3] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | APT39 has utilized tools to aggregate data prior to exfiltration. [3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | APT39 has used malware to decrypt encrypted CAB files. [3] |
| Enterprise | T1546.010 | Event Triggered Execution: AppInit DLLs | APT39 has used malware to set LoadAppInit_DLLs in the Registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows in order to establish persistence. [3] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | APT39 has exfiltrated stolen victim data through C2 communications. [3] |
| Enterprise | T1190 | Exploit Public-Facing Application | APT39 has used SQL injection for initial compromise. [9] |
| Enterprise | T1083 | File and Directory Discovery | APT39 has used tools with the ability to search for files on a compromised host. [3] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | APT39 has used malware to delete files after they are deployed on a compromised host. [3] |
| Enterprise | T1105 | Ingress Tool Transfer | APT39 has downloaded tools to compromised hosts. [9] [3] |
| Enterprise | T1056 | Input Capture | APT39 has utilized tools to capture mouse movements. [3] |
| Enterprise | T1056.001 | Input Capture: Keylogging | APT39 has used tools for capturing keystrokes. [9] [3] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking the legitimate McAfee file mfevtps.exe. [8] [3] |
| Enterprise | T1046 | Network Service Discovery | APT39 has used CrackMapExec and a custom port scanner known as BLUETORCH for network scanning. [1] [8] |
| Enterprise | T1135 | Network Share Discovery | APT39 has used the post-exploitation tool CrackMapExec to enumerate network shares. [8] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection. [1] [8] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | APT39 has used malware to drop encrypted CAB files. [3] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | APT39 has modified and used customized versions of publicly available tools like PLINK and Mimikatz. [8] [10] |
| Enterprise | T1003 | OS Credential Dumping | APT39 has used different versions of Mimikatz to obtain credentials. [8] |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials. [1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | APT39 leveraged spearphishing emails with malicious attachments to initially compromise victims. [1] [9] [3] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | APT39 leveraged spearphishing emails with malicious links to initially compromise victims. [1] [3] |
| Enterprise | T1090.001 | Proxy: Internal Proxy | APT39 used custom tools to create SOCKS5 and custom protocol proxies between infected hosts. [1] [8] |
| Enterprise | T1090.002 | Proxy: External Proxy | APT39 has used various tools to proxy C2 communications. [8] |
| Enterprise | T1012 | Query Registry | APT39 has used various strains of malware to query the Registry. [3] |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | APT39 has been seen using RDP for lateral movement and persistence, in some cases employing the rdpwinst tool for management of multiple sessions. [1] [8] |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | APT39 has used SMB for lateral movement. [9] |
| Enterprise | T1021.004 | Remote Services: SSH | APT39 used secure shell (SSH) to move laterally among their targets. [1] |
| Enterprise | T1018 | Remote System Discovery | APT39 has used NBTscan and custom tools to discover remote systems. [1] [8] [9] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | APT39 has created scheduled tasks for persistence. [1] [8] [3] |
| Enterprise | T1113 | Screen Capture | APT39 has used a screen capture utility to take screenshots on a compromised host. [9] [3] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | APT39 has installed ANTAK and ASPXSPY web shells. [1] |
| Enterprise | T1553.006 | Subvert Trust Controls: Code Signing Policy Modification | APT39 has used malware to turn off the RequireSigned feature which ensures only signed DLLs can be run on Windows. [3] |
| Enterprise | T1033 | System Owner/User Discovery | APT39 used Remexi to collect usernames from the system. [2] |
| Enterprise | T1569.002 | System Services: Service Execution | APT39 has used post-exploitation tools including RemCom and the Non-sucking Service Manager (NSSM) to execute processes. [8] [9] |
| Enterprise | T1204.001 | User Execution: Malicious Link | APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link. [1] [3] |
| Enterprise | T1204.002 | User Execution: Malicious File | APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment. [1] [8] [9] [3] |
| Enterprise | T1078 | Valid Accounts | APT39 has used stolen credentials to compromise Outlook Web Access (OWA). [1] |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | APT39 has communicated with C2 through files uploaded to and downloaded from Dropbox. [8] |

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0073 | ASPXSpy | [1] | Server Software Component: Web Shell |
| S0454 | Cadelspy | [2] | Application Window Discovery, Archive Collected Data, Audio Capture, Clipboard Data, Input Capture: Keylogging, Peripheral Device Discovery, Screen Capture, System Information Discovery |
| S0488 | CrackMapExec | [1] [8] | Account Discovery: Domain Account, Brute Force: Password Spraying, Brute Force: Password Guessing, Brute Force, Command and Scripting Interpreter: PowerShell, File and Directory Discovery, Local Storage Discovery, Modify Registry, Network Share Discovery, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, OS Credential Dumping: LSA Secrets, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, Scheduled Task/Job: At, System Network Configuration Discovery, System Network Connections Discovery, Use Alternate Authentication Material: Pass the Hash, Windows Management Instrumentation |
| S0095 | ftp | [3] | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer |
| S0459 | MechaFlounder | [11] | Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Python, Data Encoding: Standard Encoding, Exfiltration Over C2 Channel, Ingress Tool Transfer, Masquerading: Match Legitimate Resource Name or Location, System Owner/User Discovery |
| S0002 | Mimikatz | [1] [8] [6] [9] | Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket |
| S0590 | NBTscan | [1] | Network Service Discovery, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery |
| S0029 | PsExec | [1] [8] [9] | Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution |
| S0006 | pwdump | [9] | OS Credential Dumping: Security Account Manager |
| S0375 | Remexi | [2] [12] [9] | Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Winlogon Helper DLL, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, File and Directory Discovery, Input Capture: Keylogging, Obfuscated Files or Information: Encrypted/Encoded File, Scheduled Task/Job: Scheduled Task, Screen Capture, Windows Management Instrumentation |
| S0005 | Windows Credential Editor | [1] [6] | OS Credential Dumping: LSASS Memory |

References

1. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
2. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
3. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
4. Dept. of Treasury. (2020, September 17). Treasury Sanctions Cyber Actors Backed by Iranian Intelligence. Retrieved December 10, 2020.
5. DOJ. (2020, September 17). Department of Justice and Partner Departments and Agencies Conduct Coordinated Actions to Disrupt and Deter Iranian Malicious Cyber Activities Targeting the United States and the Broader International Community. Retrieved December 10, 2020.
6. Higgins, K. (2019, January 30). Iran Ups its Traditional Cyber Espionage Tradecraft. Retrieved May 22, 2020.
7. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
8. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
9. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
10. McMillen, D., Sperry, C. (2019, June 14). Observations of ITG07 Cyber Operations. Retrieved May 17, 2021.
11. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.
12. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
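Three of the entries above describe host artifacts a defender can check directly: the AppInit DLLs persistence (T1546.010, setting LoadAppInit_DLLs under SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows), the disabling of the "RequireSigned" feature (T1553.006), and the mfevtpse.exe file mimicking McAfee's mfevtps.exe (T1036.005). The following script is an added example written for this page; it is not code from MITRE ATT&CK or from any of the cited reports. It parses the text of a `reg export` dump and flags an AppInit key that loads a DLL, with higher severity when signature enforcement is off, and separately flags executable names that are one edit away from a known legitimate name. Assumptions: the "RequireSigned" feature is taken to be the RequireSignedAppInit_DLLs value under the same key (the page names only the feature, not the value), the registry dump and the allowlist of legitimate names are constructed for the example, and only the subset of .reg syntax shown is parsed.

```python
"""Checks for APT39 AppInit-DLL persistence and near-miss file names.
Added example; input is constructed, not taken from a real victim host."""
import re
from typing import Dict, List, Tuple

# Constructed sample of a `reg export` of the two AppInit keys (not a real dump).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\ProgramData\\update\\mfevtpse.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000
"RequireSignedAppInit_DLLs"=dword:00000001
"""

# Native and WOW64 views of the key named in the T1546.010 entry.
APPINIT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)

# Constructed allowlist; in practice derive it from a gold image or vendor hashes.
LEGIT_NAMES = {"mfevtps.exe", "firefox.exe"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse [key] headers plus "name"="string" and "name"=dword:hex lines.
    Returns {key_path: {value_name: int_or_str}}; other lines are ignored."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            keys[current] = {}
            continue
        value = re.fullmatch(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")', line)
        if value and current is not None:
            name, dword, string = value.groups()
            # .reg files escape backslashes in string data as "\\".
            keys[current][name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return keys


def appinit_findings(text: str) -> List[Tuple[str, str]]:
    """Flag each AppInit key where loading is on and a DLL is configured.
    Severity is raised when RequireSignedAppInit_DLLs (assumed value name) is 0."""
    findings: List[Tuple[str, str]] = []
    keys = parse_reg_export(text)
    for key in APPINIT_KEYS:
        values = keys.get(key, {})
        load = values.get("LoadAppInit_DLLs", 0)
        dlls = values.get("AppInit_DLLs", "")
        require_signed = values.get("RequireSignedAppInit_DLLs", 1)
        if load == 1 and dlls:
            if require_signed == 0:
                findings.append((key, f"unsigned AppInit DLL allowed: {dlls}"))
            else:
                findings.append((key, f"AppInit DLL configured: {dlls}"))
    return findings


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character name mimicry."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_miss_names(observed: List[str]) -> List[Tuple[str, str]]:
    """Return (observed_path, legitimate_name) for basenames that are exactly
    one edit away from an allowlisted name, e.g. mfevtpse.exe vs mfevtps.exe."""
    hits: List[Tuple[str, str]] = []
    for path in observed:
        base = path.lower().rsplit("\\", 1)[-1]
        for legit in LEGIT_NAMES:
            if base != legit and edit_distance(base, legit) == 1:
                hits.append((path, legit))
    return hits


if __name__ == "__main__":
    for key, msg in appinit_findings(SAMPLE_REG_EXPORT):
        print(f"[AppInit] {key}: {msg}")
    observed = [r"C:\Windows\Temp\mfevtpse.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"]
    for path, legit in near_miss_names(observed):
        print(f"[Masquerade] {path} resembles {legit}")
```

On a live host the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" appinit.reg` (and the WOW6432Node path); `reg export` writes UTF-16 by default, so open the file with `encoding="utf-16"` before passing its text to `appinit_findings`. The name check is deliberately narrow (distance exactly 1 against a short allowlist) so that it surfaces the kind of near-miss the page describes without flooding on unrelated binaries.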