Security company FireEye says it has identified an Iranian cyber espionage group which is responsible for widespread theft of personal information. These hackers have been found to be targeting telecoms operators, as well as travel companies and IT companies in the Middle East.
FireEye reports that it has been tracking activity linked to this group since November 2014 and found that its focus on personal information theft sets it apart from other Iranian hacking groups. The security company has reported that the group’s widespread theft of personal information is likely used to support monitoring, tracking, or surveillance operations that serve Iran’s national priorities.
According to FireEye, APT39’s focus on the telecommunications and travel industries suggests intent to perform monitoring, tracking, or surveillance operations against specific individuals, collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities, or create additional accesses and vectors to facilitate future campaigns.
“Government entities targeting suggests a potential secondary intent to collect geopolitical data that may benefit nation-state decision making. Targeting data supports the belief that APT39’s key mission is to track or monitor targets of interest, collect personal information, including travel itineraries, and gather customer data from telecommunications firms,” the security firm added in a statement.
The APT39 uses a variety of custom and publicly available malware and tools at all stages of the attack lifecycle. It leverages spear phishing emails with malicious attachments and/or hyperlinks typically resulting in a POWBAT infection and then uses domains that masquerade as legitimate web services and organizations that are relevant to the intended target. Furthermore, this group has routinely identified and exploited vulnerable web servers of targeted organizations to install web shells, such as ANTAK and ASPXSPY, and used stolen legitimate credentials to compromise externally facing Outlook Web Access (OWA) resources.
Post-compromise, APT39 leverages custom backdoors such as SEAWEED, CACHEMONEY, and a unique variant of POWBAT to establish a foothold in a target environment. During privilege escalation, freely available tools such as Mimikatz and Ncrack have been observed, in addition to legitimate tools such as Windows Credential Editor and ProcDump. Internal reconnaissance has been performed using custom scripts and both freely available and custom tools such as the port scanner, BLUETORCH.
APT39 facilitates lateral movement through myriad tools such as Remote Desktop Protocol (RDP), Secure Shell (SSH), PsExec, RemCom, and xCmdSvc. Custom tools such as REDTRIP, PINKTRIP, and BLUETRIP have also been used to create SOCKS5 proxies between infected hosts. In addition to using RDP for lateral movement, APT39 has used this protocol to maintain persistence in a victim environment. To complete its mission, APT39 typically archives stolen data with compression tools such as WinRAR or 7-Zip.
