In a recent report from Mandiant, a threat actor with activity dating back to at least 2015 was attributed to the intelligence wing of Iran’s Islamic Revolutionary Guard Corps (IRGC). This Iranian organization has the mandate to conduct cyber espionage operations against the domestic populace and foreign targets of interest. Victims of this threat actor span the globe and have been seen targeted in over 30 incidents in at least 14 unique countries. Through the group’s Techniques, Tactics, and Procedures (TTPs), APT42 has also been linked to APT35, which has also been attributed to the IRGC in the past and is known by other names such as Charming Kitten, Phosphorous, and Yellow Garuda among other names.
The primary goal of the group appears to be intelligence collection. Their activity typically starts with spear-phishing campaigns directed against prominent individuals (or those close to them). The group has also been seen deploying Android malware via smishing campaigns, which allow them to track the location of their victims, read their messages and record their phone calls, among various other actions. The TTPs used by the group vary depending on the intended target, with diversified messages and landing pages being seen to more effectively social engineer their victim. In some cases, the group engaged with their victim for as long as 37 days before directing them to the landing page.
One initial compromise was accomplished, the threat actor established a foothold via various surveillance tools and other forms of malware. The group’s primary focus is to establish persistence, move laterally, and perform reconnaissance. The group establishes persistence via the use of its malware, allowing the group to create scheduled tasks and modify the registry, delete sent emails, among other actions. The group will attempt to move laterally by using the compromised host/user to send phishing emails to others within the victim’s organization. Once spread laterally through an environment, the group browses and exfiltrates data such as SharePoint documents, victims’ contacts, as well as various other forms of data.