Untangling Iran's APT42 Operations

May 3, 2024, 10:49 a.m.

Description

APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. The actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services and activists.

Date

  • Created: May 3, 2024, 9:36 a.m.
  • Published: May 3, 2024, 9:36 a.m.
  • Modified: May 3, 2024, 10:49 a.m.

Indicators

  • M_APT_Downloader_TAMECAT_NICECURL_VBScript_1
  • M_APT_Backdoor_TAMECAT
  • M_APT_Backdoor_TAMECAT_2
  • M_APT_Backdoor_NICECURL_datamine_module_1
  • M_APT_Backdoor_NICECURL_1
  • 07384ab4488ea795affc923851e00ebc2ead3f01b57be6bf8358d7659e9ee407
  • https://youtransfer.live/
  • https://s3.tebi.io/icestorage/df32s.txt
  • https://s3.tebi.io/icestorage/config/nconf.txt
  • https://email-daemon.online/
  • https://bitly.org.il/J03p4y3r
  • https://bitly.org.il/
  • http://tnt200.mywire.org/Do1
  • http://onmicrosofl.com/accountID=
  • tnt200.mywire.org
  • s3.tebi.io
  • review.modification-check.online
  • email-daemon.online.tinurls.com
  • email-daemon.biz.tinurls.com
  • youronlineregister.com
  • youtransfer.live
  • ynetnews.press
  • we-transfer.shop
  • washinqtonpost.press
  • washingtonlnstitute.org
  • virtue-regular-ready.online
  • viewtop.online
  • viewstand.online
  • view-total-step.online
  • view-pool-cope.online
  • view-panel.live
  • view-cope-flow.online
  • verify-person-entry.top
  • vanityfaire.org
  • ushrt.us
  • twision.top
  • tonpost.press
  • title-flow-store.online
  • timesfisrael.com
  • tcvision.online
  • themedealine.org
  • sweet-pinnacle-readily.online
  • support-account.xyz
  • stellar-roar-right.buzz
  • status-short.live
  • simple-process-static.top
  • signin-myaccounts.com
  • signin-mails.com
  • signin-mail.com
  • signin-accounts.com
  • signin-acconut.com
  • shoting-urls.live
  • shortulonline.live
  • shortlinkview.live
  • shortingurling.live
  • shorting-ce.live
  • shortenurl.online
  • short-view.online
  • short-url.live
  • revive-project-live.online
  • recognize-validation.online
  • reconsider.site
  • quomodocunquize.site
  • pannel-get-data.us
  • panels-views-ckeck.live
  • paneling-viewing.live
  • panel-views-cheking.live
  • panelchecking.live
  • panel-view.online
  • panel-view.live
  • panel-view-short.online
  • panel-short-check.live
  • panel-live-check.online
  • panel-check-short.live
  • ovcloud.online
  • onmicrosofl.com
  • online-video-services.site
  • online-processing.online
  • online-access.live
  • nterview.site
  • myaccount-signin.com
  • mterview.site
  • meeting-online.site
  • mccainlnstitute.org
  • mailerdaemon.online
  • mailer-daemon.us
  • mailer-daemon.info
  • mail-roundcube.site
  • maariv.net
  • loriginal.online
  • live-projects-online.top
  • live-project-online.live
  • litby.us
  • last-check-leave.buzz
  • ksview.top
  • khalejtimes.org
  • khaleejtimes.org
  • jpostpress.com
  • jpost.press
  • israelhayum.com
  • join-paneling.online
  • indication-service.online
  • identifier-direction.site
  • honest-halcyon-fresher.buzz
  • home-proceed.online
  • home-continue.online
  • gview.site
  • go-forward.quest
  • go-conversation.lol
  • glory-uplift-vouch.online
  • geaviews.site
  • g-online.org
  • fortune-retire-home.top
  • forieqnaffairs.com
  • foreiqnaffairs.org
  • foreiqnaffairs.com
  • eocnomist.com
  • endorsement-services.online
  • email-daemon.site
  • email-daemon.online
  • ecomonist.org
  • email-daemon.biz
  • drive-file-share.site
  • drive-access.site
  • dloffice.top
  • dloffice.buzz
  • daemon-mailer.info
  • cvisiion.online
  • daemon-mailer.co
  • coordinate.icu
  • continue-meeting.site
  • continue-recognized.online
  • connection-view.online
  • confirmation-process.top
  • check-short-panel.live
  • check-panel-status.live
  • check-pabnel-status.live
  • check-online-panel.live
  • chat-services.online
  • businesslnsider.org
  • briview.online
  • bq-ledmagic.online
  • book-download.shop
  • bloom-flatter-affably.top
  • bitly.org.il
  • besvision.top
  • beaviews.online
  • azadlliq.info
  • avid-striking-eagerness.online
  • aspenlnstitute.org
  • affect-fist-ton.online
  • advission.online
  • admit-roar-frame.top
  • admiscion.online
  • activity-permission.online
  • admin-stable-right.top
  • accredit-validity.online
  • accounts-mails.com
  • account-signin.com
  • acconut-signin.com
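The indicators above are only useful once they are run against telemetry. The following script is an added example, not code from the original page or from the report's author: it takes a subset of the URL, domain and SHA-256 indicators listed above and matches them against constructed proxy/EDR log lines in an assumed space-separated key=value format. Two details matter in practice and are handled here: s3.tebi.io is a shared object-storage endpoint, so it is matched only through the two full URLs rather than as a bare domain, and email-daemon.online.tinurls.com sits under tinurls.com rather than under email-daemon.online, so suffix matching on the shorter indicator would never catch it.

```python
"""Check proxy/EDR log lines against the APT42 network and file indicators listed above."""
import re
from urllib.parse import urlsplit

# Indicators copied from the list above (a subset, enough to exercise every match type).
IOC_URLS = [
    "https://youtransfer.live/",
    "https://s3.tebi.io/icestorage/df32s.txt",
    "https://s3.tebi.io/icestorage/config/nconf.txt",
    "https://email-daemon.online/",
    "https://bitly.org.il/J03p4y3r",
    "http://tnt200.mywire.org/Do1",
    "http://onmicrosofl.com/accountID=",
]
# Domains match the observed host itself or any subdomain of it.
# s3.tebi.io is listed on the page but is a shared object-storage endpoint, so it is
# deliberately matched only through the two full URLs above, not as a bare domain.
# email-daemon.online.tinurls.com is NOT a subdomain of email-daemon.online (it sits
# under tinurls.com), so it needs its own entry; suffix matching alone would miss it.
IOC_DOMAINS = [
    "tnt200.mywire.org",
    "email-daemon.online",
    "email-daemon.online.tinurls.com",
    "bitly.org.il",
    "onmicrosofl.com",
    "washinqtonpost.press",
    "signin-acconut.com",
]
IOC_SHA256 = {"07384ab4488ea795affc923851e00ebc2ead3f01b57be6bf8358d7659e9ee407"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value" (assumed log format)


def parse_line(line):
    """Split a space-separated key=value log line into a dict."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def host_of(value):
    """Lower-cased host of a URL or bare hostname, without port or trailing dot."""
    if "://" not in value:
        value = "//" + value  # make urlsplit treat a bare hostname as the netloc
    return (urlsplit(value).hostname or "").rstrip(".").lower()


def domain_matches(host, ioc_domain):
    """True when host is the IOC domain or a subdomain of it (label-boundary safe)."""
    host, ioc_domain = host.lower(), ioc_domain.lower()
    return host == ioc_domain or host.endswith("." + ioc_domain)


def match_line(line):
    """Return [(indicator, match_type), ...] for one log line; empty list if clean."""
    fields = parse_line(line)
    hits = []
    url = fields.get("url", "")
    if url:
        # Full-URL indicators are matched as prefixes, so the trailing "accountID="
        # token of the onmicrosofl.com indicator still matches once a value is appended.
        hits += [(ioc, "url-prefix") for ioc in IOC_URLS if url.lower().startswith(ioc.lower())]
    raw_host = fields.get("dst_host") or url
    host = host_of(raw_host) if raw_host else ""
    if host:
        hits += [(d, "domain") for d in IOC_DOMAINS if domain_matches(host, d)]
    sha = fields.get("sha256", "").lower()
    if sha in IOC_SHA256:
        hits.append((sha, "sha256"))
    return hits


def scan(lines):
    """Map line index -> hits for every line that touched at least one indicator."""
    return {i: h for i, line in enumerate(lines) if (h := match_line(line))}


# Constructed sample log (not real traffic): a user following a shortened phishing link,
# the onmicrosofl.com credential page, an unrelated tebi.io download, the config fetch
# from the icestorage bucket, and a file write matching the listed SHA-256.
SAMPLE_LOG = [
    "2024-05-02T08:11:03Z src=10.20.0.14 dst_host=mail.google.com url=https://mail.google.com/mail/u/0/",
    "2024-05-02T08:14:27Z src=10.20.0.14 dst_host=bitly.org.il url=https://bitly.org.il/J03p4y3r",
    "2024-05-02T08:14:29Z src=10.20.0.14 dst_host=email-daemon.online.tinurls.com url=https://email-daemon.online.tinurls.com/login",
    "2024-05-02T08:15:02Z src=10.20.0.14 dst_host=onmicrosofl.com url=http://onmicrosofl.com/accountID=4f2a",
    "2024-05-02T08:16:40Z src=10.20.0.31 dst_host=s3.tebi.io url=https://s3.tebi.io/other-tenant/photo.jpg",
    "2024-05-02T08:17:11Z src=10.20.0.14 dst_host=s3.tebi.io url=https://s3.tebi.io/icestorage/config/nconf.txt",
    "2024-05-02T08:20:55Z host=WS-014 event=file_write path=C:\\Users\\a\\AppData\\Local\\Temp\\x.vbs sha256=07384ab4488ea795affc923851e00ebc2ead3f01b57be6bf8358d7659e9ee407",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(f"line {idx}: " + "; ".join(f"{kind} {ioc}" for ioc, kind in hits))
```

On the sample, lines 1, 2, 3, 5 and 6 fire and the unrelated tebi.io download on line 4 stays quiet. When hunting beyond the listed indicators, note that most of the domains above are lookalikes of news outlets and think tanks built from a single substitution (q for g in washinqtonpost, lowercase l for I in aspenlnstitute) or a transposition (acconut, timesfisrael); a watchlist of your own brands and the organisations you deal with, checked against newly registered domains, catches the next batch before it appears in a report.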

Attack Patterns

  • TAMECAT (backdoor)
  • NICECURL (backdoor)
  • APT42 (threat actor)
  • T1598 Phishing for Information
  • T1027 Obfuscated Files and Information
  • T1566 Phishing
  • T1190 Exploit Public-Facing Application
  • T1003 OS Credential Dumping
  • T1059 Command and Scripting Interpreter

Additional Information

  • NGO
  • Government
  • Israel