Iranian APTs: An Overview

APT 34

Also known as OilRig, Helix Kitten, GreenBug, IRN2

First active: 2014

Last observed: 2021

Malware

• ZEROCLEARE
• DNSPIONAGE
• PICKPOCKET
• VALUEVAULT
• LONGWATCH

Initial attack vector

• Social Engineering, Social Media Phishing, Spearphishing
  • Academia-themed conversations
  • Malicious document (.doc) delivery
  • Using LinkedIn messaging to send malicious links
  • Use of various social media platforms for the above
• Other tools & methods
  • DNS tunneling
  • Powershell
  • HTTP GET and POST requests
  • Open SSH tunnel for remote RDP
  • Mimikatz
  • Microsoft Office vulnerability abuse
  • Steganography
  • DNS-over-HTTPS
• Common vulnerabilities & exploits (CVEs)
  • CVE-2017-11882
  • CVE-2017-0199
  • CVE-2017-11774

Additional information

• Goal: Strategic/cyber espionage
• Countries targeted:
  • Middle East (in particular: Lebanon, UAE)
• Further reading:
  • https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/
  • https://attack.mitre.org/groups/G0049/
  • https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/

APT 35

Also known as Newscaster, Rocket Kitten, Phosphorus, Charming Kitten, Saffron Rose

First active: 2014

Last observed: 2022

Ransomware use

• Momento
• Bitlocker

Malware

• PowerLess
• HAVIJ

Initial attack vector

• Social Engineering, Social Media Phishing, Spearphishing
  • Password Recovery Impersonation
  • SMS Spearphishing
  • Use of various social media platforms for the above
• Other tools & methods:
  • Two-Factor Authentication Defeat
  • Keylogging
  • Mimikatz
  • Microsoft Office vulnerability abuse
  • IP logging
  • Ransomware

Additional information

• Goal: Strategic espionage
• Countries targeted:
  • U.S.
  • Saudi Arabia
  • Other Middle Eastern countries 
• Industries/groups targeted:
  • Military
  • Government
  • Media
  • Energy
  • Defense Industrial Base
  • Engineering
  • Telecommunications
  • Dissidents
• Further reading:
  • https://attack.mitre.org/groups/G0059/
  • https://noticeofpleadings.com/phosphorus/files/Complaint.pdf
  • https://www.clearskysec.com/the-kittens-are-back-in-town-2/
  • https://www.bleepingcomputer.com/news/security/microsoft-retaliates-against-apt35-hacker-group-by-seizing-99-domains/

APT 39

Also known as Chafer, Remix Kitten

First active: 2014

Last observed: 2020

Malware

• BITS 1.0 and 2.0
• VBS
• Autolt
• SEAWEED
• CACHEMONEY
• POWBAT

Initial attack vector

• Spearphishing
  • Malicious attachments
  • URLs infected with POWBAT
  • Use of various social media platforms for the above
• Other tools & methods:
  • Run the front company Rana
  • Vulnerable web servers
  • Custom backdoors
  • Mimikatz
  • SQL injections
• RDP, SSH, data compression before exfiltration

Additional information

• Goal: Theft of personal information to support Iranian priorities such as monitoring and tracking of individuals/dissidents
• Countries targeted:
  • Middle East & Persian Gulf
  • Spain
  • U.S.
  • Australia
• Industries targeted:
  • Telecommunications
  • Travel industries
• Further reading
  • https://www.securityweek.com/us-imposes-sanctions-apt39-iranian-hackers
  • https://blogs.infoblox.com/cyber-threat-intelligence/apt39-malicious-activity-and-tools/
  • https://attack.mitre.org/groups/G0087/
  • https://securityaffairs.co/wordpress/80450/apt/iran-apt39-cyberespionage.html
  • https://malpedia.caad.fkie.fraunhofer.de/actor/apt39

Rampant Kitten

First active: 2014

Last observed: 2020

Malware  

• Information stealing variants, primarily targeting KeePass and Telegram accounts of intended victims
• Dharma ransomware

Initial attack vector

• Employ information stealers to target credentials, personal documents, SMS, and Telegram messages
  • An Android backdoor extracts two-factor authentication codes
  • Phishing pages masquerading as distributors of fake accounts
  • Bypassing two- and multi-factor authentication
• Other tools/methods: VPN exploitation
• CVEs 
  • CVE-2019-11510
  • CVE-2019-19781
  • CVE-2020-5902

Additional information

• Goals:
  • Espionage
  • Target and expose/dox dissidents/Iranian minorities
  • Financial gain
• Countries targeted:
  • Russia 
  • Japan
  • China
  • India
  • Israel
  • North America
• Industries targeted:
  • Government
  • Technology
  • Defense
• Further reading:
  • https://us-cert.cisa.gov/ncas/alerts/aa20-259a

Pioneer Kitten

Also known as Fox Kitten, PARISITE, UNC757

First active: 2017

Last observed: 2020

Initial attack vector

• Exploits unpatched vulnerabilities
• Webshells
• SSH Tunneling
  • VPN Exploitation
• Other tools/methods: Sells access to compromised systems and networks
• CVEs 
  • CVE-2018-13379
  • CVE-2019-11510
  • CVE-2019-19781
  • CVE-2020-5902

Additional information

• Goals:
  • Espionage
  • Financial gain
• Countries targeted:
  • Israel
  • North America
  • Middle East
• Industries targeted:
  • Healthcare
  • Government
  • Technology
  • Defense
• Further reading:
  • https://www.crowdstrike.com/blog/who-is-pioneer-kitten/

Static Kitten

Also known as MUDDYWATER, Seedworm

First active: 2017

Last observed: 2021

Malware 

• POWERSTATS powershell trojan
• PowGoop

Initial attack vector

• Spearphishing
  • Malicious document and file (.doc, .zip) delivery
  • Malicious use of common open-source tools
• Other tools/methods: Powershell scripts, ScreenConnect, RemoteUtilities, custom backdoors, lateral movement within networks
• CVEs 
  • CVE-2020-1472

Additional information

• Goals:
  • Espionage
  • Data and document theft and exfiltration
• Regions/countries targeted:
  • Israel
  • Middle East
• Industries targeted:
  • Government
  • Tourism
  • Telecom
• Further reading:
  • https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html
  • https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east