Iranian Backed APT Group APT39: Chafer
APT39 is an APT group that is especially after the sensitive personal data of employees of anti-Iranian institutions. It is also known by names such as Chafer, REMIX KITTEN and COBALT HICKMAN. The group, which carries out cyber espionage activities in the interests of Iran, has also targeted Turkey before. It is considered that APT39 used the Python payload called MechaFlounder in its attack against Turkey.
Who is APT39?
APT39 differs from other threat groups in that it focuses on capturing the personal information of corporate personnel. Cobalt Hickman (APT39), a highly sophisticated threat actor, acts in Iranian interests and focuses mainly on data collection. In keeping with its pro-Iran stance, it collects data on companies in its target sectors. It uses the personal data it collects as additional access vectors in its current operation or as a potential tool in a future attack.
Which Countries Support APT39?
Chafer, as its nickname suggests, is an Iranian-backed APT group. It has been actively carrying out operations since 2014, displaying a pro-Iran stance. The most striking and distinctive feature of the group is that it focuses on personal information, as mentioned in the "Who is APT39?" section.
In particular, the group targets individuals and institutions that pose a danger to Iran or that hold personal information that could be valuable if captured.
What are APT39's Target Sectors?
Although APT39 has global targets, it is particularly focused on the Middle East. The group, which attacks in line with Iran's interests in the Middle East, particularly targets the following sectors:
- Travel industry and IT companies serving this industry
- Telecommunications companies
- Advanced technology industry
What Malware Does APT39 Use?
APT39 uses various backdoors as well as tools and software that were developed for other purposes and are used by security experts. The group uses malware with different features to ensure persistence in the target system or to jump from one system to another. Specifically, the malware named together with APT39 is various variants of the POWBAT backdoor and the backdoors called SEAWEED and CACHEMONEY.
The malware used in different stages of the attacks carried out by APT39 is listed below.
- ASPXSpy: It is used to ensure persistence on the infiltrated server.
- Cadelspy: It is mostly used in the information gathering stage after infiltrating the target system. It has features such as keylogging, microphone listening, capturing copied clipboard data, and learning the devices and components connected to the infiltrated system.
- CrackMapExec: It was used to detect existing domain users on the local network and to perform brute force attacks. It has features such as capturing user information (via SAM), listing the network configuration and other systems on the network.
- MechaFlounder: It is used to run commands on the infiltrated system and transmit the captured data to the command and control (C2 - Command and Control) server.
- Mimikatz: It has been used to extract user account information from memory, to obtain unauthorized access by manipulating this information, and to obtain previously used usernames and passwords from the cache of web browsers.
- PsExec: It was used to run commands on the infiltrated system, access SMB shares, and transfer the tools used or planned to be used in the attack during lateral movement.
- pwdump: Like CrackMapExec, it was used to capture user account information from the SAM file.
- Remexi: It has been used for purposes such as accessing network traffic, detecting applications running on the system, and running Windows commands. In addition, Remexi is also used for keylogging, instant screenshots, and file and directory discovery.
What Are the Attack Vectors Used by APT39?
Like every APT group, APT39 uses similar vectors when attacking its targets. The attack vectors used constitute the characteristic features of APT39. The attack vectors commonly used in cyber attacks carried out by Chafer to date are given in the table below.
TACTIC NAME | TECHNIQUE ID | EXPLANATION |
---|---|---|
Initial Access | T1190 | It sent requests that could cause errors to systems that receive data from the Internet and tried to cause confusion in the system. |
 | T1566.001 | It infiltrated the target system by using personalized e-mail messages containing malicious attachments (spearphishing). |
 | T1566.002 | It carried out phishing attacks using e-mail messages containing malicious files as well as messages containing malicious links. |
 | T1078 | It used the credentials of existing victim users, such as username and password, to gain access to the system. |
Execution | T1059 | It used special scripts created to reconnoitre the internal network. |
 | T1059.001 | It used PowerShell to run malicious code. |
 | T1059.006 | It used tools specially developed with Python that scan the network. |
 | T1053.003 | Timed task commands were used to ensure persistence. |
 | T1569.002 | It used system services to run tools such as RemCom, which is used to run remote commands. |
 | T1024.001 | It used malicious links to perform spearphishing. |
 | T1024.002 | It used malicious files to perform spearphishing. |
Persistence | T1547.001 | After APT39 infiltrated the system, it added its malicious process, which allows it to run commands, to the "startup" folder, enabling it to run every time the system is started. |
 | T1547.009 | It created new shortcuts, or edited existing ones, that were configured with the service added to the startup folder. |
 | T1136.001 | Local user accounts were created to enable lateral movement across the network and ensure persistence. |
 | T1053 | It used scheduled tasks to ensure persistence. |
 | T1505.003 | The group preferred the ANTAK and ASPXSPY webshells. |
 | T1078 | The group used the captured Outlook accounts for different purposes. |
Privilege Escalation | T1047.001 | The group added programs or services that enable privilege escalation to the startup folder. |
 | T1547.009 | Shortcuts were modified to escalate privileges. |
 | T1078 | Privilege escalation was carried out by logging into the accounts of users with high rights. |
Defense Evasion | T1036.005 | To bypass defense mechanisms and communicate with the command and control server, the APT group imitated mfevtps.exe, a legitimate McAfee file. |
 | T1027.002 | Remix Kitten packed a modified version of Mimikatz using an obfuscation technique, thereby bypassing anti-virus systems. |
 | T1078 | In order to bypass the defense mechanisms, it took over the accounts of legitimate users who were registered in the system and were not detected as anomalies. |
Credential Access | T1110 | The group used the tool called Ncrack to obtain credentials. |
 | T1556 | It used tools that can read clipboard data (the area where copy-paste data is kept) to obtain user passwords. |
 | T1056.001 | It used tools that could detect keyboard input to capture user information. |
 | T1003 | The APT group used a modified version of Mimikatz to capture user data. |
 | T1003.001 | In addition to Mimikatz, the group also used tools such as Windows Credential Editor and ProcDump to obtain credentials from LSASS memory. |
Discovery | T1046 | It used CrackMapExec and a special tool called BLUETORCH to perform network scanning. |
 | T1135 | APT39 leveraged CrackMapExec to detect network shares. |
 | T1018 | The group used a special tool called nbtscan to detect other remote systems. |
 | T1033 | It used a tool called remix to detect existing users in the system. |
Lateral Movement | T1021.001 | The APT group used the RDP service to move laterally and maintain persistence in the systems. In some cases, the session management tool called rdpwinst has been observed. |
 | T1021.002 | It used SMB for lateral movement. |
 | T1021.004 | It used SSH to move between its targets. |
Collection | T1560.001 | The group archived the captured data using WinRAR and 7-Zip to transfer it easily. |
 | T1115 | Various tools have been used to capture clipboard data. |
 | T1005 | The group used a special tool to steal files from the infiltrated system. |
 | T1056.001 | It used tools that can detect keyboard input to collect data. |
 | T1113 | APT39 used screenshot functionality to take a snapshot of the infiltrated system. |
Command and Control | T1071.001 | The APT group used the HTTP protocol to communicate with the command and control server. |
 | T1071.004 | The APT group used DNS to communicate with the command and control server. |
 | T1105 | In order to move freely in the infiltrated system and steal data, special tools were downloaded to the target system using the C2 server. |
 | T1090.001 | APT39 used a SOCKS5 proxy and a specially developed proxy to move between compromised systems. |
 | T1090.002 | It used various proxies to communicate with the C2 server. |
 | T1102.002 | APT39 also used files uploaded to Dropbox to communicate with C2. |
IOC Information for APT39
Information about the malware belonging to APT39, URL addresses, IP addresses and more is provided below.
Attack Against Turkey with MechaFlounder
It was determined that a Python-based payload called MechaFlounder was used in the attack carried out by APT39 on turkiyebursları.gov[.]tr in February 2018. In this attack, Chafer downloaded an executable file from the IP address 185.177.59[.]70.
Malicious activities were carried out by running the file called "lsass.exe", which was downloaded via an HTTP request from win10-update[.]com.
In summary:
- Malicious IP Address: 185.177.59[.]70
- Malicious Domain: win10-update[.]com
- MechaFlounder Payload (SHA256) Hash: 0282b7705f13f9d9811b722f8d7ef8fef907bee2ef00bf8ec89df5e7d96d81ff
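The download described above (a file named lsass.exe fetched over HTTP from a lookalike update domain) can be hunted for in web-proxy logs. The following is an added example, not code from the original page: the space-separated log format, the function names, the list of system binaries and the sample log lines are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Indicators as printed on this page (defanged). win7-update[.]com is the parent
# of the s224./s21./... hosts listed under "Domain Information".
DEFANGED_IOCS = ["185.177.59[.]70", "win10-update[.]com", "win7-update[.]com"]
# Assumption: a short list of Windows process names that should never be downloaded.
SYSTEM_BINARIES = {"lsass.exe", "svchost.exe", "services.exe", "csrss.exe"}

def refang(indicator):
    """Convert a defanged indicator (a[.]b) to the form seen in real logs."""
    return indicator.replace("[.]", ".").lower()

IOCS = {refang(i) for i in DEFANGED_IOCS}

def host_matches_ioc(host):
    """True on an exact match or when host is a subdomain of a listed domain."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOCS)

def triage(log_line):
    """Return the reasons a proxy log line is suspicious (empty list if none).
    Assumed format: '<timestamp> <client_ip> <METHOD> <url> <status>'."""
    parts = log_line.split()
    if len(parts) < 5:
        return []
    try:
        url = urlsplit(parts[3])
        host = url.hostname or ""
    except ValueError:  # malformed URL in the log: nothing to match on
        return []
    filename = url.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if host_matches_ioc(host):
        reasons.append("ioc-host")
    if filename in SYSTEM_BINARIES:  # masquerading as a Windows process name
        reasons.append("system-binary-download")
    if url.scheme == "http" and filename.endswith(".exe"):
        reasons.append("exe-over-cleartext-http")
    return reasons

# Constructed proxy log lines (not real traffic); hosts are refanged at run time.
SAMPLE_LOG = [
    f"2018-02-01T09:14:03Z 10.0.4.17 GET http://{refang('win10-update[.]com')}/update/lsass.exe 200",
    f"2018-02-01T09:15:40Z 10.0.4.17 GET http://{refang('185.177.59[.]70')}/index.html 200",
    "2018-02-01T09:16:02Z 10.0.4.22 GET https://download.example.org/tools/setup.exe 200",
    f"2018-02-01T09:17:55Z 10.0.4.31 GET http://s21.{refang('win7-update[.]com')}/check 404",
    "2018-02-01T09:18:10Z 10.0.4.40 GET http://cdn.example.net/files/svchost.exe 200",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(triage(line), line)
```

The last sample line shows why the filename rule is kept separate from the indicator list: it flags a system-binary download from a host that is not on any list.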
System Activities and AV Alerts That May Be Related to APT39
Symantec names the malicious system activities and software it associates with Chafer as follows:
- Backdoor.Remexi Activity
- Backdoor.Cadelspy Activity 2
- Backdoor.Cadelspy
- Backdoor.Remexi
- Backdoor.Remexi.B
Domain Information Related to APT39
- s224.win7-update[.]com
- s5060.win7-update[.]com
- s21.win7-update[.]com
- wsus65432.win7-update[.]com
IP Addresses Associated with APT39
Malicious File Information Related to APT39
File Type | File name | MD5 Hash |
---|---|---|
Fake Microsoft installer | Windows-KB3101246.exe | 804460a4934947b5131ca79d9bd668cf |
PowerShell script | dntx.ps1 | 5cc9ba617a8c53ae7c5cc4d23aced59d |
PowerShell script | dnip.ps1 | 8132c61c0689dbcadf67b777f6acc9d9 |
PowerShell script | nsExec.dl | b38561661a7164e3bbb04edc3718fe89 |
Autoit script | app.au3 | 263bc6861355553d7ff1e3848d661fb8 |