APT39

Introduction

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS. FireEye APT39 Jan 2019 Symantec Chafer Dec 2015 FBI FLASH APT39 September 2020 Dept. of Treasury Iran Sanctions September 2020 DOJ Iran Indictments September 2020

Activities and Tactics

Country of Origin: 🇮🇷 Iran

Risk Level: High

First Seen: 2019

Last Activity: 2019

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

• T1046 Network Service Discovery
• T1547.001 Registry Run Keys / Startup Folder
• T1090.002 External Proxy
• T1140 Deobfuscate/Decode Files or Information
• T1056.001 Keylogging
• T1005 Data from Local System
• T1059.001 PowerShell
• T1115 Clipboard Data
• T1003 OS Credential Dumping
• T1553.006 Code Signing Policy Modification
• T1546.010 AppInit DLLs
• T1547.009 Shortcut Modification
• T1135 Network Share Discovery
• T1569.002 Service Execution
• T1027.013 Encrypted/Encoded File
• T1588.002 Tool
• T1021.001 Remote Desktop Protocol
• T1033 System Owner/User Discovery
• T1027.002 Software Packing
• T1041 Exfiltration Over C2 Channel
• T1204.002 Malicious File
• T1053.005 Scheduled Task
• T1070.004 File Deletion
• T1102.002 Bidirectional Communication
• T1560.001 Archive via Utility
• T1505.003 Web Shell
• T1105 Ingress Tool Transfer
• T1059.010 AutoHotKey & AutoIT
• T1204.001 Malicious Link
• T1555 Credentials from Password Stores
• T1113 Screen Capture
• T1003.001 LSASS Memory
• T1018 Remote System Discovery
• T1071.004 DNS
• T1059 Command and Scripting Interpreter
• T1074.001 Local Data Staging
• T1083 File and Directory Discovery
• T1012 Query Registry
• T1110 Brute Force
• T1197 BITS Jobs
• T1136.001 Local Account
• T1059.006 Python
• T1036.005 Match Legitimate Resource Name or Location
• T1071.001 Web Protocols
• T1090.001 Internal Proxy
• T1078 Valid Accounts
• T1056 Input Capture
• T1566.002 Spearphishing Link
• T1566.001 Spearphishing Attachment
• T1021.002 SMB/Windows Admin Shares
• T1190 Exploit Public-Facing Application
• T1059.005 Visual Basic
• T1021.004 SSH

ATT&CK technique IDs (denormalized)

• T1003
• T1003.001
• T1005
• T1012
• T1018
• T1021.001
• T1021.002
• T1021.004
• T1027.002
• T1027.013
• T1033
• T1036.005
• T1041
• T1046
• T1053.005
• T1056
• T1056.001
• T1059
• T1059.001
• T1059.005
• T1059.006
• T1059.010
• T1070.004
• T1071.001
• T1071.004
• T1074.001
• T1078
• T1083
• T1090.001
• T1090.002
• T1102.002
• T1105
• T1110
• T1113
• T1115
• T1135
• T1136.001
• T1140
• T1190
• T1197
• T1204.001
• T1204.002
• T1505.003
• T1546.010
• T1547.001
• T1547.009
• T1553.006
• T1555
• T1560.001
• T1566.001
• T1566.002
• T1569.002
• T1588.002

Notable Indicators of Compromise (IOCs)

No atomic indicators are listed in this profile. The APTnotes snapshot indexes 1 public reports that may contain IOCs; see Source Attribution for dataset links.

Malware and Tools

• Backdoor.Oldrea

MITRE ATT&CK Software

• NBTscan (S0590) — tool
• MechaFlounder (S0459) — malware
• Remexi (S0375) — malware
• CrackMapExec (S0488) — tool
• pwdump (S0006) — tool
• Mimikatz (S0002) — tool
• Windows Credential Editor (S0005) — tool
• Cadelspy (S0454) — malware
• PsExec (S0029) — tool
• ASPXSpy (S0073) — malware
• ftp (S0095) — tool

Attribution and Evidence

Country of Origin: Iran Additional attribution information pending cataloguing.

References

[1] mitre-attack [6] Crowdstrike GTR2020 Mar 2020 Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. [7] Dept. of Treasury Iran Sanctions September 2020 Dept. of Treasury. (2020, September 17). Treasury Sanctions Cyber Actors Backed by Iranian Intelligence. Retrieved December 10, 2020. [8] DOJ Iran Indictments September 2020 DOJ. (2020, September 17). Department of Justice and Partner Departments and Agencies Conduct Coordinated Actions to Disrupt and Deter Iranian Malicious Cyber Activities Targeting the United States and the Broader International Community. Retrieved December 10, 2020. [9] FBI FLASH APT39 September 2020 FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. [10] FireEye APT39 Jan 2019 Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019. [11] Dark Reading APT39 JAN 2019 Higgins, K. (2019, January 30). Iran Ups its Traditional Cyber Espionage Tradecraft. Retrieved May 22, 2020. [12] Symantec Chafer Dec 2015 Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.