Impersonating someone

The Iranian state-backed threat actor tracked as APT42 is employing social engineering attacks, including posing as journalists, to breach corporate networks and cloud environments of Western and Middle Eastern targets.

APT42 was first documented by Mandiant in September 2022, who reported that the threat actors were active since 2015, having carried out at least 30 operations in 14 countries.

The espionage group, which is believed to be affiliated with Iran's Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), has been observed targeting non-governmental organizations, media outlets, educational institutes, activists, and legal services.

Google threat analysts following APT42's operations report that the hackers use malicious emails to infect their targets with two custom backdoors, namely "Nicecurl" and "Tamecat," which provide command execution and data exfiltration capabilities.

Crafting online personas

APT42 attacks rely on social engineering and spear-phishing, with the ultimate goal of infecting targets' devices with custom backdoors, allowing the threat actors to gain initial access to the organizations' networks.

The attack begins with emails from online personas posing as journalists, NGO representatives, or event organizers sent from domains that "typosquat" (use similar URLs) to those of legitimate organizations.

One of the fake personas created by APT42
One of the fake personas created by APT42
Source: Google

The media organizations impersonated by APT42 include the Washington Post (U.S.), The Economist (UK), The Jerusalem Post (IL), Khaleej Times (UAE), Azadliq (Azerbaijan), with Mandiant stating that the attacks often use typosquatted domains like "washinqtonpost[.]press".

After the attackers exchange enough communication to build trust with a victim, they send a link to a document related to a conference or a news article, depending on the selected lure topic.

Decoy document used in the attack
Decoy document used in the attack
Source: Google

Clicking on the links directs the targets to fake login pages that mimic well-known services like Google and Microsoft or even specialized platforms pertinent to the victim's field of work.

These phishing sites harvest not only the victim's account credentials but also their multi-factor authentication (MFA) tokens.

Sample of the phishing pages
Sample of the phishing pages
Source: Google

After stealing all data required for hijacking the victim's account, the hackers infiltrate the corporate network or cloud environment and collect sensitive information such as emails and documents.

Google reports that to evade detection and blend with normal operations, APT42 limits its actions to built-in features of the cloud tools it has access to, clears Google Chrome history after reviewing documents, and uses email addresses that appear to belong to the victimized organization to exfiltrate files to OneDrive accounts.

In addition, APT42 uses ExpressVPN nodes, Cloudflare-hosted domains, and ephemeral VPS servers during all interactions with the victim's environment, making attribution harder.

APT42 attack overview
APT42 attack overview
Source: Google

Custom backdoor malware

APT42 utilizes two custom backdoors named Nicecurl and Tamecat, each tailored for specific functions within cyberespionage operations.

Nicecurl is a VBScript-based backdoor capable of performing command execution, downloading and executing additional payloads, or performing data mining on the infected host.

Tamecat is a more complex PowerShell backdoor that can execute arbitrary PS code or C# scripts, giving APT42 much operational flexibility to perform data theft and extensive system manipulation.

Compared to Nicecurl, Tamecat obfuscates its C2 communication with base64, can update its configuration dynamically, and assesses the infected environment before execution to evade detection by AV tools and other active security mechanisms.

Both backdoors are deployed via phishing emails with malicious documents, often requiring macro permissions to run. However, if APT42 has cultivated trust with the victim, this requirement becomes less of a barrier since the victim is more likely to manually disable security features.

Similar, if not the same, malware was analyzed by Volexity in February, which also linked the attacks to Iranian threat actors.

The full list of Indicators of Compromise (IoCs) for the recent APT42 campaign and YARA rules for detecting the NICECURL and TAMECAT malware can be found at the end of Google's report.

Related Articles:

Russia targets Ukrainian conscripts with Windows, Android malware

US says Chinese hackers breached multiple telecom providers

European govt air-gapped systems breached using custom malware

Microsoft: Stealthy Flax Typhoon hackers use LOLBins to evade detection

US govt officials’ communications compromised in recent telecom hack