The impersonated organizations include the Washington Post, The Economist, The Jerusalem Post, Khaleej Times, Azadliq, and others.
The researchers argue that APT42 is linked to Iran’s Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). Over the years it has built a reputation of infamy, having been involved in dozens of high-profile attacks. The researchers first observed it back in 2015, and have apparently engaged in at least 30 different operations.
A report from Google cybersecurity researchers found the threat actors would first set up email addresses on typosquatted domains, impersonating journalists, NGO representatives, and event organizers.
While the targets may differ, the goal is always the same – to gather important intelligence, vital for the advancement of Iranian state agendas. In that respect, the targets are mostly located in Israel, the United States, and Europe.
The final step is to use the obtained credentials to infiltrate their target’s corporate network and deploy two backdoors: “Nicecurl” and “Tamecat”. Nicecurl seems to be the less capable one, allowing for command execution, deploying additional malware, and stealing sensitive data. Tamecat can execute arbitrary PowerShell code and is generally described as more flexible.
Then, they would reach out to their targets, mostly located in the Middle East, and West, and engage in conversation. After building some credibility, the attackers would share a link to a document relating to a conference, or a news article. The link would redirect the victims to a phishing page where, should they fall for the trap, they can share their login credentials, and even multi-factor authentication (MFA) tokens.