Description
[APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. [APT39](https://attack.mitre.org/groups/G0087) has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS. (Citation: FireEye APT39 Jan 2019) (Citation: Symantec Chafer Dec 2015) (Citation: FBI FLASH APT39 September 2020) (Citation: Dept. of Treasury Iran Sanctions September 2020) (Citation: DOJ Iran Indictments September 2020)
Techniques Used (TTPs)
- T1046 — Network Service Discovery (discovery)
- T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
- T1090.002 — External Proxy (command-and-control)
- T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
- T1056.001 — Keylogging (collection, credential-access)
- T1005 — Data from Local System (collection)
- T1059.001 — PowerShell (execution)
- T1115 — Clipboard Data (collection)
- T1003 — OS Credential Dumping (credential-access)
- T1553.006 — Code Signing Policy Modification (defense-evasion)
- T1546.010 — AppInit DLLs (privilege-escalation, persistence)
- T1547.009 — Shortcut Modification (persistence, privilege-escalation)
- T1135 — Network Share Discovery (discovery)
- T1569.002 — Service Execution (execution)
- T1027.013 — Encrypted/Encoded File (defense-evasion)
- T1588.002 — Tool (resource-development)
- T1021.001 — Remote Desktop Protocol (lateral-movement)
- T1033 — System Owner/User Discovery (discovery)
- T1027.002 — Software Packing (defense-evasion)
- T1041 — Exfiltration Over C2 Channel (exfiltration)
- T1204.002 — Malicious File (execution)
- T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
- T1070.004 — File Deletion (defense-evasion)
- T1102.002 — Bidirectional Communication (command-and-control)
- T1560.001 — Archive via Utility (collection)
- T1505.003 — Web Shell (persistence)
- T1105 — Ingress Tool Transfer (command-and-control)
- T1059.010 — AutoHotKey & AutoIT (execution)
- T1204.001 — Malicious Link (execution)
- T1555 — Credentials from Password Stores (credential-access)
- T1113 — Screen Capture (collection)
- T1003.001 — LSASS Memory (credential-access)
- T1018 — Remote System Discovery (discovery)
- T1071.004 — DNS (command-and-control)
- T1059 — Command and Scripting Interpreter (execution)
- T1074.001 — Local Data Staging (collection)
- T1083 — File and Directory Discovery (discovery)
- T1012 — Query Registry (discovery)
- T1110 — Brute Force (credential-access)
- T1197 — BITS Jobs (defense-evasion, persistence)
- T1136.001 — Local Account (persistence)
- T1059.006 — Python (execution)
- T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
- T1071.001 — Web Protocols (command-and-control)
- T1090.001 — Internal Proxy (command-and-control)
- T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1056 — Input Capture (collection, credential-access)
- T1566.002 — Spearphishing Link (initial-access)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1021.002 — SMB/Windows Admin Shares (lateral-movement)
- T1190 — Exploit Public-Facing Application (initial-access)
- T1059.005 — Visual Basic (execution)
- T1021.004 — SSH (lateral-movement)
Total TTPs: 53
Malware & Tools
Malware: ASPXSpy, Cadelspy, MechaFlounder, Remexi
Tools: CrackMapExec, Mimikatz, NBTscan, PsExec, Windows Credential Editor, ftp, pwdump