APT42 | APT Profile

Description

[APT42](https://attack.mitre.org/groups/G1044) is an Iranian-sponsored threat group that conducts cyber espionage and surveillance.(Citation: Mandiant APT42-charms) The group primarily focuses on targets in the Middle East region, but has targeted a variety of industries and countries since at least 2015.(Citation: Mandiant APT42-charms) [APT42](https://attack.mitre.org/groups/G1044) starts cyber operations through spearphishing emails and/or the PINEFLOWER Android malware, then monitors and collects information from the compromised systems and devices.(Citation: Mandiant APT42-charms) Finally, [APT42](https://attack.mitre.org/groups/G1044) exfiltrates data using native features and open-source tools.(Citation: Mandiant APT42-untangling) [APT42](https://attack.mitre.org/groups/G1044) activities have been linked to [Magic Hound](https://attack.mitre.org/groups/G0059) by other commercial vendors. While there are behavior and software overlaps between [Magic Hound](https://attack.mitre.org/groups/G0059) and [APT42](https://attack.mitre.org/groups/G1044), they appear to be distinct entities and are tracked as separate entities by their originating vendor.

Techniques Used (TTPs)

T1059.001 — PowerShell (execution)
T1518.001 — Security Software Discovery (discovery)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1070 — Indicator Removal (defense-evasion)
T1056 — Input Capture (collection, credential-access)
T1583.001 — Domains (resource-development)
T1132.001 — Standard Encoding (command-and-control)
T1530 — Data from Cloud Storage (collection)
T1059.005 — Visual Basic (execution)
T1113 — Screen Capture (collection)
T1016 — System Network Configuration Discovery (discovery)
T1087.001 — Local Account (discovery)
T1585.002 — Email Accounts (resource-development)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1656 — Impersonation (defense-evasion)
T1070.008 — Clear Mailbox Data (defense-evasion)
T1056.001 — Keylogging (collection, credential-access)
T1102 — Web Service (command-and-control)
T1082 — System Information Discovery (discovery)
T1071.001 — Web Protocols (command-and-control)
T1583.003 — Virtual Private Server (resource-development)
T1573.002 — Asymmetric Cryptography (command-and-control)
T1047 — Windows Management Instrumentation (execution)
T1539 — Steal Web Session Cookie (credential-access)
T1608.001 — Upload Malware (resource-development)
T1588.002 — Tool (resource-development)
T1111 — Multi-Factor Authentication Interception (credential-access)
T1547 — Boot or Logon Autostart Execution (persistence, privilege-escalation)
T1112 — Modify Registry (defense-evasion, persistence)
T1566.002 — Spearphishing Link (initial-access)
T1555.003 — Credentials from Web Browsers (credential-access)

Total TTPs: 31

Malware & Tools

Malware: NICECURL, TAMECAT

← Return to Home ← Back to APT Search