
Chafer, APT 39

MITRE

Alias

Chafer, Cobalt Hickman, G0087, APT39, ITG07, Remix Kitten, Radio Serpens, TA454, APT 39

Country

Iran

Sponsor

Rana Intelligence Computing Company, State-sponsored

Motivation

Information Theft And Espionage

First Seen

2014

Description

(FireEye) APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as "Chafer." However, there are differences in what has been publicly reported due to the variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39's targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.

APT39's focus on the telecommunications and travel industries suggests intent to perform monitoring, tracking, or surveillance operations against specific individuals, collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities, or create additional accesses and vectors to facilitate future campaigns. Targeting of government entities suggests a potential secondary intent to collect geopolitical data that may benefit nation-state decision making. Targeting data supports the belief that APT39's key mission is to track or monitor targets of interest, collect personal information, including travel itineraries, and gather customer data from telecommunications firms.

Targeted
Industries

Government, IT, Shipping And Logistics, High-tech, Telecommunications, Aviation, Engineering, Transportation

Targeted
Countries

USA, Kuwait, Saudi Arabia, Turkey, UAE, Middle East, Israel, Spain, Jordan

Tools

OilRig
Mimikatz
UltraVNC
EternalBlue
POWBAT
Remexi
pwdump
SMB hacking tools
Metasploit
Non-Sucking Service Manager
ASPXSpy
HTTPTunnel
SEAWEED
Living off the land
Antak
MechaFlounder
Plink
nbtscan
Rana
RemCom
SafetyKatz
Windows Credentials Editor

TTP

T1204.002
T1003
T1074.001
T1059.006
T1046
T1569
T1115
T1074
T1546.010
T1505
T1053
T1136.001
T1059.001
T1036
T1003.001
T1090.002
T1505.003
T1041
T1113
T1547.009
T1071.004
T1083
T1090
T1070.004
T1090.001
T1135
T1197
T1560
T1555
T1021
T1204
T1033
T1027
T1546
T1071
T1102.002
T1588
T1105
T1190
T1566.001
T1102
T1136
T1071.001
T1110
T1059.005
T1204.001
T1140
T1059
T1056.001
T1078
T1547
T1021.004
T1547.001
T1021.002
T1005
T1056
T1588.002
T1053.005
T1070
T1569.002
T1012
T1027.002
T1566.002
T1553
T1018
T1566
T1553.006
T1560.001
T1021.001
T1036.005

Operations
Performed

[2017] Chafer appears to have been undeterred by its exposure in 2015 and continued to be very active during 2017, using seven new tools, rolling out new infrastructure, and attacking nine new target organizations in the region. The group hit organizations in Israel, Jordan, the United Arab Emirates, Saudi Arabia, and Turkey. (Sectors targeted included airlines; aircraft services; software and IT services companies serving the air and sea transport sectors; telecoms services; payroll services; engineering consultancies; and document management software. Outside of the Middle East, Symantec has also found evidence of attacks against one African airline and attempts to compromise an international travel reservations firm.) (https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions)

[2018-02] Turkish government targeting (This new secondary payload is Python-based and compiled into executable form using the PyInstaller utility. This is the first instance where Unit 42 has identified a Python-based payload used by these operators. We've also identified code overlap with OilRig's Clayside VBScript but at this time track Chafer and OilRig as separate threat groups. We have named this payload MechaFlounder for tracking purposes.) (https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/)

[2018 Autumn] Spying on Iran-based foreign diplomatic entities (Throughout the autumn of 2018 we analyzed a long-standing (and still active at that time) cyberespionage campaign that was primarily targeting foreign diplomatic entities based in Iran. The attackers were using an improved version of Remexi in what the victimology suggests might be a domestic cyberespionage operation.) (https://securelist.com/chafer-used-remexi-malware/89538/)

[2018] Bitdefender researchers have found attacks conducted by this actor in the Middle East region, dating back to 2018. The campaigns were based on several tools, including "living off the land" tools, which makes attribution difficult, as well as different hacking tools and a custom-built backdoor. (https://www.bitdefender.com/files/news/casestudies/study/332/bitdefender-whitepaper-chafer-creat4491-en-en-interactive.pdf)

Counter
Operations

[2020-09] Treasury sanctions cyber actors backed by Iranian Intelligence Ministry (https://home.treasury.gov/news/press-releases/sm1127)
