🇮🇷

APT39

APT Group Information theft and espionage 1 zero-day CVE ETDA ✓

Also Known As 9 names

Burgundy Sandstorm COBALT HICKMAN Chafer G0087 ITG07 REMIX KITTEN Radio Serpens TA454 APT 39

Target Countries 9

Countries highlighted in red

Germany Spain Israel Islamic Republic of Iran Jordan Kuwait Saudi Arabia Turkey United States

Sectors Targeted

Aviation Engineering Shipping and Logistics Investigation, Guard, and Armored Car Services 56161 Government High-Tech National Security and International Affairs 9281 Telecommunications Data Processing, Hosting, and Related Services 51821 Transportation Computer Systems Design Services 541512 IT

Details

Origin 🇮🇷 IR

Last Updated 01 Jun 2022

Malware Families 3

antak

zhmimikatz

rana

MITRE ATT&CK 75

T1003 T1003.001 T1005 T1012 T1018 T1021 T1021.001 T1021.002 T1021.004 T1027 T1027.002 T1027.013 T1033 T1036 T1036.005 T1041 T1046 T1047 T1053 T1053.005 T1056 T1056.001 T1059 T1059.001 T1059.005 T1059.006 T1059.010 T1070 T1070.004 T1071 T1071.001 T1071.004 T1074 T1074.001 T1078 T1078.001 T1083 T1090 T1090.001 T1090.002 T1102 T1102.002 T1105 T1110 T1113 T1115 T1135 T1136 T1136.001 T1140 T1190 T1197 T1203 T1204 T1204.001 T1204.002 T1505 T1505.003 T1546 T1546.010 T1547 T1547.001 T1547.009 T1553 T1553.006 T1555 T1560 T1560.001 T1566 T1566.001 T1566.002 T1569 T1569.002 T1588 T1588.002

Related Zero-Days 1

CVE-2025-53770

Known Names 9 entries

Chafer Symantec

APT 39 Mandiant

Remix Kitten CrowdStrike

Cobalt Hickman SecureWorks

TA454 Proofpoint

ITG07 IBM

Radio Serpens Palo Alto

Burgundy Sandstorm Microsoft

G0087 MITRE

Observed Target Countries 9

Based on ETDA data — countries highlighted in red

Israel Jordan Kuwait Saudi Arabia Spain Turkey UAE USA Middle East

Description

(FireEye) APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as “Chafer.” However, there are differences in what has been publicly reported due to the variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39’s targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry. APT39’s focus on the telecommunications and travel industries suggests intent to perform monitoring, tracking, or surveillance operations against specific individuals, collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities, or create additional accesses and vectors to facilitate future campaigns. Government entities targeting suggests a potential secondary intent to collect geopolitical data that may benefit nation-state decision making. Targeting data supports the belief that APT39’s key mission is to track or monitor targets of interest, collect personal information, including travel itineraries, and gather customer data from telecommunications firms.

Tools Used 22

Antak ASPXSpy EternalBlue HTTPTunnel MechaFlounder Metasploit Mimikatz nbtscan Non-sucking Service Manager OilRig Plink POWBAT pwdump Rana Remcom Remexi SafetyKatz SEAWEED UltraVNC Windows Credentials Editor Living off the Land SMB hacking tools

Operations 4

2017 Chafer appears to have been undeterred by its exposure in 2015 and continued to be very active during 2017, using seven new tools, rolling out new infrastructure, and attacking nine new target organizations in the region. The group hit organizations in Israel, Jordan, the United Arab Emirates, Saudi Arabia, and Turkey. Sectors targeted included airlines; aircraft services; software and IT services companies serving the air and sea transport sectors; telecoms services; payroll services; engineering consultancies; and document management software.</br />Outside of the Middle East, Symantec has also found evidence of attacks against one African airline and attempts to compromise an international travel reservations firm. https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions

2018-02 Turkish Government Targeting This new secondary payload is Python-based and compiled into executable form using the PyInstaller utility. This is the first instance where Unit 42 has identified a Python-based payload used by these operators. We’ve also identified code overlap with OilRig’s Clayside VBScript but at this time track Chafer and OilRig as separate threat groups. We have named this payload MechaFlounder for tracking purposes. https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/

2018 Autumn Spying on Iran-based foreign diplomatic entities Throughout the autumn of 2018 we analyzed a long-standing (and still active at that time) cyberespionage campaign that was primarily targeting foreign diplomatic entities based in Iran. The attackers were using an improved version of Remexi in what the victimology suggests might be a domestic cyberespionage operation. https://securelist.com/chafer-used-remexi-malware/89538/

2018 Bitdefender researchers have found attacks conducted by this actor in the Middle East region, dating back to 2018. The campaigns were based on several tools, including “living off the land” tools, which makes attribution difficult, as well as different hacking tools and a custom built backdoor. https://www.bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf

Reports & References 5

https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets https://securityintelligence.com/posts/observations-of-itg07-cyber-operations/ https://www.ic3.gov/Media/News/2020/200917-2.pdf https://www.bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf

ETDA Profile

Chafer, APT 39

Origin

Iran

First Seen 2014

Sponsor State-sponsored, Rana Intelligence Computing Company

Motivation

Information theft and espionage

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0087/

View on ETDA APT Groups ↗