HRW has identified 18 victims who have been targeted as part of the same campaign, and 15 of these people have confirmed that they had received the same WhatsApp messages between September 15 and November 25. According to the analysis by security firm Mandiant, APT42 uses highly targeted spear-phishing and social engineering techniques designed to build trust and rapport with victims to get their personal/corporate email accounts or to install Android malware on their smartphones. It uses Windows malware to boost credential harvesting and surveillance efforts.
Operations of APT42
There are 3 categories of operations- Credential Harvesting- APT42 mostly targets corporate and personal email accounts through high-powered phishing campaigns with an emphasis on building trust and rapport with the target before attempting to steal the credentials. It also collects Multi-Factor Authentication codes to bypass authentication methods and uses compromised credentials to pursue access to the networks, devices, and accounts of employers, colleagues, and relatives of the initial victim. Surveillance Operations- Till late 2015, a subset of APT’s 42 infrastructure served as command-and-control servers for Android mobile malware that aimed to track locations, monitor communications, and surveil the activities of individuals of interest to the Iranian government, including activists and dissidents inside Iran. Malware deployment- While APT42 mostly prefers credential harvesting over activity on disk, it does rely on some lightweight tools and backdoor customs as well. These tools are included in the operations when the objectives extend beyond credential harvesting. Over 30 confirmed targets by APT42 have been identified by Mandate. The total intrusions are higher based on the group’s high operational tempo, visibility gaps caused partly by group’s targeting of personal email accounts and partly by domestically focused efforts and extensive open source industry reporting on threat clusters associated with APT42.
Δ