APT42 activity targets enterprise networks and cloud environments in the West and Middle East


APT42, an Iranian hacker group, has adopted new methods for covert espionage attacks against businesses and other targets. According to a recent report by Mandiant, APT42 has been active since 2015 and has conducted at least 30 operations in 14 countries, mainly against non-governmental organizations, media, educational institutions, activists and legal services.

The hackers use social engineering to penetrate corporate networks and cloud environments in the West and Middle East. Malicious emails carrying two custom backdoors, Nicecurl and Tamecat, are used to infect targets. These backdoors allow the attackers to execute commands and steal data.

APT42 impersonates journalists, representatives of non-governmental organizations or event organizers, sending messages from domains similar to legitimate ones. Once they have gained the victim’s trust, they send a link to a document that redirects to fake login sites, which imitate well-known services such as Google and Microsoft. These sites steal not only the victim’s credentials but also two-factor authentication tokens.
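A defender can screen sender and link hosts for the lookalike domains described above. The following is an added example, not code from the Mandiant report or this article: the `TRUSTED` allow-list, the character substitutions and the sample hosts are constructed assumptions, and the registrable-domain logic is deliberately naive (production code should use the Public Suffix List).

```python
# Flag hosts that imitate a trusted domain (digit swaps, "rn" for "m",
# brand name embedded in a longer label, single-character typos).
TRUSTED = ("google.com", "microsoft.com")  # constructed allow-list (assumption)

_DIGITS = str.maketrans("0135", "oles")  # illustrative substitutions only


def skeleton(label):
    """Reduce a label to a comparison form that ignores common visual tricks."""
    s = label.lower().translate(_DIGITS).replace("-", "")
    return s.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Naive registrable domain: the last two labels (assumption, no PSL)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host):
    """Return ('trusted'|'lookalike'|'unknown', matched trusted domain or None)."""
    domain = registrable(host)
    if domain in TRUSTED:
        return ("trusted", domain)
    cand = skeleton(domain.split(".")[0])
    for t in TRUSTED:
        brand = skeleton(t.split(".")[0])
        if brand in cand or edit_distance(cand, brand) <= 1:
            return ("lookalike", t)
    return ("unknown", None)


def flag_hosts(hosts):
    """Return (host, impersonated domain) for every lookalike in the input."""
    results = [(h, classify(h)) for h in hosts]
    return [(h, target) for h, (verdict, target) in results if verdict == "lookalike"]


# Constructed sample hosts, as might be extracted from mail headers and links.
SAMPLE = ["accounts.google.com", "g00gle.com", "rnicrosoft.com",
          "microsoft-login.net", "login.gooogle.com", "example.org"]
```

Calling `flag_hosts(SAMPLE)` returns the four imitation hosts paired with the trusted domain each one resembles; a match is a reason to inspect the message, not proof of compromise.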

To strengthen its position in infected networks and evade detection, APT42 uses features of cloud tools, clears Google Chrome history, and sends files via OneDrive accounts using email addresses apparently belonging to victims.

APT42 also uses ExpressVPN, Cloudflare domains, and temporary VPS servers to maintain anonymity. Nicecurl and Tamecat are its favorite backdoors. Nicecurl is a VBScript-based backdoor that can execute commands, load and execute additional data, or perform data analysis on the infected host. Tamecat is a more sophisticated PowerShell backdoor that can execute PowerShell code or C# scripts, giving APT42 more flexibility for theft.

 