APT39 Cyber Espionage Group Launches Widespread Theft of Personal Information


The Iranian cyber espionage group APT39 focuses on the widespread theft of personal information, supporting monitoring, tracking or surveillance operations that serve Iran's national priorities, or creating additional accesses and vectors to facilitate future campaigns.

The targeted industries include telecommunications, travel, high-tech and government entities. The group has focused its operations in the Middle East, the U.S. and South Korea. APT39 uses a variety of custom and publicly available malware and tools at all stages of the attack lifecycle.

The attack starts with spear-phishing emails, stolen credentials or web server compromise. The phishing emails carry malicious attachments that result in the download of the POWBAT malware. For C2 communications the group registers domains that pose as legitimate ones relevant to the targeted organization.

The group also compromises the targeted organizations' web servers through known vulnerabilities and deploys web shells such as ANTAK and ASPXSPY. Stolen credentials are then used to compromise Outlook Web Access (OWA) resources.

APT39 uses custom backdoors such as SEAWEED and CACHEMONEY, along with a unique variant of POWBAT, to establish a foothold in the target environment, and escalates privileges using freely available tools such as Mimikatz and Ncrack.

Lateral movement is carried out through a range of tools such as Remote Desktop Protocol (RDP), Secure Shell (SSH), PsExec, RemCom and xCmdSvc, while custom tools like REDTRIP, PINKTRIP and BLUETRIP have been used to create SOCKS5 proxies between infected hosts.

To archive the stolen data, APT39 uses WinRAR or 7-Zip, and it has used a modified version of Mimikatz to evade anti-virus detection.
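The stages above (web shell on a compromised web server, credential theft with Mimikatz or Ncrack, lateral movement via PsExec/RemCom/xCmdSvc/RDP/SSH, archiving with WinRAR or 7-Zip) can be turned into simple host-level detections. The following is an added example written for this post, not code from the original article or from any vendor: it scores constructed Sysmon-style process-creation events against those stages and groups hits per host, assuming IIS (w3wp.exe) as the web server process.

```python
import re
from collections import defaultdict

# Detection rules keyed by the stages described above. Each pattern is
# matched against the process command line of a process-creation event.
RULES = {
    "credential_access": re.compile(r"\b(mimikatz|ncrack)(\.exe)?\b", re.I),
    "lateral_movement": re.compile(r"\b(psexec|remcom|xcmdsvc|mstsc|ssh)(\.exe)?\b", re.I),
    "collection": re.compile(r"\b(rar|winrar|7z|7za)(\.exe)?\s+a\s", re.I),  # archive "add"
}
# A web shell such as an ASPX file runs inside the IIS worker process, so a
# shell spawned directly by w3wp.exe is the tell-tale sign (assumption: IIS).
WEB_SERVER_PARENTS = {"w3wp.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}

def classify_event(parent, image, cmdline):
    """Return the stage an event maps to, or None when nothing matches."""
    if parent.lower() in WEB_SERVER_PARENTS and image.lower() in SHELL_CHILDREN:
        return "web_shell"
    for stage, pattern in RULES.items():
        if pattern.search(cmdline):
            return stage
    return None

def triage(events):
    """Group flagged events per host: a chain of stages on one host is far
    more telling than any single match (RDP/SSH use alone is often benign)."""
    findings = defaultdict(list)
    for host, parent, image, cmdline in events:
        stage = classify_event(parent, image, cmdline)
        if stage:
            findings[host].append((stage, cmdline))
    return dict(findings)

# Constructed sample events (host, parent image, image, command line);
# not real telemetry, just shaped like Sysmon/EDR process-creation records.
SAMPLE_EVENTS = [
    ("web01", "w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ("web01", "cmd.exe", "mimikatz.exe", "mimikatz.exe"),
    ("web01", "cmd.exe", "PsExec.exe", r"PsExec.exe \\fs02 -u corp\svc cmd"),
    ("fs02", "cmd.exe", "rar.exe", r"rar.exe a -hp C:\Windows\Temp\out.rar D:\customers"),
    ("ws17", "explorer.exe", "7z.exe", "7z.exe x report.7z"),
    ("ws17", "explorer.exe", "ssh.exe", "ssh.exe admin@git.internal"),
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, [stage for stage, _ in hits])
```

On the sample, web01 shows the full web shell to credential theft to lateral movement chain, fs02 shows only archiving, and ws17 shows a lone SSH hit that needs baselining before it means anything; the modified Mimikatz the post mentions is exactly why a filename match alone is weak and a per-host chain is the better signal.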

The telecommunications and travel industries were the group's prime targets, as they store large amounts of personal and customer information. APT39's targeting not only represents a threat to the known targeted industries but extends to these organizations' clientele, which includes a wide variety of sectors and individuals on a global scale.

If you have any queries, please do not hesitate to contact us: hello@stravatechnologies.in