Crafting convincing personas
APT42, an Iranian state-backed threat actor, uses social engineering attacks, including posing as journalists, to gain access to the corporate networks and cloud environments of Western and Middle Eastern targets.
Mandiant initially discovered APT42 in September 2022, reporting that the threat actors had been active since 2015 and had carried out at least 30 activities across 14 countries.
The espionage group, suspected to be linked to Iran's Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), has been seen targeting non-governmental organizations, media outlets, educational institutions, activists, and legal services.
According to Google threat analysts who have been monitoring APT42's operations, the hackers use malicious emails to infect their targets with two custom backdoors, "Nicecurl" and "Tamecat," which allow for command execution and data exfiltration.
A closer look at APT42’s social engineering tactics
APT42 attacks use social engineering and spear-phishing to infect targets' devices with custom backdoors, giving the threat actors initial access to the organization's networks.
The attack begins with emails from online personas posing as journalists, NGO representatives, or event organizers, sent from domains that "typosquat" legitimate organizations, meaning their URLs are nearly identical to the real ones.
APT42 impersonates media organizations such as the Washington Post, The Economist, The Jerusalem Post (IL), Khaleej Times (UAE), and Azadliq (Azerbaijan). Mandiant reports that the attacks frequently use typosquatted domains such as "washinqtonpost[.]press".
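A mail-gateway style check for the lookalike sender domains described above, as an added example that is not from Google's or Mandiant's report. The watchlist domains, the distance thresholds, and all sample senders except the quoted "washinqtonpost[.]press" are assumptions made for illustration.

```python
# Added example: flag sender domains that imitate a protected brand.
# Watchlist built from outlets named in the article; domains are assumptions.
PROTECTED = {
    "washingtonpost": "washingtonpost.com",
    "economist": "economist.com",
    "jpost": "jpost.com",
    "khaleejtimes": "khaleejtimes.com",
}

def refang(domain):
    """Normalise a defanged or mixed-case domain such as 'Foo[.]press'."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(address):
    """Return (sender_domain, imitated_domain) for a lookalike, else None."""
    domain = refang(address.rsplit("@", 1)[-1])
    legit = PROTECTED.values()
    if any(domain == d or domain.endswith("." + d) for d in legit):
        return None  # the real domain or one of its subdomains
    for label in domain.split(".")[:-1]:  # every label except the TLD
        for brand, real in PROTECTED.items():
            # Longer brands tolerate more edits; short ones only exact reuse.
            near = edit_distance(label, brand) <= len(brand) // 6
            embedded = len(brand) >= 8 and brand in label
            if near or embedded:
                return (domain, real)
    return None

# Constructed sample senders; the first domain is the one quoted in the article.
SAMPLES = [
    "reporter@washinqtonpost[.]press",
    "editor@washingtonpost.com",
    "events@economist-conference.example",
    "alice@postoffice.example",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_sender(s))
```

The length-scaled threshold keeps short brand labels such as "jpost" from matching unrelated words, at the cost of only catching exact reuse of those labels under a different TLD.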
Luring victims with tempting bait
After exchanging enough messages to build trust with the victim, the attackers send a link to a document connected to a conference or a news item, depending on the lure theme.
Nicecurl, Tamecat: Custom backdoors
APT42 employs two custom backdoors, Nicecurl and Tamecat, each designed for a specific function during cyberespionage activities.
Nicecurl is a VBScript-based backdoor that can run commands, download and execute other payloads, and extract data from the compromised host.
Tamecat is a more advanced PowerShell backdoor that can run arbitrary PowerShell code or C# scripts, providing APT42 with significant operational flexibility for data theft and substantial system modification.
Tamecat, unlike Nicecurl, obfuscates its C2 connection with base64, allows for dynamic configuration updates, and examines the infected environment before execution to avoid detection by AV products and other active security mechanisms.
Exfiltration via Legitimate Channels
Both backdoors are delivered via phishing emails containing malicious documents, which frequently require macro permissions to run. However, if APT42 has established trust with the victim, this requirement becomes less of an impediment because the victim is more inclined to actively disable security features.
Volexity studied similar, if not identical, malware in February, linking the attacks to Iranian threat actors.
The full list of Indicators of Compromise (IoCs) for the recent APT42 campaign, as well as YARA rules for detecting the NICECURL and TAMECAT malware, is available at the end of Google's report.