APT39
Also known as: ITG07 · Chafer · Remix Kitten
Overview
APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190
- Custom malware/implant development — ATT&CK: 4 attributed custom malware families
TTPs — 53 techniques across 13 tactics
Resource Development
- T1588.002 Tool
Initial Access
- T1190 Exploit Public-Facing Application
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
Execution
- T1053.005 Scheduled Task
- T1059 Command and Scripting Interpreter
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1059.006 Python
- T1059.010 AutoHotKey & AutoIT
- T1204.001 Malicious Link
- T1204.002 Malicious File
- T1569.002 Service Execution
Persistence
- T1136.001 Local Account
- T1505.003 Web Shell
- T1547.001 Registry Run Keys / Startup Folder
- T1547.009 Shortcut Modification
Privilege Escalation
- T1546.010 AppInit DLLs
Stealth
- T1027.002 Software Packing
- T1027.013 Encrypted/Encoded File
- T1036.005 Match Legitimate Resource Name or Location
- T1070.004 File Deletion
- T1078 Valid Accounts
- T1140 Deobfuscate/Decode Files or Information
- T1197 BITS Jobs
Defense Impairment
- T1553.006 Code Signing Policy Modification
Credential Access
- T1003 OS Credential Dumping
- T1003.001 LSASS Memory
- T1110 Brute Force
- T1555 Credentials from Password Stores
Discovery
- T1012 Query Registry
- T1018 Remote System Discovery
- T1033 System Owner/User Discovery
- T1046 Network Service Discovery
- T1083 File and Directory Discovery
- T1135 Network Share Discovery
Lateral Movement
- T1021.001 Remote Desktop Protocol
- T1021.002 SMB/Windows Admin Shares
- T1021.004 SSH
Collection
- T1005 Data from Local System
- T1056 Input Capture
- T1056.001 Keylogging
- T1074.001 Local Data Staging
- T1113 Screen Capture
- T1115 Clipboard Data
- T1560.001 Archive via Utility
Command and Control
- T1071.001 Web Protocols
- T1071.004 DNS
- T1090.001 Internal Proxy
- T1090.002 External Proxy
- T1102.002 Bidirectional Communication
- T1105 Ingress Tool Transfer
Exfiltration
Tools & malware (11)
NBTscan · MechaFlounder · Remexi · CrackMapExec · pwdump · Mimikatz · Windows Credential Editor · Cadelspy · PsExec · ASPXSpy · ftp
Reporting (3)
- Treasury Sanctions Cyber Actors Backed by Iranian Intelligence — Dept. of Treasury
- Department of Justice and Partner Departments and Agencies Conduct Coordinated Actions to Disrupt and Deter Iranian Malicious Cyber Activities Targeting the United States and the Broader International Community — DOJ
- Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07 — FBI