APT42 hackers pose as journalists to steal credentials and access cloud data

admin, 2024-05-08 13:39:14, 14 views, 5,892 characters, reading time 19 min 38 s


The Iranian state-backed hacking outfit called APT42 is making use of enhanced social engineering schemes to infiltrate target networks and cloud environments.


Targets of the attack include Western and Middle Eastern NGOs, media organizations, academia, legal services and activists, Google Cloud subsidiary Mandiant said in a report published last week.


"APT42 was observed posing as journalists and event organizers to build trust with their victims through ongoing correspondence, and to deliver invitations to conferences or legitimate documents," the company said.


"These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to cloud environments. Subsequently, the threat actor covertly exfiltrated data of strategic interest to Iran, while relying on built-in features and open-source tools to avoid detection."


APT42 (aka Damselfly and UNC788), first documented by the company in September 2022, is an Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.


It's assessed to be a subset of another infamous threat group tracked as APT35, which is also known by various names including CALANQUE, CharmingCypress, Charming Kitten, ITG18, Mint Sandstorm (formerly Phosphorus), Newscaster, TA453, and Yellow Garuda.


Both groups are affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), but operate with a different set of goals.


Charming Kitten focuses more on long-term, malware-intensive operations targeting organizations and companies in the U.S. and Middle East to steal data. APT42, in contrast, targets specific individuals and organizations that the regime has its eye on for the purposes of domestic politics, foreign policy, and regime stability.


Earlier this January, Microsoft attributed the Charming Kitten actor to phishing campaigns targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the U.K., and the U.S. since November 2023.



Attacks mounted by the group are known to involve extensive credential harvesting operations to gather Microsoft, Yahoo, and Google credentials via spear-phishing emails containing malicious links to lure documents that redirect the recipients to a fake login page.


In these campaigns, the adversary has been observed sending emails from domains typosquatting the original entities and masquerading as news outlets; legitimate services like Dropbox, Google Meet, LinkedIn, and YouTube; and mailer daemons and URL shortening tools.


The credential-grabbing attacks are complemented by data exfiltration activities targeting the victims' public cloud infrastructure to get hold of documents that are of interest to Iran, but only after gaining their trust – something Charming Kitten is well-versed at.



"These operations began with enhanced social engineering schemes to gain the initial access to victim networks, often involving ongoing trust-building correspondence with the victim," Mandiant said.


"Only then the desired credentials are acquired and multi-factor authentication (MFA) is bypassed, by serving a cloned website to capture the MFA token (which failed) and later by sending MFA push notifications to the victim (which succeeded)."

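The MFA push-notification bypass quoted above leaves a recognisable trace in identity-provider sign-in logs: a burst of push prompts to one user in a short window that ends in an approval, often from a source address that has never approved before. The following detector is an added example, not Mandiant's or any vendor's tooling; the CSV event format, the `push_*` result values and the sample log are constructed for illustration.

```python
"""Flag MFA push-fatigue patterns in constructed sign-in events.

Assumed log format (constructed, not a real product's schema):
    timestamp,user,source_ip,mfa_result
where mfa_result is push_denied, push_timeout or push_approved.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: bob receives three prompts in two minutes, then approves
# the fourth from an address that has never approved before.
SAMPLE_LOG = """\
2024-05-01T08:00:05Z,alice@example.org,203.0.113.7,push_approved
2024-05-01T22:14:01Z,bob@example.org,198.51.100.9,push_denied
2024-05-01T22:14:40Z,bob@example.org,198.51.100.9,push_timeout
2024-05-01T22:15:12Z,bob@example.org,198.51.100.9,push_denied
2024-05-01T22:16:03Z,bob@example.org,198.51.100.9,push_approved
2024-05-01T23:00:00Z,alice@example.org,203.0.113.7,push_approved
"""

PROMPT_THRESHOLD = 3          # prompts (including the approval) inside WINDOW
WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse CSV lines into (datetime, user, ip, result) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return sorted(events)


def detect_push_fatigue(text):
    """Return alerts as (user, approval_time, prompt_count, ip, ip_is_new)."""
    by_user = defaultdict(list)
    for ev in parse_events(text):
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        seen_approving_ips = set()
        for i, (ts, _, ip, result) in enumerate(evs):
            if result != "push_approved":
                continue
            # every prompt to this user, whatever its outcome, inside the window
            prior = [e for e in evs[:i] if ts - e[0] <= WINDOW]
            if len(prior) + 1 >= PROMPT_THRESHOLD:
                alerts.append((user, ts.isoformat(), len(prior) + 1, ip,
                               ip not in seen_approving_ips))
            seen_approving_ips.add(ip)
    return alerts
```

Tune `PROMPT_THRESHOLD` and `WINDOW` to the normal prompt rate in your tenant; a legitimate user rarely needs more than one or two prompts in ten minutes.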

In an effort to cover up its tracks and blend in, the adversary has been found relying on publicly available tools, exfiltrating files to a OneDrive account masquerading as the victim's organization, and employing VPN and anonymized infrastructure to interact with the compromised environment.


Also used by APT42 are two custom backdoors that act as a jumping point to deploy additional malware or to manually execute commands on the device:


  • NICECURL (aka BASICSTAR) - A backdoor written in VBScript that can download additional modules to be executed, including data mining and arbitrary command execution


  • TAMECAT - A PowerShell toehold that can execute arbitrary PowerShell or C# content


It's worth noting that NICECURL was previously dissected by cybersecurity company Volexity in February 2024 in connection with a series of cyber attacks aimed at Middle East policy experts.


"APT42 has remained relatively focused on intelligence collection and targeting similar victimology, despite the Israel-Hamas war that has led other Iran-nexus actors to adapt by conducting disruptive, destructive, and hack-and-leak activities," Mandiant concluded.


"The methods deployed by APT42 leave a minimal footprint and might make the detection and mitigation of their activities more challenging for network defenders."


References

[1]https://thehackernews.com/2024/05/apt42-hackers-pose-as-journalists-to.html


Originally published by the WeChat official account 知机安全: APT42 hackers pose as journalists to steal credentials and access cloud data

Published by admin on 2024-05-08 13:39:14. Reprints should keep the original link (CN-SEC中文网): https://cn-sec.com/archives/2719610.html
