Iranian Hacking Group Deploys Customised Spyware
An Iran-based Hacking cyber espionage group is believed to be behind a series of cyber attacks on organisations and individuals opposed to the Iranian government, going as far back as 2015.
The Iranian state-sponsored hacking group known as APT42 has been discovered using a custom Android malware to spy on targets of interest.
APT42 is a state-sponsored threat actor who conducts cyberespionage against individuals and organisations that hold a particular interest to the Iranian government.
The primary goal of the group appears to be intelligence collection. Their activity typically starts with spear-phishing campaigns directed against prominent individuals, or colleagues near them. The group has also been seen deploying Android malware via smishing campaigns, which allow them to track the location of their victims, read their messages and record their phone calls, amongst other actions.
Now, the cyber security firm Mandiant has released information on APT42. Mandiant says that the group functions as the cyber arm of Iran's Islamic Revolutionary Guard Corps (IRGC) and claims to have found at least 30 victims of APT42. The actual count is likely much higher, given the group’s “high operational tempo” and the lack of visibility stemming from its targeting of personal email accounts.
The group is allegedly using custom Android malware to spy on targets. Mandiant is understood to have collected enough evidence to prove that the group is separate from other previously identified groups.
APT42’s activity spans back several years and includes spear-phishing campaigns that lasted several months and targeted government officials, policymakers, journalists, academics, and Iranian dissidents. The group switched targets multiple times to match changing intelligence-collection interests. For example, in 2020, APT42 used phishing emails impersonating an Oxford University vaccine laboratory to target foreign pharmaceuticals.
The hackers aim to steal account credentials, access device storage, extract communication data, and track victims, according to Mandiant. The custom Android malware strain it deploys is capable of all of these malicious activities.
More recently, in February 2022, the hackers impersonated a British news agency to target political science professors in Belgium and the United Arab Emirates. In most cases, the hackers aimed at credential harvesting by directing their victims to phishing pages made to appear as legitimate login portals.
Mandiant: Binary Defense: Oodaloop: Bleeping Computer: Infosecurity Magazine:
The Register: New Times of India:
You Might Also Read: