APT35, also known as Charming Kitten, is an Iranian state-sponsored cyber-espionage group targeting various sectors through sophisticated cyber campaigns. Since its emergence in 2014, APT35 has been involved in high-profile incidents such as the HBO data breach and attempted compromises of U.S. governmental and campaign-related accounts. The groupβs tactics include phishing, credential harvesting, and malware deployment.
Affected: Cybersecurity, Telecommunications, Entertainment, National Security
Affected: Cybersecurity, Telecommunications, Entertainment, National Security
Keypoints :
- APT35 is an Iranian state-sponsored cyber espionage group identified since at least 2014.
- The group has launched targeted cyber espionage campaigns against global sectors.
- Notable incidents include the HBO breach and targeting U.S. political campaign email accounts.
- APT35 utilizes sophisticated social engineering and custom malware for its operations.
- They are affiliated with the Iranian Revolutionary Guard Corps and operate with complex interrelations to other Iranian groups.
- Defensive strategies emphasize strong email security, multifactor authentication, and continuous monitoring.
MITRE Techniques :
- T1598.002 Spearphishing for Information: APT35 gathers victim data via spear-phishing campaigns.
- T1589 Gather Victim Identity Information: Extensive gathering of open-source intelligence to identify targets.
- T1584 Compromise Infrastructure: Preparation includes creating phishing pages and spoofed domains.
- T1566.002 Spearphishing Link: Deployment of malicious links through email campaigns.
- T1566.001 Spearphishing Attachment: Using phishing emails with malicious attachments to compromise targets.
- T1189 Drive-by Compromise: Exploiting browser vulnerabilities to infect targets visiting compromised sites.
- T1204.001 User Execution: Malicious Link: Users are tricked into executing malicious links which exploit their systems.
- T1505.003 Web Shell: Establishing persistence through malicious web shells on compromised systems.
- T1098 Account Manipulation: Altering user accounts to maintain access and persistence.
- T1068 Exploitation for Privilege Escalation: Gaining elevated privileges through software vulnerabilities.
- T1027 Obfuscated Files or Information: Using obfuscation techniques to evade detection of malicious files.
- T1070 Indicator Removal on Host: Techniques used by APT35 to remove indicators of compromise.
- T1003 Credential Dumping: Extracting stored credentials from compromised systems.
- T1056.001 Input Capture: Keylogging: Capturing user inputs for credential theft.
- T1082 System Information Discovery: Collecting information about system configurations and settings.
- T1087 Account Discovery: Identifying existing user accounts for potential exploitation.
- T1021.004 Remote Services: SSH: Using SSH for lateral movement within compromised networks.
- T1102 Web Service C2: Establishing control over compromised systems using web services.
- T1071 Application Layer Protocol: Utilizing application-layer protocols for command-and-control communications.
- T1041 Exfiltration Over Web: Exfiltrating data over web traffic to avoid detection.
Indicator of Compromise :
- [Domain] phishingdomain[. ]com
- [Domain] malicious[. ]com
- [Email] attacker@example[. ]com
- [SHA-256] 1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9t0u1v2w3x4y5z6a7b8c9d0e1f2g3
- [IPv4] 192.0.2.1
Full Story: https://socradar.io/apt-profile-who-is-phosphorus/