December 6, 2022
Iranian hacking group APT42 targets Iranian opposition through custom Android spyware

An Iran-based cyber espionage group known as APT42 is believed to be behind a series of cyberattacks on organizations and individuals opposed to the Iranian government, going as far back as 2015.

The group has been discovered using custom Android malware to spy on targets of specific interest.

APT42 is functioning as the cyber spy army of Iran’s Islamic Revolutionary Guard Corps (IRGC), which has plotted to murder US citizens including former National Security Advisor John Bolton.

Mandiant researchers say they have “high confidence” that APT42 is an Iranian state-sponsored cyber espionage group tasked with spying on people and groups of interest to the Iranian government.

The group’s primary tactic is spear-phishing, a common scam in which the perpetrators pose as a legitimate entity and attempt to persuade a target to open an email and click a link that allows the group to steal information. What sets this group apart is the lengths to which it goes to appear trustworthy.

In many cases, the group also deploys a custom Android malware strain capable of tracking victims, accessing the device’s storage, and extracting communication data.

While its financial backers turn their attention to assassination attempts and other terrorist activities, APT42 favors selective spear-phishing to target corporate and personal email accounts, according to the Google-owned threat intel business.

As part of APT42’s activity, think tanks, researchers, journalists, government officials, healthcare facilities, and the Iranian diaspora have been targeted in at least 14 countries, including Israel and the UAE.

A lot of spear-phishing campaigns are laughably crude, promising riches in poorly written emails. Not APT42. One member of the group “posed as a well-known journalist from a U.S. media organization requesting an interview and engaged the initial target for 37 days to gain their trust before finally directing them to a credential harvesting page,” the report said. 

Security researchers also said that in 2017 APT42 targeted the leaders of an Iranian opposition group by sending emails that appeared to be from Google and that contained links to fake Google Books pages.

Targets were then redirected to sign-in websites designed to steal their Google logins and multifactor authentication codes.

APT42 steals Google logins and multifactor authentication codes.
Image: Mandiant
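The fake sign-in pages described above work because a one-time code is not tied to the page on which it is typed. The following Python example is added here as a defender-side illustration and is not code from the report or from Mandiant: it shows that a standard RFC 6238 TOTP code entered on a look-alike page and forwarded to the real server within its validity window is accepted, while an origin-bound credential (a simplified stand-in for a WebAuthn/FIDO2 assertion, using an HMAC in place of a real signature) is rejected when the browser reports a look-alike origin. All secrets, origins, and challenge values are constructed for the demo; the origin names are assumptions, not domains from the page.

```python
import hashlib
import hmac
import struct

# All secrets, origins and challenge values below are constructed for the demo.
TOTP_SECRET = b"constructed-shared-secret"
DEVICE_KEY = b"constructed-per-site-device-key"
LEGIT_ORIGIN = "https://accounts.example.com"    # assumed legitimate sign-in origin
PHISH_ORIGIN = "https://accounts-example.com"    # constructed look-alike origin


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def server_verify_totp(secret: bytes, code: str, counter: int, skew: int = 1) -> bool:
    """The real server only checks that the code is valid for a nearby time step.
    It has no way of knowing on which page the user typed it."""
    return any(hmac.compare_digest(totp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


def totp_code_survives_relay(counter: int) -> bool:
    """The victim enters the code on the look-alike page; it is forwarded to the
    real server inside the validity window. Returns True if the server accepts it."""
    code_entered_on_phish_page = totp(TOTP_SECRET, counter)
    return server_verify_totp(TOTP_SECRET, code_entered_on_phish_page, counter)


def authenticator_assert(device_key: bytes, challenge: bytes, origin_seen_by_browser: str):
    """Stand-in for a WebAuthn assertion (HMAC used in place of a signature):
    the browser, not the user, supplies the origin, and it is bound into the signed data."""
    client_data = f"{origin_seen_by_browser}|{challenge.hex()}".encode()
    return client_data, hmac.new(device_key, client_data, hashlib.sha256).digest()


def server_verify_assertion(device_key: bytes, challenge: bytes, client_data: bytes,
                            tag: bytes, expected_origin: str) -> bool:
    """The server checks the origin and challenge embedded in the signed data
    before checking the tag, so a relayed assertion from another origin fails."""
    origin, _, challenge_hex = client_data.decode().partition("|")
    if origin != expected_origin or challenge_hex != challenge.hex():
        return False
    expected = hmac.new(device_key, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def origin_bound_login(challenge: bytes, origin_seen_by_browser: str) -> bool:
    """Server issues a challenge, browser and authenticator answer it, and the
    server verifies it against the origin it expects (LEGIT_ORIGIN)."""
    client_data, tag = authenticator_assert(DEVICE_KEY, challenge, origin_seen_by_browser)
    return server_verify_assertion(DEVICE_KEY, challenge, client_data, tag, LEGIT_ORIGIN)


if __name__ == "__main__":
    print("TOTP relayed from look-alike page accepted:", totp_code_survives_relay(1_700_000))
    print("Origin-bound login from legitimate origin:", origin_bound_login(b"\x01" * 16, LEGIT_ORIGIN))
    print("Origin-bound login relayed from look-alike:", origin_bound_login(b"\x01" * 16, PHISH_ORIGIN))
```

The takeaway for defenders is that SMS or app-generated one-time codes raise the bar for password reuse but not for real-time phishing of the kind described in the report; origin-bound authenticators (FIDO2 security keys, passkeys) close that gap because the browser, not the user, decides what origin is signed.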

Mandiant researchers say the custom Android spyware is aimed primarily at Iran-based targets and is delivered via SMS texts containing links to a messaging or VPN app that can help bypass government-imposed restrictions.

While APT42’s operations appear similar in some ways to previously spotted Iranian online spying groups, the researchers say that what makes it different is its focus on the personal accounts and mobile devices of individual people and groups deemed enemies of the regime, rather than on military targets or large caches of sensitive data.

Finally, Mandiant has assessed with moderate confidence that APT42 and APT35 are both run by the IRGC (Islamic Revolutionary Guard Corps), which the U.S. designates as a terrorist organization.
