Iranian Threat Group, APT42 Deploys Android Spyware

Researchers from Mandiant have identified cyberespionage activity tied to Iranian state-sponsored group, APT42. The group's operations are aligned with intelligence collection and surveillance efforts against individuals and organizations who are of interest to the Iranian government. Mandiant documents the group's operations and objective as "operations, which are designed to build trust and rapport with their victims, have included accessing the personal and corporate email accounts of government officials, former Iranian policymakers or political figures, members of the Iranian diaspora and opposition groups, journalists, and academics who are involved in research on Iran. After gaining access, the group has deployed mobile malware capable of tracking victim locations, recording phone conversations, accessing videos and images, and extracting entire SMS inboxes." Mandiant has tracked at least 30 operations carried out by APT42 across 14 countries since 2015, the total number of campaigns is likely higher. APT42 has displayed a preference for credential harvesting and the deployment of their Android surveillance malware. Recent campaigns have observed spear-phishing emails to harvest credentials. Lures used by the group involved impersonating an Oxford university vaccinologist, a British media organization METRO, and U.S media organizations to set up fake interviews. Mandiant has identified a connection between APT42 and APT35, stating "with moderate confidence that both APT35 and APT42 operate on behalf of the IRGC but originate from different missions and contracts or contractors based on substantial differences in their respective targeting patterns and tactics, techniques and procedures." Lastly, ransomware capabilities exist in APT42's arsenal as the group has been tied to ransomware activity using BitLocker.