Threats Feed | APT42 | Last Updated: 02/10/2024 | Author: Certfa Radar | Publish Date: 14/08/2024

APT42 Targets Israeli and U.S. High-Profile Sectors with Sophisticated Phishing Campaigns

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Malware, Phishing, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact / High Probability

Threat Overview

APT42 has intensified its phishing campaigns against Israel and the U.S., targeting high-profile individuals in the military, defense, diplomatic, academic, and NGO sectors. The group uses spear-phishing emails, typosquatting domains that imitate the organizations it targets (for example brookings[.]email in the IOC list below), and social engineering to harvest credentials and gain unauthorized access to accounts. Recent campaigns have included benign PDF attachments used as lures and phishing kits capable of relaying one-time codes to bypass multi-factor authentication, so a stolen password alone is not the only thing defenders should look for.

Detected Targets

Type | Name | Confidence
Case | Brookings Institution | Verified
    The Brookings Institution, often stylized as Brookings, is an American think tank that conducts research and education in the social sciences, primarily in economics (and tax policy), metropolitan policy, governance, foreign policy, global economy, and economic development. Brookings has been targeted by APT42.
Case | Jewish Agency for Israel | Verified
    The Jewish Agency for Israel, formerly known as the Jewish Agency for Palestine, is the largest Jewish non-profit organization in the world. It was established in 1929 as the operative branch of the World Zionist Organization. The Jewish Agency for Israel has been targeted by APT42.
Case | Washington Institute for Near East Policy | Verified
    The Washington Institute for Near East Policy is a pro-Israel American think tank based in Washington, D.C., focused on the foreign policy of the United States in the Near East. The Washington Institute has been targeted by APT42.
Sector | Government Agencies and Services | Verified
Sector | Military | Verified
Sector | Political | Verified
Sector | Researchers | Verified
Region | Iran | Verified
Region | Israel | Verified
Region | United Kingdom | Verified
Region | United States | Verified

Extracted IOCs

  • accredit-navigation[.]online
  • brookings[.]email
  • checking-paneling[.]live
  • check-pabnel-status[.]live
  • click-choose-figured[.]cfd
  • n9[.]cl
  • panel-short-check[.]live
  • s3api[.]shop
  • short-ion-per[.]live
  • smaaaal[.]cfd
  • understandingthewar[.]org
  • firebasestorage.googleapis[.]com
  • meetroomonlin1925.w3spaces[.]com
  • sharedrive.webredirect[.]org
  • visioneditor.loseyourip[.]com
  • 0180f4f29c550aa1ffaa21af51711b29de99fb1d7c932d008a0e9356ae8a7d60
  • 33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156
  • 4ac088bf25d153ec2b9402377695b15a28019dc8087d98bd34e10fed3424125f
  • 82ae2eb470a5a16ca39ec84b387294eaa3ae82e5ada4b252470c1281e1f31c0a
  • 89c1d1b61d7f863f8a651726e29f2ae3de7958f36b49a756069021817947d06c
  • baac058ddfc96c8aea8c0057077505f0ad3ff20311d999886fed549924404849
  • bc2597ce09987022ff0498c6710a9b51a1a47ed8082ac044be2838b384157527
  • c3486133783379e13ed37c45dc6645cbee4c1c6e62e7988722931eef99c8eaf3
  • c67cd544a112cab1bb75b3c44df4caf2045ef0af51de9ece11261d6c504add32
  • f83e2b3be2e6db20806a4b9b216edc7508fa81ce60bf59436d53d3ae435b6060
  • 49[.]13.194.118
  • 91[.]107.150.184
  • hxxps://checking-paneling[.]live/aliasauthg/autoref/vnsx6c2m
  • hxxps://checking-paneling[.]live/aliasauthg/password
  • hxxps://check-pabnel-status[.]live/gcollection/password
  • hxxps://check-pabnel-status[.]live/gcollection/ref/cklipwam
  • hxxps://check-pabnel-status[.]live/lcollection/password
  • hxxps://check-pabnel-status[.]live/lcollection/ref/f53oqqke
  • hxxps://click-choose-figured[.]cfd/gallery/password
  • hxxps://click-choose-figured[.]cfd/gallery/ref/fsaem5gg
  • hxxps://firebasestorage.googleapis[.]com/v0/b/share-box-5f395.appspot.com/o/onedrive-qrty45.html
  • hxxps://meetroomonlin1925.w3spaces[.]com/
  • hxxps://n9[.]cl/4xgro
  • hxxps://panel-short-check[.]live/phyfkfqx
  • hxxps://panel-short-check[.]live/zzqt3lyd
  • hxxps://s3api[.]shop/api/
  • hxxps://sharedrive.webredirect[.]org/khn/shoagza/cgnt/dmpav/kvvhk
  • hxxps://short-ion-per[.]live/08efnz1
  • hxxps://smaaaal[.]cfd/wp59tqku
  • hxxps://visioneditor.loseyourip[.]com

Tip: 45 related IOCs (2 IP, 15 domain, 18 URL, 0 email, 10 file hash) to this threat have been found.
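The IOC list above is published defanged (hxxps://, [.]) and mixes domains, URLs, IPs and SHA-256 hashes; the overview notes that the domains are typosquats of the targets' own names. As an added example, not code from the Certfa Radar page, the following Python refangs a subset of the list, buckets each indicator by type, and matches it against a few constructed log lines. It encodes two things a practitioner wants from this list: domain indicators are matched on the registrable domain and its subdomains (login.brookings.email hits brookings[.]email, the legitimate www.brookings.edu does not), and shared-infrastructure hosts such as firebasestorage.googleapis[.]com and n9[.]cl are matched only at the full-URL level, because a domain-level block would flag every Firebase Storage download or n9.cl short link. The SHARED_HOSTS set, the IOC subset and the log lines are assumptions made for this example.

```python
import re
from ipaddress import ip_address

# Constructed subset of the defanged IOCs listed on this page (not the full list).
DEFANGED_IOCS = [
    "brookings[.]email",
    "check-pabnel-status[.]live",
    "firebasestorage.googleapis[.]com",
    "49[.]13.194.118",
    "hxxps://check-pabnel-status[.]live/gcollection/password",
    "hxxps://firebasestorage.googleapis[.]com/v0/b/share-box-5f395.appspot.com/o/onedrive-qrty45.html",
    "33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156",
]

# Assumption for this example: legitimate shared services the actor abuses.
# These are matched only as full URLs, never at domain level, to avoid
# flagging all Firebase Storage or n9.cl traffic. Tune to your environment.
SHARED_HOSTS = {"firebasestorage.googleapis.com", "n9.cl"}

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Undo the defanging conventions used in the IOC list above."""
    s = ioc.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(ioc: str) -> str:
    """Bucket a refanged IOC as sha256, url, ip or domain."""
    if SHA256_RE.fullmatch(ioc):
        return "sha256"
    if "://" in ioc:
        return "url"
    try:
        ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain"


def build_index(defanged):
    """Refang, classify and normalise a defanged IOC list into per-type sets."""
    index = {"sha256": set(), "url": set(), "ip": set(), "domain": set()}
    for raw in defanged:
        ioc = refang(raw)
        kind = classify(ioc)
        if kind == "domain" and ioc.lower() in SHARED_HOSTS:
            continue  # keep the URL-level indicator, drop the domain-level one
        value = ioc if kind == "ip" else ioc.lower().rstrip("/")
        index[kind].add(value)
    return index


def host_matches(host, domains):
    """Exact or subdomain match on the IOC domain, not a substring match:
    login.brookings.email hits brookings.email; www.brookings.edu does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_line(line, index):
    """Return [(ioc_type, matched_value), ...] for one log line."""
    hits = []
    for h in SHA256_RE.findall(line):
        if h.lower() in index["sha256"]:
            hits.append(("sha256", h.lower()))
    for url in URL_RE.findall(line):
        if url.lower().rstrip("/") in index["url"]:
            hits.append(("url", url))
    for tok in HOST_RE.findall(line):  # hostnames and dotted IPv4 addresses
        try:
            ip = ip_address(tok)
        except ValueError:
            if host_matches(tok, index["domain"]):
                hits.append(("domain", tok.lower()))
            continue
        if str(ip) in index["ip"]:
            hits.append(("ip", str(ip)))
    return hits


def scan_logs(lines, index):
    """Return [(line_number, hits)] for every line with at least one hit."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line, index)
        if hits:
            results.append((n, hits))
    return results


# Constructed DNS / proxy / EDR / firewall log lines for this example.
SAMPLE_LOGS = [
    "2024-08-14T09:12:03Z dns query=login.brookings.email client=10.0.0.23",
    "2024-08-14T09:12:05Z proxy user=jdoe url=https://check-pabnel-status.live/gcollection/password status=200",
    "2024-08-14T09:15:44Z edr host=ws-17 file=invite.pdf sha256=33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156",
    "2024-08-14T09:20:00Z fw src=10.0.0.23 dst=49.13.194.118 dport=443 action=allow",
    "2024-08-14T09:21:00Z dns query=www.brookings.edu client=10.0.0.9",
    "2024-08-14T09:22:10Z proxy user=asmith url=https://firebasestorage.googleapis.com/v0/b/legit-app.appspot.com/o/report.pdf status=200",
]

if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOGS, build_index(DEFANGED_IOCS)):
        print(n, hits)
```

Lines 1 to 4 of the sample each produce a hit (subdomain of a typosquat domain, a phishing-kit URL plus its domain, a listed file hash, a listed IP); line 5 (the real brookings.edu) and line 6 (an unrelated Firebase Storage object) produce none. The same index can be fed from the full list above, and the SHA-256 bucket is the one to push to EDR, since the domains and URLs in this campaign rotate faster than the lure documents do.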

Overlaps

GreenCharlie | GreenCharlie Targets US Political Campaigns with Advanced Malware and Phishing

Source: Recorded Future - August 2024

Detection (three cases): 33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156, 4ac088bf25d153ec2b9402377695b15a28019dc8087d98bd34e10fed3424125f, c3486133783379e13ed37c45dc6645cbee4c1c6e62e7988722931eef99c8eaf3

TA453 | TA453 Targets Jewish Religious Leader with Sophisticated BlackSmith Malware

Source: Proofpoint - August 2024

Detection (one case): understandingthewar[.]org

APT42 | APT42: Iranian Cyber Espionage Campaign Targets Global NGO and Media Sectors

Source: Google Cloud - May 2024

Detection (two cases): check-pabnel-status[.]live, panel-short-check[.]live

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.