Threats Feed | APT39 | Last Updated: 02/10/2024 | Author: Certfa Radar | Publish Date: 17/09/2020

Iranian APT39 Targets Global Sectors with Sophisticated Malware Campaign

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Malware
  • Attack Complexity: High
  • Threat Risk: High Impact / High Probability

Threat Overview

Rana Intelligence Computing Company (tracked as APT39) is an Iranian front group for the Ministry of Intelligence and Security (MOIS) that conducts cyber operations in Asia, Africa, Europe and North America. Its primary targets are the travel, telecommunications, hospitality, academic and government sectors. Rana delivers malware through spear-phishing and uses Visual Basic, PowerShell and AutoIt scripts, together with malware that abuses the Windows Background Intelligent Transfer Service (BITS), to steal data, track individuals and maintain persistence. Its campaigns have targeted more than 15 US companies and rely on scheduled tasks, encryption and obfuscation to evade detection. Rana has also deployed Android malware that, with root access, communicates with its C2 infrastructure, records audio and captures photos.

Detected Targets

Type     Description                        Confidence
Sector   Dissident                          Verified
Sector   Government Agencies and Services   Verified
Sector   Journalists                        Verified
Sector   Tourism                            Verified
Sector   Telecommunication                  Verified
Sector   University                         Verified
Region   Iran                               Verified
Region   United States                      Verified
Region   Middle East Countries              High
Region   European Countries                 High

Extracted IOCs

Domain
  • saveingone[.]com

File hashes (MD5)
  • 0d6d385354584264e2b37ff3a199ea04
  • 2f01092e9cd49448b0de7da48e545682
  • 3153abb3ee1acea396b0f7b77c0162c9
  • 3f3f39bacfe115df5b55c9ab06b93aeb
  • 426351383dfe8f88a0959a9d5e8c43c7
  • 43124f6d418b086f3107a8cb708c3d2b
  • 45045fa9d428f29e8a3a988048e3aff1
  • 46506fa669ec116da3d967c36eab7ba7
  • 486aa8849c173450911f886116f4b5d6
  • 4d8e2fdb16877f693d8e90410f90a164
  • 50ded657ff5a1c80d736fe3b80beb87f
  • 54c166c313c684eaa54c0c861cc34987
  • 59c2c1c6451417f054efaee32416c652
  • 6269e8ae9d86c648c15e41c7d89509ab
  • 66cb23c223ec4d78d683292d1b928fbf
  • 8f848b67af0d6ad3dd3419c9d11c28c1
  • 91e1793bd5f3f274ddb22b47662cb860
  • 9e98ecf93ca86751dbdb7049f6d24e9b
  • 9f7c280b20d021f0a0984d1ad0aeba41
  • b15196f34a69e6579532c69fefad7ac6
  • ce456b20f6cb4d5d74f00d976e2e7a91
  • d363ecffbe6a0a62546051fc383399f4
  • d661d2dd1c28efd4b4f7c9c70f763354
  • dbc67d46cb7b6aa7406c979b248421c4
  • de8986682ab25d98448e688506250b94
  • e169c4d3430c8342d809055dc5f3373e
  • e998fa518523ccc092c4167718b069cb
  • eee655c5522267d63314a0b20162d619
  • f3d2c6084f09433a87f248726de288e0
  • fc105956b5b2d33411b2c0e362abb6b3
  • fcc61b3a0277c47748a185dccccad5d8

File hash (SHA-1)
  • 0c23f62ba98ebfa2c062c485e5704f193909e421

File hash (SHA-256)
  • a1481b251328b50d268b815debd614f539039e6e7012c90b66daee717712d524

IP address
  • 185[.]165.116.47

Tip: 35 IOCs related to this threat have been found (1 IP address, 1 domain, 0 URLs, 0 email addresses, 33 file hashes).
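As an added example (not part of the Certfa Radar entry or any Rana tooling), the following Python refangs the indicators listed above, classifies each one by type from its shape (32/40/64 hex characters for MD5/SHA-1/SHA-256, dotted quad for IPv4, otherwise domain) and then checks free-text log lines against the resulting sets. Only a subset of the 33 hashes is embedded; the sample proxy, DNS and EDR lines, the internal address 10.0.0.15, the hostnames cdn.saveingone.com and www.example.com and the file paths are constructed for the demonstration and are not indicators from the page.

```python
"""Normalize the APT39 IOCs above and check sample telemetry against them."""
from __future__ import annotations

import re
from dataclasses import dataclass

# A subset of the indicators from the Certfa Radar entry, copied verbatim
# (domain and IP defanged with "[.]" as on the page).
RAW_IOCS = """
• saveingone[.]com
• 0d6d385354584264e2b37ff3a199ea04
• 2f01092e9cd49448b0de7da48e545682
• 0c23f62ba98ebfa2c062c485e5704f193909e421
• a1481b251328b50d268b815debd614f539039e6e7012c90b66daee717712d524
• 185[.]165.116.47
"""

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def refang(value: str) -> str:
    """Undo the defanging used in threat feeds ("[.]", "(.)", "hxxp")."""
    return (value.strip().replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp", "http"))


def classify(value: str) -> str:
    """Return md5 / sha1 / sha256 / ipv4 / domain, or 'unknown'."""
    v = refang(value).lower()
    if HEX_RE.match(v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)]
    m = IPV4_RE.match(v)
    if m and all(int(octet) <= 255 for octet in m.groups()):
        return "ipv4"
    if DOMAIN_RE.match(v):
        return "domain"
    return "unknown"


def load_iocs(text: str) -> dict[str, set[str]]:
    """Parse one indicator per line (bullets allowed) into sets keyed by type."""
    groups: dict[str, set[str]] = {}
    for line in text.splitlines():
        item = line.strip().lstrip("•").strip()
        if item:
            groups.setdefault(classify(item), set()).add(refang(item).lower())
    return groups


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    value: str
    line: str


# Loose extractors for free-text log lines; extracted values are looked up in
# the normalized IOC sets, so the regexes can afford to be broad.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b")


def scan_lines(lines: list[str], iocs: dict[str, set[str]]) -> list[Hit]:
    """Return one Hit per (line, indicator) match, in line order."""
    hits: list[Hit] = []
    for n, raw in enumerate(lines, 1):
        line = raw.lower()
        for host in HOST_RE.findall(line):
            # Walk up the parent domains so a subdomain of an IOC domain fires too.
            labels = host.split(".")
            for i in range(len(labels) - 1):
                candidate = ".".join(labels[i:])
                if candidate in iocs.get("domain", set()):
                    hits.append(Hit(n, "domain", candidate, raw))
                    break
        for ip in IP_RE.findall(line):
            if ip in iocs.get("ipv4", set()):
                hits.append(Hit(n, "ipv4", ip, raw))
        for digest in HASH_RE.findall(line):
            kind = HASH_TYPES[len(digest)]
            if digest in iocs.get(kind, set()):
                hits.append(Hit(n, kind, digest, raw))
    return hits


# Constructed sample telemetry (not from the page): hostnames, the internal IP
# and the file paths are invented; the hash and external IP are page IOCs.
SAMPLE_LOG = [
    "2020-09-17T10:02:11Z proxy GET http://www.example.com/index.html 200",
    "2020-09-17T10:03:45Z dns A cdn.saveingone.com from 10.0.0.15",
    "2020-09-17T10:04:02Z proxy CONNECT 185.165.116.47:443 from 10.0.0.15",
    "2020-09-17T10:05:30Z edr file C:\\Users\\u\\AppData\\Roaming\\svc.exe "
    "md5=0D6D385354584264E2B37FF3A199EA04",
    "2020-09-17T10:06:00Z edr file C:\\Windows\\System32\\notepad.exe "
    "md5=ffffffffffffffffffffffffffffffff",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG, load_iocs(RAW_IOCS)):
        print(f"line {hit.line_no}: {hit.ioc_type} {hit.value}")
```

Running the script reports the DNS lookup of a saveingone[.]com subdomain, the CONNECT to 185[.]165.116.47 and the upper-cased MD5 on the EDR line, and nothing for the benign lines. Hash indicators only catch the exact samples Certfa lists and any recompiled build evades them, so treat these matches as triage leads and pair them with behavioural detections for the persistence mechanisms the overview names (scheduled tasks and BITS jobs).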