
APT42 Targets US Presidential Campaigns and Israel in Phishing Campaign

Written by The Hivemind | Aug 23, 2024 5:05:04 PM

Related Families: NewsTerminal, OfficeFuel, FuelDump, Gorble
Verticals Targeted: Government, Military, Education, Aerospace

Executive Summary

Iran nexus threat actor group APT42 was recently observed targeting entities in the US and Israel in a phishing campaign. Targets included entities in the government, military, education, and aerospace verticals, as well as individuals associated with the 2024 US Presidential candidates.

Key Takeaways

  • Iran nexus threat actor group APT42 was recently observed targeting entities in the US and Israel in a phishing campaign.
  • Targets included entities in the government, military, education, and aerospace verticals, as well as individuals associated with the 2024 US Presidential candidates. 
  • APT42, also known as CALANQUE and UNC788, has been linked to Iran’s Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). 

The Campaign

Iran nexus threat actor group APT42 was recently observed targeting entities in the US and Israel in a phishing campaign. Google’s Threat Analysis Group (TAG) recently reported on this activity. 

APT42 has been targeting high-profile individuals in the US and Israel. Targeted entities include government officials, political campaigns, diplomats, think tanks, and NGOs. The group has also targeted academic institutions associated with foreign policy and individuals formerly affiliated with the Israeli military. Since April 2024, APT42 has stepped up its targeting of entities in Israel, focusing on individuals associated with the government, military, aerospace, and academia.

APT42 was observed attempting to interfere with the 2020 elections and has reportedly attempted to target accounts associated with both major candidates in the 2024 US Presidential election as well. In May and June 2024, individuals in both the Trump and Biden campaigns were targeted by APT42’s phishing, in an attempt to harvest login credentials. More recently, the group has continued to target individuals affiliated with the Trump and Harris campaigns. 

In the campaign, APT42 has used a variety of tactics, including malware, phishing pages, and malicious redirects. The group often abuses Google services, including Sites, Drive, and Gmail, as well as Dropbox and OneDrive. Google TAG noted the threat actors created multiple Google Sites pages masquerading as a petition from the Jewish Agency for Israel in favor of a cease-fire. The threat actors have also used social engineering, masquerading as a journalist to engage with potential targets via email. In June 2024, the threat actors used a PDF attachment with the subject “Project Aladdin” as a lure. The PDF contained a shortened URL that redirected victims to a phishing page, in an attempt to steal Google login credentials.
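As an added example (this is not PolySwarm's code and nothing here is recovered from the actual APT42 lure), the following Python script does the triage step an analyst would apply to a "Project Aladdin" style attachment: it pulls every link target out of a PDF, including links buried in FlateDecode streams, and flags targets that route through a URL shortener rather than pointing straight at a site. The sample PDF bytes and the shortener host list are constructed for illustration and are assumptions, not data from the original post.

```python
"""Triage helper: extract link targets from a PDF lure and flag URL shorteners.

Added example, not PolySwarm's tooling. The PDF below is constructed inline
so the script runs offline; SHORTENER_HOSTS is an illustrative assumption.
"""
import re
import zlib
from urllib.parse import urlparse

# Illustrative shortener list (assumption); extend from your own intel feeds.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd", "cutt.ly"}

# A clickable link in a PDF resolves to a /URI action. This matches the
# literal-string form "/URI (...)" and tolerates backslash-escaped parens.
URI_RE = re.compile(rb"/URI\s*\((?P<uri>(?:\\\)|[^)])*)\)")


def _unescape_pdf_string(raw: bytes) -> str:
    # Simplified PDF string unescaping: enough for \( \) and \\ in link targets.
    raw = raw.replace(b"\\)", b")").replace(b"\\(", b"(").replace(b"\\\\", b"\\")
    return raw.decode("latin-1")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target in the file, in order, deduplicated."""
    found = [_unescape_pdf_string(m.group("uri")) for m in URI_RE.finditer(pdf_bytes)]
    # Link annotations are often inside compressed object streams; inflate
    # each stream and rescan it. Non-Flate streams simply fail to inflate.
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf_bytes, re.S):
        try:
            data = zlib.decompress(m.group(1))
        except zlib.error:
            continue
        found += [_unescape_pdf_string(x.group("uri")) for x in URI_RE.finditer(data)]
    return list(dict.fromkeys(found))


def classify(uri: str) -> str:
    """Label a link target: 'shortener', 'direct' (has a host), or 'non-http'."""
    host = (urlparse(uri).hostname or "").lower()
    if not host:
        return "non-http"
    if host in SHORTENER_HOSTS:
        return "shortener"
    return "direct"


def triage(pdf_bytes: bytes) -> dict[str, str]:
    """Map each extracted link target to its classification."""
    return {uri: classify(uri) for uri in extract_uris(pdf_bytes)}


def build_sample_pdf() -> bytes:
    """Constructed minimal PDF-like byte string (not a real sample).

    One plaintext link annotation, one mailto link, and one link hidden in a
    FlateDecode stream, so both scan paths in extract_uris are exercised.
    """
    plain = (b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://bit.ly/3xmpl) >> >>\n"
             b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (mailto:press@example.org) >> >>")
    inner = b"<< /A << /S /URI /URI (https://accounts.google.com/signin) >> >>"
    packed = zlib.compress(inner)
    return (b"%PDF-1.4\n1 0 obj\n" + plain + b"\nendobj\n"
            b"2 0 obj\n<< /Filter /FlateDecode /Length " + str(len(packed)).encode()
            + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for uri, label in triage(build_sample_pdf()).items():
        print(f"{label:10s} {uri}")
```

Run on a real attachment with `triage(open("lure.pdf", "rb").read())`. Anything labelled `shortener` should be resolved in a sandbox, never from an analyst workstation, since the redirect chain is exactly where the credential phishing page sits.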

APT42 is known to use GCollection/LCollection/YCollection to harvest Google, Hotmail, and Yahoo credentials. The group first used this phishing toolkit in January 2023. They have also used DWP, a browser-in-the-browser phishing toolkit. Other tools recently used by APT42 include NewsTerminal, OfficeFuel, FuelDump, and Gorble.

Who is APT42?

Iran nexus threat actor group APT42, also known as CALANQUE and UNC788, has been linked to Iran’s Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). APT42 has been active since at least 2015 and is known to engage in spearphishing and surveillance operations, as well as credential harvesting. Their activities are in alignment with Iran’s intelligence collection requirements. 

Verticals targeted by APT42 in the past included nonprofits, education, government, healthcare, pharmaceuticals, legal and professional services, and media and entertainment. Most of the group’s targets are located in the US, Australia, Europe, and the Middle East. APT42’s custom backdoors include NiceCurl and TameCat. Some of APT42’s activities overlap with another Iran nexus threat actor, Charming Kitten. 

IOCs

PolySwarm has multiple samples associated with APT42 activity. 

82ae2eb470a5a16ca39ec84b387294eaa3ae82e5ada4b252470c1281e1f31c0a

89c1d1b61d7f863f8a651726e29f2ae3de7958f36b49a756069021817947d06c

You can use the following CLI command to search for all APT42 samples in our portal:

$ polyswarm link list -t APT42

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.