APT39

aka: APT 39, Chafer, REMIX KITTEN, COBALT HICKMAN

The APT39 designation was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as "Chafer." However, there are differences in what has been publicly reported, due to variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39's targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry, the IT firms that support it, and the high-tech industry.


Associated Families
php.antak, ps1.oilrig, win.remexi

References
2020-05-21 | Bitdefender | Liviu Arsene, Bogdan Rusu
@techreport{arsene:20200521:iranian:d9e1468,
  author = {Liviu Arsene and Bogdan Rusu},
  title = {{Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia}},
  date = {2020-05-21},
  institution = {Bitdefender},
  url = {https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf},
  language = {English},
  urldate = {2020-05-23}
}
Related: MimiKatz, Remexi

2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f,
  author = {CrowdStrike},
  title = {{2020 CrowdStrike Global Threat Report}},
  date = {2020-03-04},
  institution = {CrowdStrike},
  url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
  language = {English},
  urldate = {2020-03-04}
}
Related: MESSAGETAP, More_eggs, 8.t Dropper, Anchor, BabyShark, BadNews, Clop, Cobalt Strike, CobInt, Cobra Carbon System, Cutwail, DanaBot, Dharma, DoppelPaymer, Dridex, Emotet, FlawedAmmyy, FriedEx, Gandcrab, Get2, IcedID, ISFB, KerrDown, LightNeuron, LockerGoga, Maze, Necurs, Nokki, Outlook Backdoor, Phobos Ransomware, Predator The Thief, QakBot, REvil, RobinHood, Ryuk, SDBbot, Skipper, SmokeLoader, TerraRecon, TerraStealer, TerraTV, TinyLoader, TrickBot, vidar, Winnti, ANTHROPOID SPIDER, Anunak, APT39, BlackTech, BuhTrap, Charming Kitten, CLOCKWORD SPIDER, DOPPEL SPIDER, Gamaredon Group, Judgment Panda, Leviathan, MONTY SPIDER, Mustang Panda, NARWHAL SPIDER, NOCTURNAL SPIDER, Pinchy Spider, Pirate Panda, Salty Spider, SCULLY SPIDER, SMOKY SPIDER, Thrip, VENOM SPIDER

2020 | Secureworks | SecureWorks
@online{secureworks:2020:cobalt:c242388,
  author = {SecureWorks},
  title = {{COBALT HICKMAN}},
  date = {2020},
  organization = {Secureworks},
  url = {https://www.secureworks.com/research/threat-profiles/cobalt-hickman},
  language = {English},
  urldate = {2020-05-23}
}
Related: MimiKatz, Remexi, APT39

2019-03-04 | Palo Alto Networks Unit 42 | Robert Falcone, Brittany Ash
@online{falcone:20190304:new:5bf1cea,
  author = {Robert Falcone and Brittany Ash},
  title = {{New Python-Based Payload MechaFlounder Used by Chafer}},
  date = {2019-03-04},
  organization = {Palo Alto Networks Unit 42},
  url = {https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/},
  language = {English},
  urldate = {2019-12-24}
}
Related: APT39

2019-02-14 | Twitter (@QW5kcmV3) | Andrew Thompson
@online{thompson:20190214:unpacking:1ff2299,
  author = {Andrew Thompson},
  title = {{Tweet on unpacking Remexi payload}},
  date = {2019-02-14},
  organization = {Twitter (@QW5kcmV3)},
  url = {https://twitter.com/QW5kcmV3/status/1095833216605401088},
  language = {English},
  urldate = {2020-01-27}
}
Related: Remexi

2019-01-30 | Kaspersky Labs | Denis Legezo
@online{legezo:20190130:chafer:bb3ce4d,
  author = {Denis Legezo},
  title = {{Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities}},
  date = {2019-01-30},
  organization = {Kaspersky Labs},
  url = {https://securelist.com/chafer-used-remexi-malware/89538/},
  language = {English},
  urldate = {2019-12-20}
}
Related: Remexi, APT39

2019-01-29 | FireEye | Sarah Hawley, Ben Read, Cristiana Brafman-Kittner, Nalani Fraser, Andrew Thompson, Yuri Rozhansky, Sanaz Yashar
@online{hawley:20190129:apt39:926a2a1,
  author = {Sarah Hawley and Ben Read and Cristiana Brafman-Kittner and Nalani Fraser and Andrew Thompson and Yuri Rozhansky and Sanaz Yashar},
  title = {{APT39: An Iranian Cyber Espionage Group Focused on Personal Information}},
  date = {2019-01-29},
  organization = {FireEye},
  url = {https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html},
  language = {English},
  urldate = {2019-12-20}
}
Related: APT39

2019 | MITRE | MITRE ATT&CK
@online{attck:2019:apt39:573abf3,
  author = {MITRE ATT&CK},
  title = {{Group description: APT39}},
  date = {2019},
  organization = {MITRE},
  url = {https://attack.mitre.org/groups/G0087/},
  language = {English},
  urldate = {2019-12-20}
}
Related: APT39

2018-12-17 | Twitter (@MJDutch) | Justin
@online{justin:20181217:apt39:6e13cad,
  author = {Justin},
  title = {{Tweet on APT39}},
  date = {2018-12-17},
  organization = {Twitter (@MJDutch)},
  url = {https://twitter.com/MJDutch/status/1074820959784321026?s=19},
  language = {English},
  urldate = {2020-01-08}
}
Related: OilRig

2018-10-01 | FireEye | Regina Elwell, Katie Nickels
@techreport{elwell:20181001:attcking:3c6d888,
  author = {Regina Elwell and Katie Nickels},
  title = {{ATT&CKing FIN7}},
  date = {2018-10-01},
  institution = {FireEye},
  url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf},
  language = {English},
  urldate = {2020-04-15}
}
Related: Bateleur, BELLHOP, Griffon, ANTAK, POWERPIPE, POWERSOURCE, HALFBAKED, BABYMETAL, Carbanak, Cobalt Strike, DNSMessenger, DRIFTPIN, SocksBot

2018-03-25 | Vitali Kremez Blog | Vitali Kremez
@online{kremez:20180325:lets:070366d,
  author = {Vitali Kremez},
  title = {{Let's Learn: Internals of Iranian-Based Threat Group "Chafer" Malware: Autoit and PowerShell Persistence}},
  date = {2018-03-25},
  organization = {Vitali Kremez Blog},
  url = {https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html},
  language = {English},
  urldate = {2019-10-13}
}
Related: OilRig

2018-02-28 | Symantec | Security Response Attack Investigation Team
@online{team:20180228:chafer:552bafb,
  author = {Security Response Attack Investigation Team},
  title = {{Chafer: Latest Attacks Reveal Heightened Ambitions}},
  date = {2018-02-28},
  organization = {Symantec},
  url = {https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions},
  language = {English},
  urldate = {2020-01-09}
}
Related: Remexi, APT39

2018-02-28 | Symantec | Critical Attack Discovery and Intelligence Team
@online{team:20180228:chafer:5b5b77b,
  author = {Critical Attack Discovery and Intelligence Team},
  title = {{Chafer: Latest Attacks Reveal Heightened Ambitions}},
  date = {2018-02-28},
  organization = {Symantec},
  url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions},
  language = {English},
  urldate = {2020-04-21}
}
Related: MimiKatz, Remexi

2015-12-07 | Symantec | Symantec Security Response
@online{response:20151207:iranbased:24872ed,
  author = {Symantec Security Response},
  title = {{Iran-based attackers use back door threats to spy on Middle Eastern targets}},
  date = {2015-12-07},
  organization = {Symantec},
  url = {https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets},
  language = {English},
  urldate = {2020-01-09}
}
Related: APT39, Cadelle

2015-12-07 | Symantec | Security Response
@online{response:20151207:iranbased:5e7136f,
  author = {Security Response},
  title = {{Iran-based attackers use back door threats to spy on Middle Eastern targets}},
  date = {2015-12-07},
  organization = {Symantec},
  url = {https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets},
  language = {English},
  urldate = {2020-04-21}
}
Related: CadelSpy, Remexi, Cadelle

2015-12-07 | Symantec | Symantec
@techreport{symantec:20151207:backdoorcadelspy:6a40e51,
  author = {Symantec},
  title = {{Backdoor.Cadelspy and Backdoor.Remexi: indicators of compromise}},
  date = {2015-12-07},
  institution = {Symantec},
  url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf},
  language = {English},
  urldate = {2020-01-06}
}
Related: CadelSpy, Remexi

2015-08-19 | Github (samratashok) | Nikhil Mittal
@online{mittal:20150819:antak:6b613d2,
  author = {Nikhil Mittal},
  title = {{Antak WebShell}},
  date = {2015-08-19},
  organization = {Github (samratashok)},
  url = {https://github.com/samratashok/nishang/blob/master/Antak-WebShell/antak.aspx},
  language = {English},
  urldate = {2019-12-18}
}
Related: ANTAK

2014-06-04 | Lab of a Penetration Tester | Nikhil Mittal
@online{mittal:20140604:introducing:48a5fec,
  author = {Nikhil Mittal},
  title = {{Introducing Antak - A webshell which utilizes powershell}},
  date = {2014-06-04},
  organization = {Lab of a Penetration Tester},
  url = {http://www.labofapenetrationtester.com/2014/06/introducing-antak.html},
  language = {English},
  urldate = {2020-01-08}
}
Related: ANTAK

Credits: MISP Project