APT35, also known as Charming Kitten and Phosphorus, is an Iranian state-sponsored cyber-espionage adversary that has been active since at least 2014.
APT35 is known for long-term, resource-intensive operations to collect strategic intelligence, and its motivations are believed to be closely tied to advancing Iran’s strategic interests and gathering intelligence on geopolitical rivals. The group has been linked to numerous cyber-espionage campaigns involving intellectual property theft, government network compromises, and reconnaissance for potential future attacks.
The adversary’s primary focus is on government entities, academic institutions, and private organizations, particularly those based in the United States and the Middle East. Its targets have included North American, Western European, and Middle Eastern military, diplomatic, and government personnel, as well as organizations in the media, energy, defense industrial base, engineering, business services, and telecommunications sectors.
While spearphishing remains one of the most common methods of initial access for this adversary, APT35 has expanded its tactics to include the use of compromised accounts with harvested credentials, strategic web compromises, and password spray attacks against externally facing web applications.
AttackIQ has released a new attack graph that emulates activities observed from the politically and militarily motivated, state-sponsored Iranian adversary APT35, which is known to target multiple industries primarily in Europe, the Middle East, and North America.
Validating your security program performance against these behaviors is vital to reducing risk. By using this new attack graph in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate the performance of security controls against a highly sophisticated, long-standing adversary.
- Assess your security posture with respect to the Tactics, Techniques, and Procedures (TTPs) that APT35 has successfully employed.
- Continuously validate detection and prevention channels against a highly sophisticated and espionage-motivated threat.
APT35 – 2021-12 – Microsoft Exchange ProxyShell Exploitation Ends in Reconnaissance Campaign
In December 2021, researchers observed APT35 exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code by deploying multiple web shells. During this activity, APT35 exploited three vulnerabilities, CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, which chain a pre-authentication path confusion, a privilege elevation in the Exchange PowerShell backend, and a post-authentication arbitrary file write into unauthenticated remote code execution.
This activity, which occurred in two bursts within a three-day window, began with the deployment of malicious web shells and the disabling of security services. The adversary then established two persistence mechanisms: scheduled tasks, and local accounts that were added to the “Remote Desktop Users” and “Administrators” groups.
Once alternate paths for re-entry to the targeted host were established, the adversary used native Windows utilities such as net and ipconfig to enumerate the environment. It then disabled Local Security Authority (LSA) protection, enabled WDigest authentication so that plaintext credentials would be cached on subsequent logons, dumped the Local Security Authority Subsystem Service (LSASS) process memory, and retrieved the dump through the web shell.
This attack graph begins immediately after the successful deployment of the web shell APT35 used for command execution. At this stage, the adversary downloads and executes two files. The first, wininet.xml, is used to create a scheduled task that ensures the persistence of the second, wininet.bat, a batch file that repeatedly executes an additional file used later in the infection chain.
Ingress Tool Transfer (T1105): This technique is exercised in two separate scenarios, one that downloads the files to memory and one that saves them to disk, to test whether network and endpoint controls can prevent the delivery of known malicious content.
This stage of the attack begins with establishing persistence through a scheduled task. APT35 then modifies Windows Defender preferences to disable its analysis and detection capabilities.
Scheduled Task/Job: Scheduled Task (T1053.005): This scenario creates a new scheduled task using the schtasks utility.
Impair Defenses: Disable or Modify Tools (T1562.001): This scenario uses PowerShell to set the DisableBehaviorMonitoring and SevereThreatDefaultAction registry values, which turn off Microsoft Defender’s behavior monitoring and change its default response to severe threats, and uses the Add-MpPreference cmdlet to add the C:\Windows path to Microsoft Defender’s exclusion list. Where Microsoft Defender tamper protection is enabled, these changes are blocked, which is one of the controls this scenario tests.
Modify Registry (T1112): This scenario modifies three values under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender registry key to prevent Windows Defender from acting automatically against malicious files.
At this stage, APT35 deploys dllhost.exe, a Go binary that uses Windows Management Instrumentation (WMI) to discover the system’s domain. Next, the adversary deploys user.exe, a tool that modifies the built-in DefaultAccount user, which is then added to the “Administrators” and “Remote Desktop Users” groups to establish a second persistence mechanism on the compromised system.
System Information Discovery (T1082): This scenario uses the Windows Management Instrumentation Command-line (WMIC) utility to collect the domain name of the target system by executing wmic computersystem get domain.
Account Manipulation (T1098): The actors enable an existing account to maintain persistence. This scenario adds the local DefaultAccount account to the Administrators and Remote Desktop Users groups.
The next stage of the attack focuses on discovery of the local environment, with the adversary collecting relevant system information: hostname, network configuration, system owner and users, local accounts, and domain controller details.
System Information Discovery (T1082): The native hostname command is used to get the compromised host’s computer name.
System Network Configuration Discovery (T1016): The network configuration of the asset is collected using standard Windows utilities: ipconfig, arp, route, net use, and netstat.
System Owner/User Discovery (T1033): This scenario executes the native query user and whoami commands to retrieve details of the running user account.
Account Discovery: Local Account (T1087.001): The native net user command is executed to get a list of local accounts.
Command and Scripting Interpreter: PowerShell (T1059.001): This scenario executes the PowerShell cmdlet Get-WMIObject Win32_NTDomain to retrieve Domain Controller information.
In the final stage of the attack, APT35 modifies the Windows Firewall to allow inbound RDP traffic. Next, it disables Local Security Authority (LSA) protection and enables WDigest authentication, which causes plaintext credentials to be cached in LSASS on subsequent logons. Finally, APT35 dumps the Local Security Authority Subsystem Service (LSASS) process memory, which is then exfiltrated via HTTP POST requests.
Impair Defenses: Disable or Modify System Firewall (T1562.004): Remote Desktop is not necessarily allowed through the local system firewall by default. The threat actors can create new firewall rules to open ports for local and remote access using the netsh advfirewall utility. This scenario opens local port 3389 for inbound access.
Impair Defenses (T1562): This set of scenarios disables LSA Protection and enables WDigest authentication by modifying the RunAsPPL value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and the UseLogonCredential value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest. Note that a change to RunAsPPL only takes effect after a reboot, and it cannot be cleared through the registry at all when LSA protection has been UEFI-locked, so the registry write alone does not unprotect LSASS on the running system.
OS Credential Dumping: LSASS Memory (T1003.001): This scenario uses rundll32.exe to call the MiniDump export of comsvcs.dll, which writes the LSASS process memory to disk. The dump contains a variety of credential material and can be passed to other tools to extract credentials.
Exfiltration Over C2 Channel (T1041): Files are sent to an AttackIQ-controlled server using HTTP POST requests.
Detection and Mitigation Opportunities
With so many different techniques being used by threat actors, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. OS Credential Dumping: LSASS Memory (T1003.001)
APT35, as well as other adversaries, may attempt to extract user and credential information from the Local Security Authority Subsystem Service (LSASS) process, or from the Security Account Manager (SAM) database.
1a. Detection
Search for executions of procdump that attempt to access the LSASS process.
Process Name == (procdump)
Command Line CONTAINS ('lsass')
Search for rundll32 invoking the MiniDump export of comsvcs.dll, the technique this attack graph uses. The dump target is normally given as the LSASS process ID, so the command line may not contain the string 'lsass' at all.
Process Name == (rundll32.exe)
Command Line CONTAINS ('comsvcs') AND Command Line CONTAINS ('MiniDump')
Search for executions of reg.exe attempting to save the SAM registry hive. Match on the hive name rather than on a fixed output path, which the adversary controls.
Process Name == (reg.exe)
Command Line CONTAINS ('save') AND Command Line CONTAINS ('hklm\sam')
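As an added example, not AttackIQ’s code and not drawn from the original post, the following Python implements the queries above together with command-line detections for the other behaviours this attack graph exercises: the RunAsPPL and UseLogonCredential registry writes, Defender tampering, the netsh rule for port 3389, local-group additions, scheduled task creation, and a command interpreter spawned by the IIS worker process, which is how an Exchange web shell executes commands. The sample events (host name, process IDs, paths, command lines) are constructed, and the mapping of fields to a Sysmon Event ID 1 or Security 4688 record is an assumption.

```python
"""Process-creation detections for the APT35 attack-graph behaviours.

Added example: rules are predicates over the lower-cased image name, command
line and parent image of a process-creation record (Sysmon Event ID 1 or
Security 4688 are assumed as the source). The sample events are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str     # process image file name, e.g. "rundll32.exe"
    cmdline: str
    parent: str    # direct parent image file name


def _dword(value):
    """Matcher for a reg.exe '/d N' or PowerShell '-Value N' argument equal to N."""
    return re.compile(r"(/d\s+%d|-value\s+%d)\b" % (value, value)).search


# (rule name, ATT&CK technique, predicate(image, cmdline, parent)); inputs are lower-cased.
RULES = [
    ("procdump targeting LSASS", "T1003.001",
     lambda img, cmd, par: img.startswith("procdump") and "lsass" in cmd),
    ("rundll32 calling comsvcs.dll MiniDump", "T1003.001",
     lambda img, cmd, par: img == "rundll32.exe" and "comsvcs" in cmd and "minidump" in cmd),
    ("reg.exe saving the SAM hive", "T1003.002",
     lambda img, cmd, par: img == "reg.exe" and " save " in cmd
     and (r"hklm\sam" in cmd or r"hkey_local_machine\sam" in cmd)),
    ("LSA protection disabled (RunAsPPL=0)", "T1562",
     lambda img, cmd, par: "runasppl" in cmd and _dword(0)(cmd)),
    ("WDigest plaintext credential caching enabled", "T1562",
     lambda img, cmd, par: "uselogoncredential" in cmd and _dword(1)(cmd)),
    ("Defender behaviour monitoring disabled", "T1562.001",
     lambda img, cmd, par: "disablebehaviormonitoring" in cmd
     and ("$true" in cmd or _dword(1)(cmd))),
    ("Defender exclusion path added", "T1562.001",
     lambda img, cmd, par: "add-mppreference" in cmd and "-exclusionpath" in cmd),
    ("Windows Defender policy key modified", "T1112",
     lambda img, cmd, par: img == "reg.exe" and " add " in cmd
     and r"policies\microsoft\windows defender" in cmd),
    ("inbound rule for TCP/3389 added via netsh", "T1562.004",
     lambda img, cmd, par: img == "netsh.exe" and "advfirewall" in cmd and " add rule" in cmd
     and "3389" in cmd and "action=allow" in cmd),
    ("account added to privileged local group", "T1098",
     lambda img, cmd, par: img in ("net.exe", "net1.exe") and re.search(
         r'localgroup\s+"?(administrators|remote desktop users)"?\s+\S+\s+/add', cmd)),
    ("scheduled task created", "T1053.005",
     lambda img, cmd, par: img == "schtasks.exe" and "/create" in cmd),
    ("command interpreter spawned by IIS worker process", "T1505.003",
     lambda img, cmd, par: par == "w3wp.exe" and img in ("cmd.exe", "powershell.exe")),
]


def detect(events):
    """Return one finding dict per (event, matched rule)."""
    findings = []
    for ev in events:
        img, cmd, par = ev.image.lower(), ev.cmdline.lower(), ev.parent.lower()
        for name, technique, pred in RULES:
            if pred(img, cmd, par):
                findings.append({"host": ev.host, "technique": technique,
                                 "rule": name, "cmdline": ev.cmdline})
    return findings


# Constructed sample telemetry in attack-graph order, plus three benign
# look-alikes (parent explorer.exe) that must not fire.
SAMPLE_EVENTS = [
    ProcEvent("EXCH01", "cmd.exe", r'cmd.exe /c "schtasks /create /xml C:\Windows\Temp\wininet.xml /tn wininet"', "w3wp.exe"),
    ProcEvent("EXCH01", "schtasks.exe", r"schtasks /create /xml C:\Windows\Temp\wininet.xml /tn wininet", "cmd.exe"),
    ProcEvent("EXCH01", "powershell.exe", r'powershell -c "Set-MpPreference -DisableBehaviorMonitoring $true; Add-MpPreference -ExclusionPath C:\Windows"', "cmd.exe"),
    ProcEvent("EXCH01", "reg.exe", r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f', "cmd.exe"),
    ProcEvent("EXCH01", "net.exe", "net localgroup Administrators DefaultAccount /add", "cmd.exe"),
    ProcEvent("EXCH01", "net.exe", 'net localgroup "Remote Desktop Users" DefaultAccount /add', "cmd.exe"),
    ProcEvent("EXCH01", "netsh.exe", 'netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389', "cmd.exe"),
    ProcEvent("EXCH01", "reg.exe", r"reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 0 /f", "cmd.exe"),
    ProcEvent("EXCH01", "reg.exe", r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f", "cmd.exe"),
    ProcEvent("EXCH01", "rundll32.exe", r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\lsass.dmp full", "cmd.exe"),
    ProcEvent("EXCH01", "schtasks.exe", "schtasks /query /tn wininet", "explorer.exe"),
    ProcEvent("EXCH01", "netsh.exe", "netsh advfirewall show allprofiles", "explorer.exe"),
    ProcEvent("EXCH01", "reg.exe", r"reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL", "explorer.exe"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']} {f['technique']:<10} {f['rule']}: {f['cmdline']}")
```

The comsvcs.dll rule deliberately does not require the string 'lsass', because the target is passed as a PID; and the RunAsPPL rule keys on the value written rather than the path, since a `reg query` of the same value is routine and must not fire.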
1b. Mitigation
MITRE ATT&CK recommends the following mitigation recommendations:
- M1028 – Operating System Configuration
- M1027 – Password Policies
- M1026 – Privileged Account Management
- M1017 – User Training
- M1040 – Behavior Prevention on Endpoint
- M1043 – Credential Access Protection
- M1025 – Privileged Process Integrity
2. Exfiltration Over C2 Channel (T1041)
This attack results in the immediate exfiltration of sensitive data from the infected host. IDS/IPS and DLP solutions are well suited for detecting and preventing sensitive files from being sent to a suspicious external host.
2a. Detection
The data is exfiltrated without throttling, additional encoding, or encryption. All data is sent via HTTP POST requests in plaintext and should therefore be easier to detect using Data Loss Prevention controls.
Additionally, since these requests are not throttled, network traffic can be monitored for anomalous flow patterns that single out individual systems, typically client assets, sending unusually large amounts of data.
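Added example, not part of the original post: a small Python detector over constructed proxy log lines that implements the volume-anomaly idea above. It totals POST bytes per client, scores each client against the fleet median using a MAD-based robust z-score (so one loud host does not inflate the baseline it is compared against), and for flagged clients reports the top destination and the largest number of POSTs inside a 60-second window, which captures the unthrottled burst. The log format, addresses, byte counts and the threshold k=5 are all assumptions.

```python
"""Flag hosts whose outbound HTTP POST volume and cadence stand out from the fleet.

Added example over constructed proxy log lines (timestamp, client, method,
destination, request bytes); none of it is real traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed: normal clients post a few hundred KB to internal apps; 10.0.1.57
# pushes roughly 43 MB in four back-to-back POSTs to an external address.
LOG_LINES = """\
2021-12-14T10:01:02Z 10.0.1.10 POST mail.example.com 184320
2021-12-14T10:01:09Z 10.0.1.11 POST mail.example.com 92160
2021-12-14T10:02:17Z 10.0.1.12 POST crm.example.com 245760
2021-12-14T10:03:44Z 10.0.1.13 POST mail.example.com 153600
2021-12-14T10:04:01Z 10.0.1.14 GET cdn.example.net 512
2021-12-14T10:04:30Z 10.0.1.14 POST crm.example.com 307200
2021-12-14T10:05:12Z 10.0.1.15 POST mail.example.com 122880
2021-12-14T10:06:55Z 10.0.1.16 POST crm.example.com 204800
2021-12-14T10:07:03Z 10.0.1.17 POST mail.example.com 276480
2021-12-14T10:08:20Z 10.0.1.18 POST mail.example.com 163840
2021-12-14T10:09:41Z 10.0.1.19 POST crm.example.com 225280
2021-12-14T10:10:05Z 10.0.1.57 POST 203.0.113.25 12582912
2021-12-14T10:10:06Z 10.0.1.57 POST 203.0.113.25 12582912
2021-12-14T10:10:07Z 10.0.1.57 POST 203.0.113.25 12582912
2021-12-14T10:10:08Z 10.0.1.57 POST 203.0.113.25 7340032
"""


def parse(text):
    """Yield (timestamp, client, method, destination, bytes) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, dest, size = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, dest, int(size)


def post_volume(records):
    """Total POST bytes per client, bytes per (client, destination), and POST timestamps."""
    totals, per_dest, times = defaultdict(int), defaultdict(int), defaultdict(list)
    for ts, client, method, dest, size in records:
        if method != "POST":
            continue
        totals[client] += size
        per_dest[(client, dest)] += size
        times[(client, dest)].append(ts)
    return totals, per_dest, times


def robust_scores(totals):
    """Robust z-score per client: |x - median| / (1.4826 * MAD).

    The scale is floored at 1 byte so a fleet of identical totals cannot divide by zero.
    """
    values = list(totals.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    scale = max(1.4826 * mad, 1.0)
    return {client: abs(v - med) / scale for client, v in totals.items()}


def max_burst(timestamps, window_s):
    """Largest number of requests that fall inside any window_s-second span."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def exfil_suspects(text, k=5.0, window_s=60):
    """Clients whose POST volume lies more than k robust deviations above the fleet median."""
    totals, per_dest, times = post_volume(parse(text))
    suspects = {}
    for client, score in robust_scores(totals).items():
        if score <= k:
            continue
        dest = max((d for (c, d) in per_dest if c == client), key=lambda d: per_dest[(client, d)])
        suspects[client] = {"bytes": totals[client], "score": round(score, 1),
                            "destination": dest, "burst": max_burst(times[(client, dest)], window_s)}
    return suspects


if __name__ == "__main__":
    for client, info in exfil_suspects(LOG_LINES).items():
        print(client, info)
```

Median and MAD are used instead of mean and standard deviation because a single exfiltrating host contributes so many bytes that it would otherwise widen its own baseline enough to hide in it; with the constructed data above, the outlier scores several hundred deviations while every normal client scores below 2.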
2b. Mitigation
MITRE ATT&CK has the following mitigation recommendations:
Wrap-up
In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against a highly prolific and sophisticated adversary. With data generated from continuous testing and use of these attack graphs, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.