ATK35

ATK35 (aka: APT33 by Fireye) is an Iranian cyberespionage group operating since approximately 2013.

It is known to exploit fraudulent social media profiles to target individuals and organizations of interest through collecting credentials and infecting malware via an IRC-based variant of malware.

 

The breadth of the elaborate characters and fraudulent organizations created by ATK35 reveals that this adversary engages in a level of preparation and patience rarely seen with targeted intrusion efforts. This actor will also target third party service providers in order to compromise the organizations of interest.

 

ATK35 usually tries to access private emails and Facebook accounts, and sometimes establishes a foothold on victims' computers as a secondary focus.

 

The group's TTPs largely overlap with another group, ATK26 (aka Rocket Kitten), resulting in relationships that may not distinguish between the activities of the two groups.

 

References :

http://attack.mitre.org/wiki/Group/G0058

http://attack.mitre.org/wiki/Group/G0064

http://docs.google.com/spreadsheets/u/0/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml#

http://go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf

http://iranthreats.github.io/resources/macdownloader-macos-malware/

http://malpedia.caad.fkie.fraunhofer.de/actor/apt33

http://malpedia.caad.fkie.fraunhofer.de/actor/charming_kitten

http://malpedia.caad.fkie.fraunhofer.de/actor/magnallium

http://pastebin.com/SdYaPUwr

http://securelist.com/freezer-paper-around-free-meat/74503/

http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf

http://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

http://www.reuters.com/article/iran-hackers/iranian-hackers-use-fake-facebook-accounts-to-spy-on-u-s-others-idUSL1N0OE2CU20140529

https://www.clearskysec.com/wp-content/uploads/2019/09/The-Kittens-Are-Back-in-Town-Charming-Kitten-2019.pdf