
ANTAK

Posted: May 2, 2019

ANTAK is a hacking tool that is part of the toolkit used by an Iranian cyber espionage criminal group that cybersecurity experts have named APT39. Apart from the ANTAK Web shell, APT39 uses multiple other backdoors, info stealers, keyloggers, and remote access Trojans that allow it to collect valuable information and files from compromised servers and computers. A large portion of APT39’s targets are companies in the telecommunications and travel sectors, but the group has also attacked government entities, so its range of targets appears to be rather broad.

ANTAK is a Web shell written in ASP.NET that allows attackers to send PowerShell commands to the remote computer. This means that before ANTAK can be used, the attackers must first exploit a vulnerability in the target’s defenses and successfully plant the Web shell on an Internet-connected system. Once that is done, the ANTAK Web shell can be accessed from any Web browser; the attackers password-protect the active copies of the ANTAK Web shell so that no one but them can access it.

Unfortunately, having the ANTAK Web shell on a server gives the attackers nearly endless possibilities. Since it lets them execute PowerShell commands on the remote computer, they can do just about anything: upload or download files, manage the file system, implant additional malware, browse directories and processes, manage software, and so on. A properly configured Web server would, of course, limit ANTAK’s capabilities severely, but the attackers would still have plenty of opportunities to cause mayhem.
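The mechanism described above (an ASP.NET page that takes browser-supplied input and hands it to PowerShell) suggests a defender-side check: hunt the web root for pages that combine a request accessor with a PowerShell hosting API. This is an added example, not ANTAK's own code and not a signature for it; the indicator strings and the two sample pages are assumptions constructed for the illustration.

```python
import os
import re
import tempfile

# Generic .NET hosting APIs a page needs to run PowerShell in-process; assumed
# indicators for this illustration, not an ANTAK-specific signature.
EXEC_INDICATORS = {
    "automation_ns": re.compile(r"System\.Management\.Automation"),
    "runspace": re.compile(r"RunspaceFactory\.CreateRunspace"),
    "ps_create": re.compile(r"\bPowerShell\.Create\s*\("),
    "add_script": re.compile(r"\.AddScript\s*\("),
}
# ASP.NET request accessors: browser-supplied input reaching the page.
INPUT_INDICATORS = {
    "form": re.compile(r"Request\.Form\s*\["),
    "indexer": re.compile(r"Request\s*\[\s*\""),
}
WEB_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".cs")

def scan_source(text):
    # Returns (candidate, exec_hits, input_hits) for one file's source text.
    exec_hits = sorted(k for k, rx in EXEC_INDICATORS.items() if rx.search(text))
    input_hits = sorted(k for k, rx in INPUT_INDICATORS.items() if rx.search(text))
    # Flag only when request input AND a PowerShell execution path are both
    # present; either one alone is common in benign applications.
    return bool(exec_hits and input_hits), exec_hits, input_hits

def scan_webroot(root):
    # Walks a web root; returns {relative path: (exec_hits, input_hits)} for candidates.
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                flagged, ex, inp = scan_source(fh.read())
            if flagged:
                findings[os.path.relpath(path, root)] = (ex, inp)
    return findings

# Constructed samples (not real ANTAK source): a minimal page that feeds a
# form field into a PowerShell pipeline, and a benign handler that only echoes.
SHELL_SAMPLE = ('<script runat="server">void Run(object s, EventArgs e) {'
                ' var rs = RunspaceFactory.CreateRunspace(); rs.Open();'
                ' rs.CreatePipeline().Commands.AddScript(Request.Form["c"]); }</script>')
BENIGN_SAMPLE = ('<script runat="server">void Go(object s, EventArgs e) {'
                 ' Response.Write(Request.Form["name"]); }</script>')

def demo():
    # Writes both samples into a temporary web root and returns the findings.
    with tempfile.TemporaryDirectory() as root:
        for rel, body in (("view.aspx", SHELL_SAMPLE), ("contact.aspx", BENIGN_SAMPLE)):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return scan_webroot(root)
```

Any hit is a triage lead, not a verdict: compare the flagged file against the deployed application's source control and its modification time against the IIS request logs for that path.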
