
APT35

Posted: October 8, 2019

APT35 is a threat actor that specializes in collecting and leaking information from entities in the Middle East and the United States. Besides the conventional strategies of misleading domains and attachments, APT35 also makes notable use of hands-on social engineering and employs operators with fake social media profiles to trick its targets. Users in vulnerable sectors can protect themselves by scanning downloads from strangers with security software and blocking domains related to APT35's campaigns.

Corporate Phishing with a Little Extra Psychology

Although state-sponsored groups like Iran's APT35 have long been noted for phishing and forged digital notifications, this actor puts additional effort into psychological manipulation. Along with the usual tricks for infecting victims' PCs and stealing their data, APT35 runs escalating phases of compromise against the people themselves, not just their hardware. Adding another layer of betrayal, APT35 pointedly targets employees' personal accounts rather than their corporate ones.

Although legal action by Microsoft and other entities in the spring of 2019 took down many of APT35's phishing domains (with URLs referencing Microsoft and similarly reputable organizations), the group remains operational. Its standard procedure singles out individual employees at target organizations in entertainment, the military, diplomatic missions and similar sectors, and contacts them through their personal and recreational social media accounts. Through an operator backed by a fully fledged social media profile and related content, the group gradually coaxes victims into providing more information, interacting with credential-harvesting sites, and opening malicious attachments.

Other parts of APT35's campaigns rely on more traditional techniques. The group acquires new targets by harvesting contact lists from previous victims and uses spyware that performs keylogging, screen capture, and other data collection. The spyware disguises itself as a native Windows component within the Registry, and malware analysts note no significant visible symptoms from this 'Collector.'

The Precautions that Work Equally Well for State-Sponsored or Small-Time Hackers

APT35, also known by aliases as colorful as Charming Kitten, Phosphorus, and Newscaster Team, attacks a wide range of organizations. Past campaigns include not just government-affiliated victims but also entertainment media, as one particularly noteworthy leak of a Game of Thrones script demonstrates. As noted above, the group regularly uses both traditional infection vectors and ones that require close, personal attention from operators faking their identities, complete with all the content needed for a convincing Web persona.

APT35's infrastructure includes domains that pose as parts of Outlook, Yahoo, Microsoft, and LinkedIn services, among others. Users can protect themselves by keeping live Web-browsing protection enabled to auto-block malicious domains and by checking Web addresses for the usual signs of a lure, such as a familiar brand name sitting on an unfamiliar registrable domain, or an unusual top-level domain on the address (such as '.bid'). They should also avoid enabling macros in documents or spreadsheets and install security updates for Word, Adobe's PDF Reader, and other pertinent software.
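The address checks described above can be automated against a list of URLs pulled from mail gateways or proxy logs. The script below is an added example and not code from the original page or from any vendor; the allowlist of official brand domains, the set of cheap top-level domains beyond '.bid', the similarity threshold, and all sample URLs are constructed assumptions for illustration. It flags three things: a brand name appearing in a hostname whose registrable domain is not one of the brand's official domains, a lookalike registrable domain (such as a typosquat) that resembles an official one, and an unusual TLD. The registrable-domain extraction is deliberately simplified (last two labels, no Public Suffix List).

```python
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Official registrable domains for the brands the page says APT35 impersonates.
# Constructed allowlist for this example; extend it from your own inventory.
OFFICIAL_DOMAINS = {
    "outlook": {"outlook.com", "live.com", "office.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "yahoo": {"yahoo.com"},
    "linkedin": {"linkedin.com"},
}

# The page singles out 'bid'; the others are assumed examples of cheap TLDs
# commonly seen on throwaway phishing domains.
SUSPICIOUS_TLDS = {"bid", "top", "xyz", "club"}

# Assumed tuning value for typosquat detection (difflib ratio, 0..1).
SIMILARITY_THRESHOLD = 0.8

# Constructed sample input; none of these are real APT35 indicators.
SAMPLE_URLS = [
    "https://outlook.live.com/mail/",
    "https://login.microsoftonline.com/",
    "http://microsoft-account-verify.bid/signin",
    "https://rnicrosoft.com/login",
    "http://outlook.com@evil.bid/login",
    "https://www.linkedin.com/in/someone",
]


def registrable_domain(hostname):
    """Return the last two labels of a hostname, e.g. 'login.evil.bid' -> 'evil.bid'.
    Simplification: without a Public Suffix List, 'x.example.co.uk' -> 'co.uk'."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def classify_url(url):
    """Return a list of human-readable reasons the URL looks like a brand-impersonating
    phishing link. An empty list means no finding."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no hostname"]
    reasons = []
    # 'https://outlook.com@evil.bid/' shows a trusted name but resolves evil.bid.
    if "@" in parsed.netloc:
        reasons.append("userinfo before '@' hides the real host")
    tld = host.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        reasons.append(f"unusual TLD .{tld}")
    base = registrable_domain(host)
    all_official = set().union(*OFFICIAL_DOMAINS.values())
    if base in all_official:
        return reasons  # genuine brand domain; only structural findings remain
    base_label = base.split(".")[0]
    for brand, official in OFFICIAL_DOMAINS.items():
        # Brand string present anywhere in the hostname, but not on an official domain.
        if brand in host:
            reasons.append(f"'{brand}' in hostname but {base} is not an official domain")
            continue
        # Typosquats such as 'rnicrosoft' do not contain the brand string verbatim,
        # so compare the second-level label against each official one.
        for off in sorted(official):
            off_label = off.split(".")[0]
            if SequenceMatcher(None, base_label, off_label).ratio() >= SIMILARITY_THRESHOLD:
                reasons.append(f"{base} resembles {off}")
                break
    return reasons


def scan(urls):
    """Map each URL with at least one finding to its list of reasons."""
    findings = {}
    for url in urls:
        reasons = classify_url(url)
        if reasons:
            findings[url] = reasons
    return findings


if __name__ == "__main__":
    for url, reasons in scan(SAMPLE_URLS).items():
        print(url)
        for reason in reasons:
            print("   -", reason)
```

Feed `scan()` the URLs extracted from a day's mail or proxy logs and review what it flags; a hit is a prompt for a human look, not a verdict, since the allowlist will be incomplete and legitimate marketing domains often embed brand names. Browser-level protection, as the page recommends, remains the first line of defence, and this kind of batch check complements it by surfacing lures that reached users before a blocklist caught up.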

As usual, malware researchers recommend disinfecting PCs with dedicated anti-malware tools that can remove APT35's Collector spyware and similar threats automatically. Removal does not, however, undo the loss of credentials and other data already taken, so any passwords entered on a suspect site or on an infected machine should be changed.

The extent to which APT35 puts the 'human' in its human-intelligence hacking team is impressive, even by the standards of a state-funded group. Letting down your guard because of a convincing social media profile is a mistake that many employees keep making, to the benefit of spies from all nations.
