Join the Webinar | Strong Protection Against Cyber Threats

Iranian Backed APT Group APT39: Chafer

Especially those who are after sensitive personal data of anti-Iranian institution employees APT39; chafer, REMIX KITTEN And COBALT HICKMAN It is known by names such as. The APT group, which carries out cyber espionage activities for the interests of Iran, has also targeted Turkey before. It is considered that APT39 used the Python payload called MechaFlounder in its attack against Turkey.

Who is APT39?

APT39 differs from other threat groups in that it is an APT group that focuses on capturing personal information of corporate personnel. Cobalt Hickman (APT39), a highly sophisticated threat actor, focuses more on data collection, acting in Iranian interests. It collects data on companies in its target sectors, especially with a pro-Iran attitude. It uses the personal data it collects as additional access vectors in its current operation or as a potential tool in a future attack.

Which Countries Support APT39?

Chafer, as its nickname suggests, is an Iranian-backed APT group. It has been actively carrying out operations since 2014, displaying a pro-Iran stance. The most striking and distinctive feature of the group is that it focuses on personal information, as mentioned in the "who is" section.

In particular, individuals and institutions that pose a danger to Iran or have any personal information that could be valuable if captured are targeted by the group.

What are APT39's Target Sectors?

Although APT39 has global targets, it is particularly focused on the Middle East. The group, which attacks Iran's interests in the Middle East, particularly targets the following sectors:

  • Travel industry and IT companies serving this industry
  • Telecommunications companies
  • Advanced technology industry

What Malware Does APT39 Use?

APT39 uses various backdoor software as well as tools and software developed for different purposes and used by security experts. Malware with different features is used by the group to ensure persistence in the target system or to jump from one system to another. Specifically, malware whose name is mentioned together with APT39 is POWBAT Various variants of the back door, SEAWEED And CACHEMONEY They are backdoor software called.

Malware used in different stages of the attacks carried out by APT39 are listed below.

  • ASPXSpy: It is used to ensure persistence on the infiltrated server.
  • Cadelspy: It is mostly used in the information gathering stage after infiltrating the target system. It has features such as keylogging, microphone listening, capturing copied clipboard data, and learning the devices and components connected to the infiltrated system.
  • CrackMapExec: It was used to detect existing domain users on the local network and to perform brute force attacks. It has features such as capturing user information (via SAM), listing the network configuration and other systems on the network.
  • MechaFlounder: It is used to run commands on the infiltrated system and transmit the captured data to the command and control (C2 - Command and Control) server.
  • Mimikatz: It has been used to extract user account information from memory, to obtain unauthorized access by manipulating this information, and to obtain previously used usernames and passwords from the cache of web browsers.
  • PsExec: It was preferred to run commands in the infiltrated system, access SMB shares, and move the tools used or planned to be used during the attack while moving horizontally.
  • pwdump: Again, like CrackMapExec, it was used to hijack user accounts from the SAM file.
  • Remexi: It has been used for purposes such as accessing network traffic, detecting applications running on the system, and running Windows commands. However, Remexi is also used for keylogging, instant screenshots and file and directory discovery.

What Are the Attack Vectors Used by APT39?

Like every APT group, APT39 uses similar vectors when attacking its targets. The attack vectors used constitute the characteristic features of APT39. The attack vectors commonly used in cyber attacks carried out by Chafer to date are given in the table below.


The table will be in the format shown in the image, the drive disrupts the structure.


Initial AccessT1190He sent requests that could cause errors to systems that receive data from the Internet and tried to cause confusion in the system.
T1566.001It infiltrated the target system by using personalized e-mail messages containing malicious attachments (spearphishing).
T1566.002It carried out phishing attacks using e-mail messages containing malicious files as well as messages containing malicious links.
T1078The victim used credentials of existing users, such as username and password, to gain access to the system.
ExecutionT1059It used special scripts created to reconnoitre the internal network.
T1059.001He used PowerShell to run malicious codes.
T1059.006It used tools specially developed with Python that scan the network.




Timed task commands were used to ensure persistence.
T1569.002It used system services to run tools such as RemCom, which is used to run remote commands.
T1024.001Used malicious links to perform spearphishing.
T1024.002He used malicious files to perform spearphishing.
PersistenceT1547.001After APT39 infiltrated the system, it added its malicious process, which allows it to run commands, to the "startup" folder, enabling it to run every time the system is started.
T1547.009Created or edited existing shortcuts that were configured with the service added to the startup folder.
T1136.001Local user accounts have been created to enable migration across the network and ensure permanence.
T1053It used scheduled tasks to ensure persistence.
T1505.003ANTAK and ASPXSPY webshells were preferred by the group.
T1078The group used the captured Outlook accounts for different purposes.
Privilege EscalationT1047.001Programs or services that will enable privilege elevation by the group have been added to the startup folder.
T1547.009Shortcuts have been modified to increase authority.
T1078The authorization upgrade was carried out by logging into the accounts of users with high rights.
Defense EvasionT1036.005An official McAfee file created by the APT group to bypass defense mechanisms and communicate with the command and control server. mfevtps.exe has been imitated.
T1027.002A modified version of Mimikatz by Remix Kitten is packaged using the obfuscation technique. Thus, anti-virus systems were bypassed.
T1078In order to bypass the defense mechanisms, it took over the accounts of official users who were registered in the system and were not detected as anomalies.
Credential AccessT1110To obtain group credentials Ncrack benefited from the tool called.
T1556He used tools that can read clipboard data (the area where copy-paste data is kept) to obtain user passwords.
T1056.001It used tools that could detect keyboard input to capture user information.
T1003The APT group used a modified version of Mimikatz to capture user data.
T1003.001In addition to Mimikatz, the group also used tools such as Windows Credential Editor and ProcDump to obtain credentials from LSASS memory.
DiscoveryT1046It used CrackMapExec and a special tool called BLUTETORCH to perform network scanning.
T1135APT39 leveraged CrackMapExec to detect network shares.
T1018The group used a special tool called nbtscan to detect other remote systems.
T1033To detect existing users in the system remix He used a tool called.
Lateral MovementT1021.001The APT group used the RDP service to move laterally and maintain permanence in the systems. In some cases rdpwinst

It has been observed that the session management tool called

T1021.002Used SMB for lateral movement.
T1021.004It used SSH to move between its targets.
CollectionT1560.001The group archived the captured data using WinRAR and 7-z to easily transfer it.
T1115Various tools have been used to capture clipboard data.
T1005The group used a special tool to steal files from the infiltrated system.
T1056.001It used tools that can detect keyboard input to collect data.
T1113APT39 used screenshot functionality to take a snapshot of the infiltrated system.
Command and ControlT1071.001The APT group used the HTTP protocol to communicate with the command and control server.
T1071.004The APT group used DNS to communicate with the command and control server.
T1105In order to move freely in the infiltrated system and steal data, special tools were downloaded to the target system using the C2 server.
T1090.001APT39 used a SOCK5 proxy and a specially developed proxy to move between compromised systems.
T1090.002It used various proxies to communicate with the C2 server.
T1102.002APT39 also used files uploaded to DropBox to communicate with C2.

IOC Information for APT39

Information about the malware belonging to APT39, URL addresses, IP addresses and more is provided below.

Attack Against Turkey with MechaFlounder

It was determined that a Python-based payload called MechaFlounder was used in the attack carried out by APT39 on turkiyebursları.gov[.]tr in February 2018. In this attack, an executable file was downloaded from the IP address Chafer 185.177.59[.]70.

Harmful activities were carried out by running the file called “lsass.exe”, which was downloaded via HTTP request from win10-update[.]com.

In summary,

Malicious IP Address: 185.177.59[.]70

Malicious Domain: win10-update[.]com

MechaFlounder Payload (SHA256) Hash: 0282b7705f13f9d9811b722f8d7ef8fef907bee2ef00bf8ec89df5e7d96d81ff

System Activities and AV Alerts That May Be Related to APT39

Malicious system activities and software associated with Chafer by Symantec are coded as follows:

  • Backdoor.Remexi Activity
  • Backdoor.Cadelspy Activity 2
  • Backdoor.Cadelspy
  • Backdoor.Remexi
  • Backdoor.Remexi.B

Domain Information Related to APT39

  • s224.win7-update[.]com
  • s5060.win7-update[.]com
  • s21.win7-update[.]com
  • wsus65432.win7-update[.]com

IP Addresses Associated with APT39

  • 107.191.62[.]45
  • 94.100.21[.]213
  • 89.38.97[.]112
  • 148.251.197[.]113
  • 83.142.230[.]113
  • 87.117.204[.]113
  • 89.38.97[.]115
  • 87.117.204[.]115
  • 185.22.172[.]40
  • 92.243.95[.]203
  • 91.218.114[.]204
  • 86.105.227[.]224
  • 91.218.114[.]225
  • 134.119.217[.]84

Malicious File Information Related to APT39

File TypeFile nameMD5 Hash
Fake Microsoft installerWindows-KB3101246.exe804460a4934947b5131ca79d9bd668cf
PowerShell scriptdntx.ps15cc9ba617a8c53ae7c5cc4d23aced59d
PowerShell scriptdnip.ps18132c61c0689dbcadf67b777f6acc9d9
PowerShell scriptnsExec.dlb38561661a7164e3bbb04edc3718fe89
Autoit scriptapp.au3263bc6861355553d7ff1e3848d661fb8


Categories Articles