Skip to main content
Introducing Polarity Intel Edition: Streamlining Intel Distribution for SecOps
Polarity Intel Edition
Request a Demo

Research Roundup: APT39 Adversaries

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account.

In this edition, we cover:

  • APT39 / Remix Kitten / Chafer
  • Suspicious Domains using ITitch and MivoCloud
  • Mustang Panda PlugX

Roundup Highlight: APT39 Adversaries

Our highlight in this Roundup is Threat APT39 / Remix Kitten / Chafer. APT39 / Remix Kitten / Chafer is a threat actor group with a likely nexus to the Islamic Republic of Iran that has been active since at least 2014. The group has historically targeted the telecommunications and travel sectors. Previous reporting indicates APT39 / Remix Kitten / Chafer has been known to conduct operations to steal personal information likely in an effort to support influence operations and monitoring efforts.

On September 17, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on APT39, 45 associated individuals, and one front company for employing “a years-long malware campaign that targeted Iranian dissidents, journalists, and international companies in the travel sector.” The APT39 Threat has been updated with ATT&CK tags and associations to 45 new Adversaries to reflect the above in ThreatConnect.

ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.

  • 20200923A: Suspicious ITitch Registered Domains Hosted on MivoCloud ThreatConnect Research identified a series of suspicious, seemingly random domains that were registered through ITitch starting in late August 2020. The domains themselves don’t resolve, but their www subdomains resolve to probable dedicated servers in MivoCloud IP space. All these domains were registered using a Protonmail email address per their start of authority record, and many of the email addresses contain strings related to the registered domain.
  • 20200921A: File Matching YARA Rule Associated to Mustang Panda PlugX ThreatConnect Research identified a Mustang Panda PlugX binary and extracted Command and Control locations from the embedded configuration.
  • 20200919A: File Matching YARA Rule Associated to Mustang Panda PlugX ThreatConnect Research identified a Mustang Panda PlugX binary and extracted Command and Control locations from the embedded configuration.

Technical Blogs and Reports Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).

  • Daily Emotet IoCs and Notes for 09/21/20 (Source: https://paste.cryptolaemus.com/emotet/2020/09/21/emotet-malware-IoCs_09-21-20.html)
  • Emotet C2 Deltas from 2020/09/21 as of 07:20EDT or 11:20UTC (Source: https://paste.cryptolaemus.com/emotet/2020/09/21/emotet-C2-Deltas-1120-0720_09-21-20.html)
  • Threat Roundup for September 11 to September 18 (Source: https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html)
  • Egregor (Source: https://id-ransomware.blogspot.com/2020/09/egregor-ransomware.html)
About the Author

ThreatConnect

By operationalizing threat and cyber risk intelligence, The ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at www.threatconnect.com.