Tamecat (Backdoor) – Malware

Overview

In March 2024, Mandiant identified a sample of TAMECAT, a PowerShell toehold capable of executing arbitrary PowerShell or C# content. TAMECAT is delivered by malicious macro documents, communicates with its command-and-control (C2) node via HTTP, and expects data from the C2 to be Base64 encoded. Mandiant previously observed TAMECAT being used in a large-scale APT42 spear-phishing campaign targeting individuals or entities employed by or affiliated with NGOs, governments, or intergovernmental organizations worldwide.

Targets

Credentials of journalists, researchers, and geopolitical entities in regions of interest to Iran. Individuals or entities employed by or affiliated with NGOs, government, or intergovernmental organizations around the world

How they operate

APT42 utilizes two custom backdoors named Nicecurl and Tamecat, each designed for specific functions within cyberespionage operations. The attack begins with emails from online personas posing as journalists, NGO representatives, or event organizers, sent from domains that “typosquat” (use similar URLs) to those of legitimate organizations. TAMECAT is delivered with decoy content, likely via spear phishing, providing APT42 operators with initial access to the targets. The backdoor offers a flexible code-execution interface, which can be used as a jumping-off point to deploy additional malware or manually execute commands on the device. TAMECAT is dropped by malicious macro documents, communicates with its command-and-control (C2) node via HTTP, and expects data from the C2 to be Base64 encoded. Execution begins with a small VBScript downloader that leverages Windows Management Instrumentation (WMI) to query anti-virus products running on the victim’s system. Depending on whether the script detects Windows Defender, different download commands and URLs are used.

References:

• Uncharmed: Untangling Iran’s APT42 Operations
• How to remove TAMECAT malware from infected computers