Iranian APT33 Targets US Firms with Destructive Malware

itman · Sep 22, 2017

The Iranian group known as APT33 is believed to be behind a cyberespionage campaign targeting aerospace, petrochemical and energy sector firms located in the United States, Saudi Arabia and South Korea.

The group’s latest attack leverages a dropper called DropShot that is tied to the StoneDrill wiper malware—a variant of the infamous Shamoon 2, according to a report released Wednesday by FireEye.

The malware is being distributed via spear phishing campaigns that includes advertisements for jobs at Saudi Arabian aviation companies and Western organizations, researchers said. Emails include recruitment themed lures that contain links to malicious HTML application (.hta) files, researchers said.

“The .hta files contained job descriptions and links to legitimate job postings on popular employment websites that would be relevant to the targeted individuals,” researchers said. “Unbeknownst to the user, the .hta file also contained embedded code that automatically downloaded a custom APT33 backdoor (TurnedUp).”

Links in emails used spoofed domains for firms Boeing, Alsalam Aircraft Company, Northrop Grumman Aviation Arabia and Vinnell Arabia. Many of the victims who clicked on the link inadvertently downloaded DropShot.
Click to expand...

https://threatpost.com/iranian-apt33-targets-us-firms-with-destructive-malware/128074/

guest · Mar 27, 2019

APT33:
Elfin espionage group is focused on Saudi, U.S. organizations, Symantec says
March 27, 2019
https://www.cyberscoop.com/elfin-espionage-group-focused-saudi-u-s-organizations-symantec-says/

In the last three years, a suspected Iranian cyber-espionage group has targeted organizations in Saudi Arabia and the United States in attacks spanning several sectors, researchers from cybersecurity company Symantec said Wednesday.

The researchers described a hacking group that “has compromised a wide range of targets, including governments along with organizations in the research, chemical, engineering, manufacturing, consulting, finance, telecoms, and several other sectors.”
The tally of American targets includes “a number of Fortune 500 companies,” according to Symantec.

“Elfin’s goal appears to be sabotage,” Jon DiMaggio, senior threat intelligence analyst at Symantec, told CyberScoop. Their malware, a trojan called Stonedrill, “is designed to wipe the hard drives of the systems they infect, rendering them useless to the victim.”
The group “is one of the most active groups currently operating in the Middle East” and has shown a “willingness to continually revise its tactics and find whatever tools it takes to compromise its next set of victims,” the company said.
Click to expand...

guest · Jun 26, 2019

Iranian state hackers reload their domains, release off-the-shelf RAT malware
June 26, 2019
https://arstechnica.com/information...ir-domains-release-off-the-shelf-rat-malware/

A new report from the threat research firm Recorded Future finds that activity from APT33—the Iranian "threat group" previously tied to the Shamoon wiper attack and other Iranian cyber-espionage and destructive malware attacks—has risen dramatically, with the organization creating over 1,200 domains for use in controlling and spreading malware.

The research, conducted by Recorded Future's Insikt Group threat intelligence service, found with some confidence that individuals tied to APT33 (also known as "Elfin") had launched attacks on multiple Saudi companies, including two healthcare organizations—as well as an Indian media company and a "delegation from a diplomatic institution."

After Symantec revealed much of the infrastructure used by APT33 in March, the Iranian group parked a majority of its existing domains and registered over 1,200 new ones—with only a few remaining active.
Operations, according to the Insikt Group research, are divided into compartmentalized operations across about 50 different contracted organizations. As a result, there's some overlap between APT33's activities and other Iranian state-sponsored threat groups.
Click to expand...

Minimalist · Jul 3, 2019

Hackers exploit patched Microsoft Outlook flaw to infect machines

Cyber security experts suggest the attackers originate from the Iranian cyber gang ATP33
Click to expand...

https://www.itpro.co.uk/security/33...hed-microsoft-outlook-flaw-to-infect-machines

Minimalist · Jul 10, 2019

Why Cyber Command’s latest warning is a win for the government's information sharing efforts

When U.S. Cyber Command warned last week that a hacking group was using a Microsoft Outlook vulnerability previously leveraged by an Iran-linked malware campaign, it appeared to be signaling just how much the military knows about those operations. But the alert was significant in other ways: behind-the-scenes details uncovered by CyberScoop show that it is an example of how the U.S. government has built up its use of the information-sharing platform VirusTotal so the private sector gets more information sooner.
Click to expand...

https://www.cyberscoop.com/cyber-command-information-sharing-virustotal-iran-russia/

guest · Jan 23, 2020

Suspected Iranian hacking campaign targets European energy companies
January 23, 2020
https://www.zdnet.com/article/suspected-iranian-hacking-campaign-targets-european-energy-sector/

A hacking campaign with suspected ties to Iran has targeted the European energy sector in what's thought to be a reconnaissance mission aimed at gathering sensitive information.
The network intrusion at the energy company has been detailed by researchers at cybersecurity company Recorded Future.

The PupyRAT software used by the attackers is open-source malware and can infiltrate Windows, Linux, OSX and Android to give hackers access to the victim's system, including usernames, passwords and sensitive information across the network.
Despite the open-source nature of the malware, PupyRAT is prominently linked with Iranian state-backed hacking campaigns, particularly by the group known as APT 33 [...]
Click to expand...

Recorded Future: European Energy Sector Organization Targeted by PupyRAT Malware in Late 2019

Over the course of the last year, Recorded Future research has demonstrated that Iran-nexus groups, possibly including APT33 (also called Elfin), have been prolific in amassing operational network infrastructure throughout 2019.

PupyRAT is an open source RAT available on Github, and according to the developer, it is a “cross-platform, multi-function RAT and post-exploitation tool mainly written in Python.” It has been used previously by Iranian groups APT33 (Elfin, Magic Hound, HOLMIUM) and COBALT GYPSY (which overlaps with APT34/OilRig).
Although this commodity RAT, PupyRAT, is known to have been used by Iranian threat actor groups APT33 and COBALT GYPSY, we cannot confirm whether the PupyRAT controller we identified is used by either Iranian group.
Click to expand...

Log in or Sign up

Iranian APT33 Targets US Firms with Destructive Malware

itman Registered Member

guest Guest

guest Guest

Minimalist Registered Member

Minimalist Registered Member

guest Guest

Log in or Sign up

Iranian APT33 Targets US Firms with Destructive Malware

itman Registered Member

guest Guest

guest Guest

Minimalist Registered Member

Minimalist Registered Member

guest Guest

Useful Searches