APT33: The Lesser Known Adversary With Ties To Advanced Espionage Threats


Threat Actor Profile


Origin: Iran, 2013

Key Target Sectors: Manufacturing, Energy and Power, Aerospace, Defense, Petrochemical

Attack Vectors: Spear Phishing, Backdoor, Domain Masquerading

Target Region: Western Asia, North America, Eastern Asia, Middle East

Malware Used: DropShot, NanoCore, NetWire, TurnedUp, Dorkbot, Empire, PoshC2, Mimikatz, Aut2Exe, StoneDrill, PupyRAT, PowerSploit, Carberp, Shamoon 3, POWERTON

Motive: Cyber Espionage, Data Theft


Overview

APT33 is a lesser known but capable cyber-espionage group assessed to operate at the behest of the Iranian government. Active since at least 2013, the group has targeted businesses across several countries, but it drew wider attention when it was linked to a new wave of Shamoon attacks in December 2018.

Which organizations have they targeted?

Also tracked as Holmium and Magnallium, APT33 has targeted organizations in the United States, South Korea and Saudi Arabia across a wide range of sectors, including government, manufacturing, research, engineering, chemicals, finance and telecommunications. From late 2016 to mid-2017 the group focused on the aviation industry (both military and commercial) and on the energy sector. Notable targets included a US-based aerospace organization, a Saudi Arabian business conglomerate with aviation holdings, and a South Korean company involved in petrochemicals and oil refining.

In December 2018, APT33 was linked to the wave of Shamoon 3 attacks aimed largely at the Middle Eastern assets of the Italian oil and gas services company Saipem, along with a few other organizations in the United Arab Emirates and Saudi Arabia. Shamoon 3 and DropShot (the dropper used by APT33) share several traits, such as similar anti-emulation techniques, which suggests APT33's involvement. At the same time there were notable differences in TTPs: the two were written in different languages, and the custom and publicly available tools APT33 normally deploys were absent from the Shamoon-specific victims. This leaves open the possibility that another Iranian group with shared infrastructure carried out the Shamoon activity, or that APT33's own TTPs have evolved.

What is their motivation behind the attacks?

APT33's interest in the aviation sector likely reflects a desire to gather intelligence on regional military aviation capabilities, either to improve Iran's own aviation capabilities or to support Iranian strategic and military decision making. South Korean organizations were probably targeted because of South Korea's relationships with Saudi petrochemical companies. The targeting of holding companies and energy-sector organizations aligns with Iran's national interest in economic growth, particularly in expanding petrochemical production.

Modus Operandi

APT33's primary attack vector is spear-phishing email, with lures built around common or locally relevant events and activities. In September 2017, APT33 sent spear-phishing emails to employees in the aviation industry using recruitment-themed lures that contained links to malicious HTML Application (.hta) files. The group also uses known exploits to gain and extend access. In the December 2018 attacks it used a publicly available exploit for CVE-2017-0213 (a Windows COM elevation-of-privilege flaw) to escalate privileges, and abused CVE-2017-11774 (an Outlook security feature bypass in which a malicious folder home page runs attacker code) to download and execute a PowerShell-based version of the publicly available .NET PoshC2 backdoor together with a newly identified PowerShell implant that names itself POWERTON. In February 2019 attacks, the group was observed exploiting CVE-2018-20250, a path-traversal vulnerability in WinRAR's handling of ACE archives.
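The CVE-2017-11774 abuse described above works by pointing an Outlook folder's home page at an attacker-controlled URL. That setting lives in the per-user registry under the Outlook WebView keys, so a quick triage check is to export that hive and look for home pages that load from the network. The following is an added example written for this post, not code from the original article or from any vendor it cites: it parses a constructed `reg export` of the Outlook key (the only real-looking value in it is this page's own `HomePage.htm` indicator) and also reports the `EnableRoamingFolderHomepages` value, which is the switch that re-enables the home-page feature Microsoft's patch disables. The registry paths are Microsoft's documented ones; the export text and the `16.0` version path are assumptions for the demo.

```python
"""Triage check for Outlook folder home pages (the setting abused via
CVE-2017-11774) in an exported registry hive.

Added example for this post, not code from the original article. The
export below is constructed; the Inbox URL is taken from the page's IOC list."""
import re
from urllib.parse import urlsplit

# Constructed `reg export HKCU\Software\Microsoft\Office\16.0\Outlook` output.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox]
"URL"="https://85.206.161.216:8080/HomePage.htm"
"Flags"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\Calendar]
"URL"="outlook:calendar"

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security]
"EnableRoamingFolderHomepages"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
WEBVIEW_RE = re.compile(r"\\Outlook\\WebView\\([^\\]+)$", re.IGNORECASE)
SECURITY_RE = re.compile(r"\\Outlook\\Security$", re.IGNORECASE)

# Home pages fetched over the network or from a share are what the attack
# needs; "outlook:" URLs are Outlook's own built-in folder views.
REMOTE_SCHEMES = {"http", "https", "file"}


def _parse_reg_export(text):
    """Yield (key_path, value_name, raw_value) from regedit export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def _unquote(raw):
    """Turn an exported REG_SZ value ("..." with \\ and \" escapes) into a str."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def find_suspicious_homepages(reg_text):
    """Return WebView folders whose home-page URL points off the local machine."""
    hits = []
    for key, name, raw in _parse_reg_export(reg_text):
        m = WEBVIEW_RE.search(key)
        if not m or name.lower() != "url":
            continue
        url = _unquote(raw)
        scheme = urlsplit(url).scheme.lower()
        if scheme in REMOTE_SCHEMES or url.startswith("\\\\"):
            hits.append({"key": key, "folder": m.group(1), "url": url})
    return hits


def roaming_homepages_enabled(reg_text):
    """True if EnableRoamingFolderHomepages=1 under Outlook\\Security."""
    for key, name, raw in _parse_reg_export(reg_text):
        if SECURITY_RE.search(key) and name.lower() == "enableroamingfolderhomepages":
            return raw.lower() == "dword:00000001"
    return False


if __name__ == "__main__":
    for hit in find_suspicious_homepages(SAMPLE_REG_EXPORT):
        print(f"[!] {hit['folder']} home page set to {hit['url']} ({hit['key']})")
    if roaming_homepages_enabled(SAMPLE_REG_EXPORT):
        print("[!] EnableRoamingFolderHomepages=1 re-enables the patched feature")
```

On a live host the same check is a `reg export` of `HKCU\Software\Microsoft\Office\<version>\Outlook` fed to this script; a remote home page on a patched Outlook without the roaming switch set is still worth a look, since it shows the key was written.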

Known tools and malware

APT33 often uses custom-built malware (mostly backdoors), which suggests access to skilled development resources. Its custom tools include the DropShot dropper, which can deploy the ShapeShift wiper or install the TurnedUp backdoor. The group also uses publicly available tools (such as Mimikatz, the ALFASHELL web shell and the Windows Sysinternals ProcDump utility) in its espionage operations. It has registered multiple domains masquerading as commercial entities, including Alsalam Aircraft Company, Boeing, Vinnell and Northrop Grumman.

Some of the tools and malware used by APT33 include:
  • DropShot - A custom dropper usually observed deploying the TurnedUp backdoor or the ShapeShift wiper.
  • NanoCore - A publicly available Remote Access Trojan (RAT) sold online; it operates as a full-featured backdoor with support for additional plugins.
  • NetWire - A publicly available backdoor that attempts to steal credentials from the local machine and also supports general backdoor functionality.
  • TurnedUp - A custom backdoor that can upload and download files, take screenshots, create a reverse shell and gather system information.


Attribution

Several of APT33's espionage operations align with the nation-state interests of the Iranian government. The use of Iranian hacker tools and name servers, combined with operational timing that matches Iranian working hours, strongly suggests a connection to the Iranian government. One individual, using the handle 'xman_1365_x', was found linked both to the TurnedUp tool code and to the Iranian Nasr Institute, which has in turn been linked to the Iranian Cyber Army. 'xman_1365_x' also holds accounts on Iranian hacker forums, including Ashiyane and Shabgard.

Prevention

To prepare proactively for threats like APT33, organizations should adopt threat intelligence platforms and behavior-based anti-malware detection that can consume evolving IOCs and TTPs and act on them promptly. They should also share strategic and tactical threat intelligence with trusted partners, ISACs and regulatory bodies so that lessons learned turn into shared defensive strategies. A threat-intelligence-driven approach lets organizations exchange IOCs such as domain names, IP addresses, file hashes, and YARA and Snort signatures, and turn them into concrete protections. Adding known-malicious IPs and domains to a watchlist, so that any contact with them from inside the network raises an alert, adds a further layer of defense against an actor already operating in the environment. Regular review of the data flowing across the network perimeter can likewise help detect Shamoon-like malware deployed by actors such as APT33.

Indicators of Compromise


MD5 hashes
99649d58c0d502b2dfada02124b1504c
4aca006b9afe85b1f11314b39ee270f7
f5ac89d406e698e169ba34fea59a780e
5a66480e100d4f14e12fceb60e91371d
2cd286711151efb61a15e2e11736d7d2
3871aac486ba79215f2155f32d581dc2
53ae59ed03fa5df3bf738bc0775a91d9
c38069d0bc79acdc28af3820c1123e53
4047e238bbcec147f8b97d849ef40ce5
bd80fcf5e70a0677ba94b3f7c011440e
e2d60bb6e3e67591e13b6a8178d89736
974b999186ff434bee3ab6d61411731f
48d1ed9870ed40c224e50a11bf3523f8
8d3fe1973183e1d3b0dbec31be8ee9dd
fca0ad319bf8e63431eb468603d50eff
46038aa5b21b940099b0db413fa62687
75e680d5fddbdb989812c7ba83e7c425
fa7790abe9ee40556fb3c5524388de0b
56f5891f065494fdbb2693cfc9bce9ae
17587668ac577fce0b278420b8eb72ac
95f3bea43338addc1ad951cd2d42eb6f
8a99624d224ab3378598b9895660c890
4b19bccc25750f49c2c1bb462509f84e

SHA-256 hashes
5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f (Notestuk/TURNEDUP)
a67461a0c14fc1528ad83b9bd874f53b7616cfed99656442fb4d9cdd7d09e449 (AutoIt backdoor)
f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5 (Gpppassword)
87e2cf4aa266212aa8cf1b1c98ae905c7bac40a6fc21b8e821ffe88cf9234586 (LaZagne)
709df1bbd0a5b15e8f205b2854204e8caf63f78203e3b595e0e66c918ec23951 (LaZagne)
a23c182349f17398076360b2cb72e81e5e23589351d3a6af59a27e1d552e1ec0 (Quasar RAT)
0b3610524ff6f67c59281dbf4a24a6e8753b965c15742c8a98c11ad9171e783d (Quasar RAT)
d5262f1bc42d7d5d0ebedadd8ab90a88d562c7a90ff9b0aed1b3992ec073e2b0 (Quasar RAT)
ae1d75a5f87421953372e79c081e4b0a929f65841ed5ea0d380b6289e4a6b565 (Remcos)
e999fdd6a0f5f8d1ca08cf2aef47f5ddc0ee75879c6f2c1ee23bc31fb0f26c70 (Remcos)
018360b869d8080cf5bcca1a09eb8251558378eb6479d8d89b8c80a8e2fa328c (Remcos)
367e78852134ef488ecf6862e71f70a3b10653e642bda3df00dd012c4e130330 (Remcos)
ea5295868a6aef6aac9e117ef128e9de107817cc69e75f0b20648940724880f3 (Remcos)
6401abe9b6e90411dc48ffc863c40c9d9b073590a8014fe1b0e6c2ecab2f7e18 (SniffPass)
bf9c589de55f7496ff14187b1b5e068bd104396c23418a18954db61450d21bab (DarkComet)
af41e9e058e0a5656f457ad4425a299481916b6cf5e443091c7a6b15ea5b3db3 (DarkComet)
c7a2559f0e134cafbfc27781acc51217127a7739c67c40135be44f23b3f9d77b (AutoIt FTP tool)
99c1228d15e9a7693d67c4cb173eaec61bdb3e3efdd41ee38b941e733c7104f8 (.NET FTP tool)
94526e2d1aca581121bd79a699a3bf5e4d91a4f285c8ef5ab2ab6e9e44783997 (PowerShell downloader)
dedfbc8acf1c7b49fb30af35eda5e23d3f7a202585a5efe82ea7c2a785a95f40 (POSHC2 backdoor)

Network indicators (IP addresses and URLs, defanged)
85[.]206[.]161[.]214
hxxps://103[.]236[.]149[.]100/api/info
hxxps://185[.]161[.]209[.]172/api/default
hxxps://51[.]254[.]71[.]223/images/static/content
hxxp://91[.]235[.]116[.]212/index.html
85[.]206[.]161[.]214@443\outlook\live.exe
hxxps://85[.]206[.]161[.]216:8080/HomePage.htm
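The watchlist and IOC-exchange advice in the Prevention section, and the indicator list above, as an added worked example written for this post (not code from the original article): the script refangs a subset of the indicators published here, lower-cases hashes and collapses the duplicates that appear in the list, and then sweeps constructed proxy-log lines and a constructed file-hash inventory for matches on full URL, host, destination IP, MD5 or SHA-256. The log format, workstation names, user names and every non-indicator hash are invented for the demo.

```python
"""Sweep constructed proxy logs and a file-hash inventory for this page's IOCs.

Added example for this post, not code from the original article. RAW_IOCS is a
subset of the page's indicators as published; the log and inventory are constructed."""
import re
from urllib.parse import urlsplit

# Subset of the page's IOCs, exactly as published (defanged, mixed case, one duplicate).
RAW_IOCS = """
99649d58c0d502b2dfada02124b1504c
C38069d0bc79acdc28af3820c1123e53
99649d58c0d502b2dfada02124b1504c
Dedfbc8acf1c7b49fb30af35eda5e23d3f7a202585a5efe82ea7c2a785a95f40
85[.]206[.]161[.]214
hxxps://103[.]236[.]149[.]100/api/info
hxxps://185[.]161[.]209[.]172/api/default
hxxps://85[.]206[.]161[.]216:8080/HomePage.htm
"""

# Constructed proxy log: timestamp, workstation, user, destination, URL, status.
SAMPLE_PROXY_LOG = """
2018-12-10T09:12:01Z ws-042 user=jdoe dst=103.236.149.100:443 url=https://103.236.149.100/api/info status=200
2018-12-10T09:13:44Z ws-017 user=asmith dst=93.184.216.34:443 url=https://example.com/ status=200
2018-12-10T09:15:09Z ws-042 user=jdoe dst=85.206.161.216:8080 url=https://85.206.161.216:8080/HomePage.htm status=200
2018-12-10T09:20:30Z ws-101 user=mlee dst=185.161.209.172:443 url=https://185.161.209.172/api/update status=404
"""

# Constructed file-hash inventory: workstation, path, digest as reported by an agent.
SAMPLE_HASH_INVENTORY = r"""
ws-042 C:\Users\jdoe\AppData\Local\Temp\live.exe 99649d58c0d502b2dfada02124b1504c
ws-017 C:\Windows\System32\notepad.exe 0123456789abcdef0123456789abcdef
ws-101 C:\Users\mlee\Downloads\update.ps1 DEDFBC8ACF1C7B49FB30AF35EDA5E23D3F7A202585A5EFE82EA7C2A785A95F40
"""

HEX_RE = re.compile(r"^[0-9a-f]+$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ws>\S+) user=(?P<user>\S+) dst=(?P<dst>[\d.]+):\d+ url=(?P<url>\S+)")


def refang(ioc):
    """Undo the defanging convention ([.] and hxxp) used in published IOC lists."""
    return ioc.strip().replace("[.]", ".").replace("hxxp", "http")


def load_iocs(text):
    """Sort refanged indicators into typed sets: hashes lower-cased (so duplicates
    collapse), IPs as hosts, and each URL kept whole plus its host."""
    iocs = {"md5": set(), "sha256": set(), "hosts": set(), "urls": set()}
    for raw in text.splitlines():
        ioc = refang(raw)
        if not ioc:
            continue
        low = ioc.lower()
        if HEX_RE.match(low) and len(low) == 32:
            iocs["md5"].add(low)
        elif HEX_RE.match(low) and len(low) == 64:
            iocs["sha256"].add(low)
        elif IPV4_RE.match(ioc):
            iocs["hosts"].add(ioc)
        elif "://" in ioc:
            iocs["urls"].add(ioc)
            host = urlsplit(ioc).hostname
            if host:
                iocs["hosts"].add(host)
    return iocs


def sweep_proxy_log(log_text, iocs):
    """Flag requests whose full URL, URL host or destination IP is an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        host = urlsplit(url).hostname or ""
        if url in iocs["urls"]:
            reason = "url"
        elif host in iocs["hosts"] or m.group("dst") in iocs["hosts"]:
            reason = "host"
        else:
            continue
        hits.append({"workstation": m.group("ws"), "user": m.group("user"), "url": url, "match": reason})
    return hits


def sweep_hash_inventory(inventory_text, iocs):
    """Flag files whose MD5 or SHA-256 matches an indicator, regardless of case."""
    hits = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        ws, rest = line.split(maxsplit=1)
        path, digest = rest.rsplit(maxsplit=1)  # path may contain spaces
        digest = digest.lower()
        bucket = {32: "md5", 64: "sha256"}.get(len(digest))
        if bucket and digest in iocs[bucket]:
            hits.append({"workstation": ws, "path": path, "hash": digest, "match": bucket})
    return hits


if __name__ == "__main__":
    iocs = load_iocs(RAW_IOCS)
    for hit in sweep_proxy_log(SAMPLE_PROXY_LOG, iocs):
        print(f"[proxy] {hit['workstation']} ({hit['user']}) -> {hit['url']} [{hit['match']}]")
    for hit in sweep_hash_inventory(SAMPLE_HASH_INVENTORY, iocs):
        print(f"[file]  {hit['workstation']} {hit['path']} [{hit['match']}]")
```

Matching on the host as well as the full URL matters: the fourth log line hits a listed C2 address on a path the indicator list does not contain, which an exact-URL watchlist would miss.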

