APT33 cyber-espionage threat group targets organizations in Saudi Arabia and the United States

• APT33 threat group was first spotted in late 2015 and has since then targeted over 50 organizations across the research, chemical, engineering, manufacturing, consulting, financial, and telecoms sectors.
• In the recent attack campaign, the Elfin aka APT33 threat group targeted a chemical industry in Saudi Arabia by exploiting a known WinRAR ACE vulnerability (CVE-2018-20250).

What is the issue - The cyber-espionage threat group APT 33 also known as Elfin has launched a campaign targeting several organizations in Saudi Arabia and the United States.

The big picture

The cyber-espionage group primarily targets organizations in Saudi Arabia. However, it has also targeted a significant number of organizations in the United States with almost 18 companies including numerous Fortune 500 companies being targeted since 2016.

The organizations targeted in the US include the engineering, chemical, research, energy consultancy, finance, IT, and healthcare sectors.

Worth noting

• APT33 threat group was first spotted in late 2015 and has since then targeted over 50 organizations across the research, chemical, engineering, manufacturing, consulting, financial, and telecoms sectors.
• The malicious tools used by the threat group include LaZagne, Mimikatz, Gpppassword, and SniffPass.
• The commodity malware tools used by Elfin threat group includes Remcos, DarkComet, Quasar RAT, Pupy RAT, NanoCore, and NetWeird.
• The custom malware deployed by the threat group includes Notestuk, Stonedrill, and Autolt backdoor.

The recent attack campaign

In the recent attack campaign, the Elfin aka APT33 threat group targeted a chemical industry in Saudi Arabia by exploiting a known WinRAR ACE vulnerability (CVE-2018-20250).

• The threat group sent spear-phishing emails to two users of the chemical organization.
• The emails included a malicious file attachment named ‘JobDetails.rar’ which attempted to exploit the WinRAR vulnerability.

“However, prior to this attempted attack, Symantec had rolled out proactive protection against any attempt to exploit this vulnerability (Exp.CVE-2018-20250). This protection successfully protected the targeted organization from being compromised,” researchers said.