APT33, also known as Elfin, is a cyber espionage group that has been operating since at least 2013. Believed to operate out of the Islamic Republic of Iran, APT33 has been linked to attacks on targets in the Middle East, Europe, and the United States. The group’s focus is on gathering intelligence on organizations in the aerospace, energy, and petrochemical sectors, as well as on government agencies and academic institutions. APT33’s tactics are highly sophisticated and involve the use of custom-built malware and advanced social engineering.
Tactics, Techniques, and Procedures (TTPs)
APT33 has been observed using a variety of TTPs, including:
- Spear Phishing for Credential Theft (T1566.001): APT33 typically gains access to targets through spear-phishing emails. They often use lures relevant to the aerospace, energy, and petrochemical sectors, and the emails contain malicious attachments or links to malicious websites. MITRE ATT&CK Reference
- Exploitation for Client Execution (T1203): The group has been known to exploit software vulnerabilities to execute their code on a victim’s system. They have been observed exploiting a WinRAR vulnerability (CVE-2018-20250) to execute arbitrary code. MITRE ATT&CK Reference
- Use of Web Shells (T1505): APT33 has been observed using web shells to maintain access to a victim’s network. MITRE ATT&CK Reference
- Data Encrypted for Impact (T1486): APT33 has been known to encrypt data on a victim’s system, likely as a form of impact. MITRE ATT&CK Reference
Known Vulnerabilities Exploited
APT33 has been known to exploit the following vulnerabilities:
- CVE-2018-20250: This is a vulnerability in WinRAR that allows an attacker to create files in arbitrary paths after a user opens a compressed (ACE) file. Vendor Information | NVD Information
Indicators of Compromise (IOCs)
The following IOCs have been associated with APT33:
- Filename: PROPSYS[.]dll
- Filename: D99036C9-71BC-4D23-A1BF-43EF44C1F28A[.]cab
- Filename: WinSCard[.]dll
- MD5: 63623bcf68ef6a52846869bbc1206beffb9af8b0764458bf266c25a0d691272c1ffdacea353f9350036f928a8e03d0fb70f6e312bce2be0c9554f45bada84f92
- SHA-256: 2e8c395df7a08be30ef0569c1d809b8dc8e62bd6f0700019d1289f6b2ef5e6b8f297959b0a6f02e441387bd00e47a3cc0f4f80d0e44bbade463abc5ff804bdddf0ab3520db1f16e5d46c0a0a5462c30779cf9949b4c95c4252987b52c4540fc7440cc0e14dd3ba3924a69bbb4c3a1724e5685f57b852abe00634cd7c93594b3c
- SHA-1: 21e912c8d4d7fd60176590b9f727f63bd2eb224c0960abd13bbb204406d8ce48a68baa99621f401fb8b2ee0eaecaf37a40ff09a57d07e9e7dc467f6d3c9c17a68143e9890b120bdb6f4bfa8684195f9
Summary
APT33 is a sophisticated threat actor that poses a significant threat to organizations and individuals, particularly those in the aerospace, energy, and petrochemical sectors. The group’s use of a wide range of TTPs, including spear-phishing, exploitation of software vulnerabilities, and use of web shells, makes it a formidable adversary. Organizations should take steps to protect themselves from APT33, including educating employees about the dangers of spear-phishing, keeping software up-to-date to protect against known vulnerabilities, and monitoring their networks for signs of compromise.
Further Reading
For more information on APT33, you can refer to the following resources:
- Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware | Mandiant
- APT33 Hunt Report – Booz Allen
- Inside The Shadowy World Of Iranian Cyber Espionage Group APT33 – Forbes
- Obfuscated APT33 C&Cs Used for Narrow Targeting – Trend Micro
- APT33 Threat Actors – BRANDEFENSE