The APT Series Part 2 ‘APT33’

Telesoft Telesoft

The Elfin team are more commonly known as APT33 (they also go by other names like Refined Kitten, Magnallium and Holmium) and have been identified to be supported and sponsored by the Iran Government. APT33 have been operating since 2013.

Who do APT 33 target?

APT33 have shown interest in a wide range of organisations that have headquarters in Saudi Arabia and South Korea, with a particular taste for targets in the aviation sector (both military and commercial), as well as organisations in the energy sector with ties to oil and gas production. The underlying motive for the selection of target seems to mirror Iranian Government areas of interest and desired expansion.

Notable attack history?

Mid 2016 to early 2017:

APT33 breached a U.S. organisation in the aerospace industry and targeted a conglomerate located in Saudi Arabia with ties to the same sector.

At around the same time a suspected APT33 attack was directed at a Saudi organisation and a South Korean business conglomerate using a file that brought victims in with job vacancies for a Saudi Arabian oil and gas company.

What are their methods and TTPs?

Spear phishing:

A recently utilised methodology of the group is spear phishing, illustrated when thousands of targeted emails were sent to employees within the target company containing links to nefarious HTML application (.hta) files. The .hta files displayed legitimate job postings on popular websites tailored to the individual target. Unbeknown to the victim, the file would also contain embedded PowerShell code that would download a custom backdoor.

Domain masquerading:

APT33 have registered multiple ‘similar looking’ domains that are close to Saudi Arabian companies and western partnerships. It is likely that these were used in the above spear phishing attacks.

Other capabilities and tactics:

APT33 have been identified as using

  • DROPSHOT – a dropper that can be used to drop and launch other malicious programs, in this case the TURNEDUP backdoor and the SHAPESHIFT wiper malware.
  • Nanocore RAT – a remote access trojan that’s available publicly.
  • NetWire – a backdoor that is used to steal credentials from the local machine, this too is publicly available.
  • TURNEDUP – a backdoor capable of creating reverse shells, taking screenshots, gathering system information and uploading and downloading files.

In summary?

Seeing an attacker enables you to defend against them, a way to effect this is to lay over the physical network and its traffic the information and intelligence obtained from previous attackers or attacks. This tactic is strengthened by combining Open Source Intelligence (OSINT), derived intelligence and calculating behavioural patterns, methodologies and ultimately the optimal machine and human responses to optimally mitigate current and future attack campaigns.

Deriving intelligence can be done with multiple tools and in multiple ways. One such way is to utilise high visibility of traffic flows by using a network traffic probe, combined with an integrated IDS system that can identify malicious packets and flows, whilst storing the raw activity of targets of interest for deep forensics. The output from these tools can then be passed to a platform that allows packet and flow level forensic investigation which then can be filtered and further analysed to build up a pattern of attacks and even describe campaigns and attacker capability.

Related products