A cyber espionage group APT33 (aka Elfin and Refined Kitten) widely believed to be conducting attacks on behalf of the Iranian government switched to new tools and tactics after Symantec’s report exposed its malicious activity and much of its infrastructure earlier this year. Fast response suggests that the group closely monitors related media coverage and is resourceful enough to be able to swiftly take some action.
In fact, days after the March 2019 Symantec report went live APT33 had reassigned its key domain infrastructure and resorted to a new remote access trojan (RAT) called njRAT, which was not previously associated with the group, said the researchers from cyber security firm Recorded Future.
“Our research found that APT33, or a closely aligned threat actor, continues to conduct and prepare for widespread cyber espionage activity, with over 1,200 domains used since March 28, 2019 and with a strong emphasis on using commodity malware,” note the experts.
According to the report, 728 of 1,200 domains were identified communicating with infected hosts. 575 of the 728 domains were observed communicating with hosts infected by one of 19 mostly publicly available RATs. Almost 60% of the suspected APT33 domains that were classified to malware families related to njRAT infections. Other commodity RAT malware families, such as AdwindRAT and RevengeRAT, were also linked to suspected APT33 domain activity.
The group has used these tools in recent attacks targeting multiple unnamed organizations in Saudi Arabia since March, including an unnamed conglomerate headquartered in Saudi Arabia, “with businesses in the engineering and construction, utilities, technology, retail, aviation, and finance sectors”, and Saudi companies in the healthcare and metals industry. Also among targeted entities were an Indian mass media company and a delegation from a diplomatic institution.
“We assess that the large amount of infrastructure uncovered in our research is likely indicative of wider ongoing operational activity, or the laying of groundwork for future cyber espionage operations,” concluded the researchers.