27 June 2019

Iranian cyberspies revamp their infrastructure, adopt new tactics and techniques

APT33 (aka Elfin and Refined Kitten), a cyber espionage group widely believed to be conducting attacks on behalf of the Iranian government, switched to new tools and tactics after Symantec’s report exposed its malicious activity and much of its infrastructure earlier this year. The fast response suggests that the group closely monitors related media coverage and is resourceful enough to swiftly take action.

In fact, within days of the March 2019 Symantec report going live, APT33 had reassigned its key domain infrastructure and adopted a new remote access trojan (RAT), njRAT, which had not previously been associated with the group, said researchers from the cyber security firm Recorded Future.

“Our research found that APT33, or a closely aligned threat actor, continues to conduct and prepare for widespread cyber espionage activity, with over 1,200 domains used since March 28, 2019 and with a strong emphasis on using commodity malware,” note the experts.

According to the report, 728 of the 1,200 domains were identified communicating with infected hosts, and 575 of those 728 domains were observed communicating with hosts infected by one of 19 mostly publicly available RATs. Almost 60% of the suspected APT33 domains that could be classified to a malware family were related to njRAT infections. Other commodity RAT malware families, such as AdwindRAT and RevengeRAT, were also linked to suspected APT33 domain activity.

The group has used these tools in recent attacks targeting multiple unnamed organizations in Saudi Arabia since March, including an unnamed conglomerate headquartered in Saudi Arabia “with businesses in the engineering and construction, utilities, technology, retail, aviation, and finance sectors”, and Saudi companies in the healthcare and metals industries. Also among the targeted entities were an Indian mass media company and a delegation from a diplomatic institution.

“We assess that the large amount of infrastructure uncovered in our research is likely indicative of wider ongoing operational activity, or the laying of groundwork for future cyber espionage operations,” concluded the researchers.
