APT33

APT33 is an Iranian threat group that has been actively running malicious industrial espionage campaigns since 2013. APT33 has been targeting private-sector petrochemical, energy, and aviation organizations to identify and exfiltrate confidential information. In addition, APT33 has been targeting organizations within Saudi Arabia, South Korea, the United States, and other countries in Europe, the Middle East, and Asia.

Other suspected group names have also known as APT33, including Elfin Team, Refined Kitten, Magnallium, and Holmium. At times, it appears to have been hard to disambiguate the various names associated with APT33. Depending on the threat researcher, other suspected group names may be viewed as entirely different threat groups.

APT33 became an entity of high interest to threat researchers when APT33 launched the Shamoon wiper malware attacks on both the Middle East and Europe. Shamoon is a highly malicious and destructive malware designed by APT33 to destroy all data on infected systems.

During these campaigns, compromised systems also displayed graphic propaganda. This propaganda included images of a drowned Syrian child, burning American flags, and more. In addition, APT33 was also observed targeting a European politician’s website and, in turn, using that website to send out phishing emails to targeted supply chain companies in the oil industry.

More recently, APT33 appears to have been using approximately a dozen active Command and Control (C&C) servers. Additionally, APT33 uses multiple techniques to camouflage and obfuscate these C&C servers in support of highly targeted malware campaigns. These botnets are comprised of perhaps 10 to 20 infected compute and provide persistence within targeted organizations’ networks.

APT33 also uses several types of custom backdoors, some of which are believed to have been developed internally. APT33 has been observed using two different attack vectors: watering hole attacks and targeted email spear phishing. The spear phishing attacks used malware-laden Microsoft Documents (macros had to be enabled by a cooperative user!). Additionally, APT33 has recently been observed using open-source tools with stolen authentication credentials to exploit mail clients further to disburse and deploy malware. Finally, APT33 uses publicly available exploits and instruments whenever possible.

Over time, APT33’s malware tools have grown quite large. Some malware is off-the-shelf and more of a commodity, but they have been observed building and deploying customizations on multiple occasions. These customized tool sets include a variety of backdoors, droppers, and a data wiper. You will recall that a dropper is a type of Trojan designed to install malware on a target system. Commodity malware used by APT33 includes PoshC2, Remcos, DarkComet, Quasar RAT, and Pupy RAT. These malware tools include password stealing, C2 command execution, data exfiltration, and more. APT33 also uses widely available tools such as Mimikatz, Procdump, and Ruler.

APT33 has developed several custom tools: TurnedUp is a backdoor that can download/upload files, report information on the targeted system, and create a reverse shell. ShapeShift (also known as Stonedrill) is a specialized backdoor that can download additional files and contains a data wiper that can effectively hit the MBR. DropShot is a dropper that can drop and launch tools such as TurnedUp and ShapeShift. Finally, Powerton is a PowerShell-based implant used recently by APT33 and uses encrypted C2, a complete ensemble of persistence mechanisms.

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels across many industries and from around the world.