Following a recent report detailing APT33’s infrastructure and tactics, the Iranian state-sponsored threat actor shook up its cyberespionage efforts by adopting new tools and reassigning key domain infrastructure.
The infrastructure overhaul stems from a March 2019 Symantec report exposing the group’s wide-ranging infrastructure and cyberespionage efforts, including a three-year campaign against multiple firms in Saudi Arabia and the United States. In a report released Wednesday, Recorded Future researchers said that, days after the March report went live, they observed APT33 had reassigned its key domain infrastructure and starting using a new remote access trojan (RAT) not previously associated with the group.
“Interestingly, while the Symantec research noted APT33’s use of Nanocore, njRAT was not mentioned, which indicates a previously unknown addition to the group’s ever-expanding repertoire of commodity malware,” said Recorded Future researchers on Wednesday. “The fact that this activity was executed just a day or so after the report went live suggests the Iranian threat actors are acutely aware of the media coverage of their activities and are resourceful enough to be able to react in a quick manner.”
APT33 has utilized these new tools in several recent campaigns targeting multiple unnamed organizations in Saudi Arabia since March, researchers said, including a Saudi conglomerate “with businesses in the engineering and construction, utilities, technology, retail, aviation, and finance sectors” and Saudi companies in the healthcare and metals industry. Also targeted were an Indian mass media company and a delegation from a diplomatic institution, researchers said.
Researchers for their part warned that these crucial changes point to future widespread cyberespionage efforts, and urged firms to monitor their networks for evidence of suspected APT33 activity. “We assess that the large amount of infrastructure uncovered in our research is likely indicative of wider ongoing operational activity, or the laying of groundwork for future cyberespionage operations,” they said.
Escalating Cyberespionage
APT33 has recently been in headlines due to increased cyber-related tensions between the U.S. and Iran this past month. After multiple U.S. cyber intelligence firms reported that they were targeted in spear phishing campaigns by Iranian hackers over the past week, Crowdstrike and FireEye attributed the campaign to APT33.
But the threat group has been around long before that. Researchers track APT 33’s cyberespionage activity back to 2013. The threat actor (also known as Magnallium or Refined Kitten) is known to target nations in the Middle East, but has also launched attacks against U.S., South Korean and European businesses.
In 2017, for instance, the Iranian group was linked to a cyberespionage campaign targeting aerospace, petrochemical and energy sector firms located in the United States, Saudi Arabia and South Korea with spear phishing emails. The group’s attack leveraged a dropper called DropShot that is tied to the StoneDrill wiper malware—a variant of the infamous wiper malware, Shamoon 2.
njRAT
Despite being around since 2013, APT33 doesn’t appear to be slowing down anytime soon, and Recorded Future’s analysis found the APT group continues to control C2 domains in bulk, with over 1,200 domains used since March 2019.
Researchers found the APT33 was using njRAT, a RAT that may run in the background and silently collect information about the system, connected users, and network activity.
“Since late March, suspected APT33 threat actors have continued to use a large swath of operational infrastructure, well in excess of 1,200 domains, with many observed communicating with 19 different commodity RAT implants,” researchers said. “An interesting development appears to be their increased preference for njRAT, with over half of the observed suspected APT33 infrastructure being linked to njRAT deployment.”
According to Malwarebytes, njRAT has a swath of capabilities, mostly centered around stealing stored credentials, usernames and passwords and other personal and confidential information. Attackers behind the malware can also install additional software to the infected machine, or direct infected machines to participate in a malicious botnet for the purposes of sending spam or other malicious activities.
Researchers spotted APT33 also using an array of other malware, included RevengeRAT, NanoCoreRAT, DarkComet and SpyNet. Other commodity RAT malware families, such as AdwindRAT and RevengeRAT, were also linked to suspected APT33 domain activity, researchers said.
“Commodity malware is an attractive option for nation-state threat actors who wish to conduct computer network operations at scale and hide in plain sight among the noise of other threat actor activities, thus hindering attribution efforts,” they said.
It’s not the first time APT33 has switched up its tactics: Researchers in 2018 identified what they called an Early Bird code injection technique used by the Iranian group to burrow the TurnedUp malware inside infected systems while evading anti-malware tools.