The Iranian group known as APT33 is believed to be behind a cyberespionage campaign targeting aerospace, petrochemical and energy sector firms located in the United States, Saudi Arabia and South Korea.
The group’s latest attack leverages a dropper called DropShot that is tied to the StoneDrill wiper malware—a variant of the infamous Shamoon 2, according to a report released Wednesday by FireEye.
The malware is being distributed via spear phishing campaigns that includes advertisements for jobs at Saudi Arabian aviation companies and Western organizations, researchers said. Emails include recruitment themed lures that contain links to malicious HTML application (.hta) files, researchers said.
“The .hta files contained job descriptions and links to legitimate job postings on popular employment websites that would be relevant to the targeted individuals,” researchers said. “Unbeknownst to the user, the .hta file also contained embedded code that automatically downloaded a custom APT33 backdoor (TurnedUp).”
Links in emails used spoofed domains for firms Boeing, Alsalam Aircraft Company, Northrop Grumman Aviation Arabia and Vinnell Arabia. Many of the victims who clicked on the link inadvertently downloaded DropShot.
In March, Kaspersky Lab released a report on StoneDrill linking the malware to a variant of Shamoon, which targeted firms Saudi Aramco and Rasgas in 2012. StoneDrill also was used against organizations in Saudi Arabia, and was found inside a European petrochemical organizations.
“StoneDrill has several ‘style’ similarities to Shamoon, with multiple interesting factors and techniques to allow for the better evasion of detection,” Kaspersky wrote in its report From Shamoon to Stonedrill (PDF).
Kaspersky researchers concluded StoneDrill also bears similarities to an APT group known as NewsBeef, or Charming Kitten, for its use of the Browser Exploitation Framework known as BEeF. But, Kaspersky and FireEye both said it’s unknown whether the groups behind Shamoon and StoneDrill are the same, or are simply aligned in interests and regions in which they target.
Researchers said APT33 has been operational since 2013 carrying out various active cyber espionage operations on the behalf of the Iranian government.
“More recently, in May 2017, APT33 appeared to target a Saudi organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company,” FireEye researchers wrote.
The goal of the attacks is to boost Iran’s own aviation capabilities, gather Saudi-related military intelligence for Iran and to help Iranian petrochemical firms gain a competitive advantage over Saudi Arabian companies, according to researchers.
“We identified APT33 malware tied to an Iranian persona who may have been employed by the Iranian government to conduct cyber threat activity against its adversaries,” according to FireEye. “We assess an actor using the handle ‘xman_1365_x’ may have been involved in the development and potential use of APT33’s TurnedUp backdoor.”
Researchers came to that conclusion because the handle Xman_1365_x appeared in the processing-debugging (PDB) paths of many of TurnedUp backdoor samples they collected. Researchers also believe that Xman_1365_x was also a community manager in an Iranian programming and software engineering forum Barnamenevis and registered accounts in the well-known Iranian Shabgard and Ashiyane forums.