

Severity
High
Analysis Summary
The threat group regularly referred to as APT33 is known to target the oil and aviation industries aggressively. This threat group has been reported on consistently for years, but our recent findings show that the group has been using about a dozen live Command and Control (C&C) servers for extremely narrow targeting. The group puts up multiple layers of obfuscation to run these C&C servers in extremely targeted malware campaigns against organizations in the Middle East, the U.S., and Asia.
APT33 has also been executing more aggressive attacks over the past few years. For example, for at least two years the group used the private website of a high-ranking European politician (a member of her country’s defense committee) to send spear phishing emails to companies that are part of the supply chain of oil products. Targets included a water facility that is used by the U.S. army for the potable water supply of one of its military bases.
These attacks have likely resulted in concrete infections in the oil industry. For example, in the fall of 2018, we observed communications between a U.K.-based oil company, with computer servers in the U.K. and India, and an APT33 C&C server. Another European oil company suffered an APT33-related malware infection on one of its servers in India for at least 3 weeks in November and December 2018. Several other companies in oil supply chains were compromised in the fall of 2018 as well. These compromises indicate a significant risk to companies in the oil industry, as APT33 is known to use destructive malware.

Impact
Exposure of sensitive information.
Indicators of Compromise
Filename
MsdUpdate.exe
From Email
SHA256
- e954ff741baebb173ba45fbcfdea7499d00d8cfa2933b69f6cc0970b294f9ffd
- b58a2ef01af65d32ca4ba555bd72931dc68728e6d96d8808afca029b4c75d31e
- a67461a0c14fc1528ad83b9bd874f53b7616cfed99656442fb4d9cdd7d09e449
- c303454efb21c0bf0df6fb6c2a14e401efeb57c1c574f63cdae74ef74a3b01f2
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.