HYAS Blog

Hunting APT33 Campaign Infrastructure

Written by HYAS Intel Team | September 20, 2019

Geopolitical risk is just one of many considerations that global enterprises and institutions must factor into their businesses, and when combined with a firm’s information security posture, those risks can take on entirely new dimensions. Such has been the case in the current geopolitical environment, given the tensions between Iran and other global powers. Advanced Persistent Threat groups that may not previously have focused on particular geographies or industries are now much more active in their efforts to compromise targets they see as important new opportunities.

One such example is the increase in attacks observed from APT33 and other Iranian state-aligned groups, such as APT34, APT35, and MuddyWater. APT33 (aka “Elfin (Team)”, “Refined Kitten”, “Magnallium”, and “Holmium”) in particular has shown increased interest in targeting a broader set of industries, including financial services and advanced technology companies, in an effort that goes beyond its historic focus on Middle Eastern targets and its emphasis on the energy and utility, aerospace, and defense industries.

Known for its use of both custom malware and more commodity malware and tools, APT33 has had its campaign infrastructure, used against targets in the US and other countries, observed by HYAS as part of our ongoing work to provide additional telemetry and, where possible, advance warning to our clients. HYAS’ data collection and attribution engine is able to identify not just the campaign infrastructure used in a current attack, but also, with confidence, the infrastructure being spun up for near-term or future attacks.

One such example is highlighted by the recent US Cybercom notice regarding malicious use of CVE-2017-11774 by APT33. In their public alert of July 2nd, 2019, malware used in the attacks was noted as being delivered from the domain customermgmnt[.]net. In the interim, other research teams (including ClearSky, Symantec, and FireEye) have done great work to confirm that the domains backupaccount[.]net, customermgmt[.]net, whiteelection[.]net, and inboxsync[.]org are tied to APT33, which is consistent with HYAS’ assessment.

HYAS’ Threat Intelligence team had identified these domains as associated with APT33 back in May, before they were put into use in campaigns. Reviewing proprietary data and the APT33 TTPs known to our team, we have been able to identify a number of other domains that HYAS assesses, with either high confidence (95%) or moderate confidence (>75%), to be connected to APT33.

HIGH CONFIDENCE (+95%):

admindirector[.]com

backupaccount[.]net

ceoadminoffice[.]com

customermgmt[.]net

diplomatsign[.]com

whiteelection[.]com

groupchiefexecutive[.]com

inboxsync[.]org

mailsarchive[.]com

managementdirector[.]com

officemngt[.]com

MODERATE CONFIDENCE (+75%):

urlmanage[.]com

truelogon[.]com

tokensetting[.]com

service-search[.]info

phpencryptssl[.]com

moreonlineshopping[.]com

cardkuys[.]com

cardchsk[.]com

businessscards[.]com
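The indicators above are published in defanged form, so before they can be matched against DNS telemetry they have to be refanged and compared label by label, so that a lookup for a subdomain (mail.customermgmt.net) is caught while a lookalike that merely contains the string (notcustomermgmt.net) or carries the indicator in the middle of an internal name is not. The following script is an added example and is not HYAS code or tooling: it loads both confidence tiers from the post, refangs them, and scans a handful of constructed DNS query-log lines (a simplified BIND-style format; the client addresses, timestamps and query names are made up for illustration) to report which watched domain each hit resolves to and at what confidence.

```python
"""Match the defanged APT33 domain indicators from the post against DNS query logs.

Added example, not HYAS code. The indicator lists are copied from the post;
the log lines and client addresses below are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Indicators exactly as published in the post (defanged with "[.]").
HIGH_CONFIDENCE = [
    "admindirector[.]com", "backupaccount[.]net", "ceoadminoffice[.]com",
    "customermgmt[.]net", "diplomatsign[.]com", "whiteelection[.]com",
    "groupchiefexecutive[.]com", "inboxsync[.]org", "mailsarchive[.]com",
    "managementdirector[.]com", "officemngt[.]com",
]
MODERATE_CONFIDENCE = [
    "urlmanage[.]com", "truelogon[.]com", "tokensetting[.]com",
    "service-search[.]info", "phpencryptssl[.]com", "moreonlineshopping[.]com",
    "cardkuys[.]com", "cardchsk[.]com", "businessscards[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (e.g. 'hxxp://bad[.]com/') back into a bare hostname."""
    host = indicator.strip().lower()
    host = re.sub(r"^hxxps?://", "", host)          # common defanged scheme
    for token in ("[.]", "(.)", "{.}", "[dot]"):      # common defanged dots
        host = host.replace(token, ".")
    return host.rstrip("/").strip(".")


def build_watchlist() -> Dict[str, str]:
    """Map refanged domain -> confidence tier; high overrides moderate on any overlap."""
    watch = {refang(d): "moderate" for d in MODERATE_CONFIDENCE}
    watch.update({refang(d): "high" for d in HIGH_CONFIDENCE})
    return watch


def match_host(qname: str, watch: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (indicator, confidence) if qname equals or is a subdomain of a watched domain.

    Walks the label suffixes (mail.x.net -> x.net), so substring lookalikes such as
    'notx.net' and names that merely embed an indicator ('x.net.internal.corp') do not match.
    """
    labels = qname.lower().strip(".").split(".")
    for i in range(len(labels) - 1):              # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in watch:
            return candidate, watch[candidate]
    return None


# Simplified BIND-style query log line; only the "query: <name> IN <type>" part is parsed.
QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")
CLIENT_RE = re.compile(r"client (?P<client>\S+?)#")


def scan_dns_log(lines: Iterable[str], watch: Dict[str, str]) -> List[dict]:
    """Return one record per log line whose queried name hits the watchlist."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        found = match_host(m.group("qname"), watch)
        if not found:
            continue
        indicator, confidence = found
        c = CLIENT_RE.search(line)
        hits.append({
            "qname": m.group("qname").rstrip("."),
            "qtype": m.group("qtype"),
            "indicator": indicator,
            "confidence": confidence,
            "client": c.group("client") if c else None,
        })
    return hits


# Constructed sample log: two true hits, one trailing-dot name, two near-misses.
SAMPLE_DNS_LOG = [
    "20-Sep-2019 10:15:02.123 client 10.0.4.17#53211: query: mail.customermgmt.net IN A + (10.0.0.53)",
    "20-Sep-2019 10:15:03.004 client 10.0.4.22#41002: query: www.example.com IN A + (10.0.0.53)",
    "20-Sep-2019 10:15:05.771 client 10.0.9.3#55120: query: cardchsk.com. IN MX + (10.0.0.53)",
    "20-Sep-2019 10:15:06.010 client 10.0.4.17#53215: query: notcustomermgmt.net IN A + (10.0.0.53)",
    "20-Sep-2019 10:15:08.330 client 10.0.4.40#60001: query: inboxsync.org.internal.corp IN A + (10.0.0.53)",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, build_watchlist()):
        print(f"{hit['confidence']:8} {hit['client']:<12} {hit['qname']} -> {hit['indicator']}")
```

Run against a real resolver log, only the first hit (mail.customermgmt.net, high confidence, from 10.0.4.17) and the MX lookup for cardchsk.com would surface; the lookalike and the internal name that embeds an indicator are correctly ignored. The same label walk applies to proxy or passive-DNS data once the hostname field is extracted.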

We encourage security professionals to take care with respect to the above domains, and to talk to HYAS about how we can help not just identify attribution for current bad actors and threats, but proactively identify the infrastructure that will likely be used for future attacks.

For more information about HYAS, email us at sales@hyas.com or go to hyas.com/demo.