
APT33

Posted: July 26, 2019

APT33 is a threat actor that operates out of Iran and targets business networks throughout the world with espionage-related operations. APT33 attacks frequently leverage backdoor-capable Trojans and RATs to gain invasive access to, and control over, a network. Users with suspected APT33 infections should cut off all online connectivity and disinfect the system with an updated and reputable anti-malware utility without delay.

A Media-Based Pivot for Cyber-Spies

The Iran-based threat actor, APT33, is one of the numerous groups of hackers believed to benefit from government sponsorship for harvesting information from geopolitical foes. Unlike some similar entities, APT33 focuses on breaking into the networks of for-profit industries, such as aeronautical and energy sectors. Its history also includes an unexpected quirk: rapid response to media attention and accompanying shifts in how it conducts its campaigns.

As is usual for a threat actor of this caliber, malware researchers assess that most APT33 attacks arrive through an initial phishing e-mail. These messages carry corrupted attachments, such as HTA files, that exploit embedded vulnerabilities to infect the PC, and they trick users into opening them with company-relevant content. By this method, APT33 can install various threats, including a selection of RATs, or Remote Access Trojans (such as DarkComet, NanoCoreRAT and RevengeRAT).

Recent publications concerning APT33's activities, however, are leading to a notable pivot in how it operates. As of March 2019, over half of the C&C infrastructure for APT33's campaigns appears to be leveraging, or is otherwise related to, Backdoor.Ratenjay (njRAT). The njRAT Trojan is not used exclusively by APT33, and choosing it may be an attempt to keep researchers from connecting various attacks to the organization. Its features include both botnet capabilities, such as spamming, and data-stealing ones, such as exfiltrating passwords.

Slowing Down Middle Eastern Meddling on Your Network

APT33's focus is, like most spies of the digital age, on gaining shell-based control over PCs for monitoring and collecting intelligence. However, malware researchers also note other dangers from some APT33 attacks. These further issues include their leveraging a StoneDrill 'wiper' Trojan: a threat that can erase most or all data on a compromised system securely. The latter's deployment could be a case of APT33 covering its tracks and destroying evidence, or even a botched attempt at ransoming files.

Proper curation of passwords can slow APT33's traversal throughout a network and blunt brute-force attempts at compromising a machine. Workers also should be aware of the dangers of e-mail phishing attacks, which will resemble legitimate content that pertains to the industry and recipient. When in doubt, attached files should receive complete anti-malware scans, and malware experts recommend against enabling macros in documents that support them.
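The lure described above, an HTA or macro-enabled document attached to an industry-themed e-mail, is something a mail gateway can hold back for a full scan before it reaches a user. The following is an added example, not code from this write-up or from any vendor, of a minimal attachment check over a constructed message; the extension list, sender/recipient addresses and attachment contents are all assumptions for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment types named in this write-up as APT33 lures (HTA files and
# macro-enabled Office documents), plus a few related script containers.
# Constructed policy list; tune it to your own environment.
RISKY_EXTENSIONS = {".hta", ".docm", ".xlsm", ".pptm", ".dotm", ".xlam",
                    ".js", ".vbs", ".wsf"}


def risky_attachments(raw_message: bytes) -> list[str]:
    """Return the (lower-cased) filenames of attachments to quarantine for a full scan."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        # Matching on the final extension also catches double-extension
        # tricks such as "schedule.pdf.hta".
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            flagged.append(name)
    return flagged


def build_sample_message() -> bytes:
    """Constructed phishing-style e-mail: one HTA lure plus one benign PDF."""
    msg = EmailMessage()
    msg["From"] = "procurement@example-vendor.invalid"   # assumed sender
    msg["To"] = "engineer@example-corp.invalid"          # assumed recipient
    msg["Subject"] = "Revised turbine maintenance schedule"
    msg.set_content("Please review the attached schedule before Friday's meeting.")
    # Placeholder bodies; no real script or document content is embedded.
    msg.add_attachment(b"<html><!-- constructed placeholder --></html>",
                       maintype="application", subtype="hta",
                       filename="Q3_Turbine_Schedule.hta")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder",
                       maintype="application", subtype="pdf",
                       filename="site_map.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name in risky_attachments(build_sample_message()):
        print(f"quarantine for scanning: {name}")
```

In a real deployment this check would sit in front of the anti-malware scan the text recommends, not replace it, since a renamed or archived payload slips past a filename test.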

Most of the tools that APT33 uses are well-known to the cyber-security industry. Updated anti-malware apparatus should remove Trojans from APT33's arsenal in a straightforward manner if given the opportunity.

APT33, AKA Elfin, is targeting companies throughout Asia, the Middle East, and the Americas with great interest. No industry is perfectly safe – at least, not without the right security protocols and employee training in place.
