Iranian APT33 aims to attack US businesses with destructive malware

by Olivia Morelli

APT33, an Iranian group, is accused of building and running cyber espionage operations. APT33 targets companies operating in the petrochemical, aerospace and energy industries in the US, Saudi Arabia and South Korea.

Iranian APT33

According to FireEye, the group's most recent attack was carried out using a dropper named DropShot, which carries the StoneDrill wiper malware. The StoneDrill wiper is a variant of Shamoon 2.

The malware is spread through spear phishing campaigns that use job ads for aviation companies operating in Saudi Arabia and for Western enterprises. The emails combine HR-themed lures with web links to malicious HTML application (.hta) files.

These files contained job descriptions and links to legitimate job postings on well-known recruitment websites relevant to the targeted users. The researchers note that “unbeknownst to the user, the .hta file also contained embedded code that automatically downloaded a custom APT33 backdoor (TurnedUp)”.

The ads were sent from email addresses on spoofed domains impersonating companies such as Boeing, Vinnell Arabia, Northrop Grumman Aviation Arabia and Alsalam Aircraft Company. Users who were interested in the ads, or who accidentally clicked the spoofed link, downloaded the DropShot malware.[1]

In March 2017, Kaspersky Lab published a report on StoneDrill. StoneDrill is a variant of the infamous Shamoon, whose targets in 2012 included companies such as Saudi Aramco and RasGas.[2] StoneDrill was also used against enterprises in Saudi Arabia and was detected inside petrochemical companies in Europe.

StoneDrill resembles Shamoon in several respects, and adds features and techniques that help the malware evade antivirus products.[3]

Kaspersky investigators also note that StoneDrill shares some similarities with the APT group known as Charming Kitten or NewsBeef; the overlap lies in the use of the Browser Exploitation Framework (BeEF). However, neither Kaspersky nor FireEye can confirm whether the groups behind Shamoon and StoneDrill are the same or simply share similar interests and targets.

APT33 has been running cyber espionage operations since 2013 and works on behalf of the Iranian government.

According to FireEye, in May 2017 APT33 used a malicious file to lure users working for a petrochemical firm operating in Saudi Arabia.

The overall aim of these attacks is to strengthen Iran’s aviation industry, collect intelligence related to Saudi Arabia, and help Iranian petrochemical companies gain an advantage over Saudi businesses.

FireEye also adds that the malware is linked to an Iranian individual who may have been paid by the Iranian government to mount cyber attacks against its opponents.

“We assess an actor using the handle ‘xman_1365_x’ may have been involved in the development and potential use of APT33’s TurnedUp backdoor”, reported FireEye.

Researchers note that xman_1365_x appears in the program database (PDB) path of a number of TurnedUp backdoor samples they possess. Xman_1365_x is also believed to have been an administrator of a programming forum called Barnamenevis and to have registered accounts on other popular Iranian forums such as Shabgard and Ashiyane.
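The attribution clue above comes from the PDB path that a compiler leaves in a binary's CodeView ("RSDS") debug record. The following is an added example, not FireEye's or Kaspersky's tooling, showing how an analyst can pull those paths out of a sample and check the user-profile component against a watchlist of handles; the sample bytes and the watchlist are constructed here, with the handle taken from the article.

```python
import re
import struct
from typing import List, Optional

# Constructed sample: a minimal CodeView "RSDS" record as it appears inside a PE file's
# debug data, embedded so the example runs offline. This is not a real TurnedUp sample.
FAKE_PE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 60 +
    b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) +
    b"C:\\Users\\xman_1365_x\\Desktop\\project\\Release\\TurnedUp.pdb\x00" +
    b"\x00" * 32
)

# Constructed watchlist of handles; the only entry is the one named in the article.
WATCHLIST = {"xman_1365_x"}


def extract_pdb_paths(data: bytes) -> List[str]:
    """Return every PDB path found in CodeView RSDS records in raw file bytes.
    Record layout: 'RSDS' signature, 16-byte GUID, 4-byte age, NUL-terminated path."""
    paths = []
    for m in re.finditer(b"RSDS", data):
        start = m.end() + 16 + 4            # skip the GUID and the age field
        end = data.find(b"\x00", start)
        if end == -1:
            continue
        raw = data[start:end]
        if raw.lower().endswith(b".pdb"):   # keep only records that look like a PDB path
            paths.append(raw.decode("latin-1"))
    return paths


def user_from_pdb_path(path: str) -> Optional[str]:
    """Pull the account name out of a Windows user-profile path such as C:\\Users\\<name>\\..."""
    m = re.search(r"[\\/]Users[\\/]([^\\/]+)", path, re.IGNORECASE)
    return m.group(1) if m else None


def flag_sample(data: bytes) -> List[str]:
    """Return watchlisted handles that appear as the user component of the sample's PDB paths."""
    watched = {w.lower() for w in WATCHLIST}
    hits = []
    for path in extract_pdb_paths(data):
        user = user_from_pdb_path(path)
        if user and user.lower() in watched:
            hits.append(user)
    return hits


if __name__ == "__main__":
    print(extract_pdb_paths(FAKE_PE_BYTES))
    print(flag_sample(FAKE_PE_BYTES))
```

The same scan can be run over a directory of samples to cluster binaries by build path, which is the kind of overlap the researchers used to tie TurnedUp samples to a single developer.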

About the author

Olivia Morelli - Senior Media Writer

Olivia Morelli is a senior media writer. Her favorite topic to write about is ransomware attacks and how to deal with them, but she also enjoys covering other types of malware and VPNs.
