A new report from the threat research firm Recorded Future finds that activity from APT33—the Iranian “threat group” previously tied to the Shamoon wiper attack and other Iranian cyber-espionage and destructive malware attacks—has risen dramatically, with the organization creating over 1,200 domains for use in controlling and spreading malware. The research, conducted by Recorded Future’s Insikt Group threat intelligence service, found with some confidence that individuals tied to APT33 (also known as “Elfin”) had launched attacks on multiple Saudi companies, including two healthcare organizations—as well as an Indian media company and a “delegation from a diplomatic institution.”
The majority of these attacks have involved “commodity” malware—well-known remote access tools (RATs). According to the report:
APT33, or a closely aligned threat actor, continues to control C2 domains in bulk. Over 1,200 domains have been in use since March 28, 2019, alone. Seven hundred twenty-eight of these were identified communicating with infected hosts. Five hundred seventy-five of the 728 domains were observed communicating with hosts infected by one of 19 mostly publicly available RATs. Almost 60% of the suspected APT33 domains that were classified to malware families related to njRAT infections, a RAT not previously associated with APT33 activity. Other commodity RAT malware families, such as AdwindRAT and RevengeRAT, were also linked to suspected APT33 domain activity.
After Symantec revealed much of the infrastructure used by APT33 in March, the Iranian group parked a majority of its existing domains and registered over 1,200 new ones, with only a few remaining active. In addition to the collection of RATs, about a quarter of the domains are tied to unknown activity—and a half-percent are connected to StoneDrill, the upgraded Shamoon wiper first seen in 2017.