APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.  
Associated Group Descriptions
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1110 | Brute Force | APT33 has used password spraying to gain access to target systems. |
| Enterprise | T1043 | Commonly Used Port | APT33 has used port 443 for command and control. |
| Enterprise | T1003 | Credential Dumping | APT33 has used a variety of publicly available tools like LaZagne, Mimikatz, Gpppassword, SniffPass, and ProcDump to dump credentials. |
| Enterprise | T1002 | Data Compressed | APT33 has used WinRAR to compress data prior to exfil. |
| Enterprise | T1132 | Data Encoding | APT33 has used base64 to encode command and control traffic. |
| Enterprise | T1480 | Execution Guardrails | APT33 has used kill dates in their malware to guardrail execution. |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | APT33 has used FTP to exfiltrate files (separately from the C2 channel). |
| Enterprise | T1203 | Exploitation for Client Execution | APT33 has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250). |
| Enterprise | T1068 | Exploitation for Privilege Escalation | APT33 has used a publicly available exploit for CVE-2017-0213 to escalate privileges on a local system. |
| Enterprise | T1040 | Network Sniffing | APT33 has used SniffPass to collect credentials by sniffing network traffic. |
| Enterprise | T1027 | Obfuscated Files or Information | APT33 has used base64 to encode payloads. |
| Enterprise | T1086 | PowerShell | APT33 has utilized PowerShell to download files from the C2 server and run various scripts. |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | APT33 has deployed a tool known as DarkComet to the Startup folder of a victim. |
| Enterprise | T1105 | Remote File Copy | APT33 has downloaded additional files and programs from its C2 server. |
| Enterprise | T1053 | Scheduled Task | APT33 has created a scheduled task to execute a .vbe file multiple times a day. |
| Enterprise | T1192 | Spearphishing Link | APT33 has sent spearphishing emails containing links to .hta files. |
| Enterprise | T1071 | Standard Application Layer Protocol | APT33 has used HTTP for command and control. |
| Enterprise | T1032 | Standard Cryptographic Protocol | APT33 has used AES for encryption of command and control traffic. |
| Enterprise | T1065 | Uncommonly Used Port | APT33 has used ports 808 and 880 for command and control. |
| Enterprise | T1204 | User Execution | APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails. |
| Enterprise | T1078 | Valid Accounts | APT33 has used valid accounts for initial access and privilege escalation. |