APT33

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. [1] [2]

ID: G0064
Version: 1.1

Associated Group Descriptions

Name | Description
Elfin | [4]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1110 | Brute Force | APT33 has used password spraying to gain access to target systems.[3]
Enterprise | T1043 | Commonly Used Port | APT33 has used port 443 for command and control.[3]
Enterprise | T1003 | Credential Dumping | APT33 has used a variety of publicly available tools like LaZagne, Mimikatz, Gpppassword, SniffPass, and ProcDump to dump credentials.[4][3]
Enterprise | T1002 | Data Compressed | APT33 has used WinRAR to compress data prior to exfiltration.[4]
Enterprise | T1132 | Data Encoding | APT33 has used base64 to encode command and control traffic.[3]
Enterprise | T1480 | Execution Guardrails | APT33 has used kill dates in their malware to guardrail execution.[3]
Enterprise | T1048 | Exfiltration Over Alternative Protocol | APT33 has used FTP to exfiltrate files (separately from the C2 channel).[4]
Enterprise | T1203 | Exploitation for Client Execution | APT33 has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250).[4]
Enterprise | T1068 | Exploitation for Privilege Escalation | APT33 has used a publicly available exploit for CVE-2017-0213 to escalate privileges on a local system.[3]
Enterprise | T1040 | Network Sniffing | APT33 has used SniffPass to collect credentials by sniffing network traffic.[4]
Enterprise | T1027 | Obfuscated Files or Information | APT33 has used base64 to encode payloads.[3]
Enterprise | T1086 | PowerShell | APT33 has utilized PowerShell to download files from the C2 server and run various scripts.[4]
Enterprise | T1060 | Registry Run Keys / Startup Folder | APT33 has deployed a tool known as DarkComet to the Startup folder of a victim.[4]
Enterprise | T1105 | Remote File Copy | APT33 has downloaded additional files and programs from its C2 server.[4]
Enterprise | T1053 | Scheduled Task | APT33 has created a scheduled task to execute a .vbe file multiple times a day.[4]
Enterprise | T1192 | Spearphishing Link | APT33 has sent spearphishing emails containing links to .hta files.[1][4]
Enterprise | T1071 | Standard Application Layer Protocol | APT33 has used HTTP for command and control.[4]
Enterprise | T1032 | Standard Cryptographic Protocol | APT33 has used AES for encryption of command and control traffic.[3]
Enterprise | T1065 | Uncommonly Used Port | APT33 has used ports 808 and 880 for command and control.[4]
Enterprise | T1204 | User Execution | APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails.[1][4]
Enterprise | T1078 | Valid Accounts | APT33 has used valid accounts for initial access and privilege escalation.[2][3]
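The Brute Force row above (T1110, password spraying) is the entry in this table that most rewards a concrete detection. Spraying differs from classic brute force: one source tries many accounts with only one or two guesses each, staying under the lockout threshold, so a per-account failure counter never fires. The script below is an added example and is not part of the ATT&CK page or any APT33 tooling; it models Windows Event ID 4625 logon failures as dicts, and the sample events, the threshold values and the field names are constructed assumptions for this example.

```python
"""Detect password spraying (ATT&CK T1110) in Windows logon-failure telemetry.

Added example, not from the ATT&CK page or from any APT33 tool. Events are
modelled as dicts with the fields a 4625 record would give you (event_id,
timestamp, source address, target user); SAMPLE_EVENTS below are constructed.
Signature of a spray, per source address: many distinct target accounts,
few failures per account, inside a short time window. A single account being
hammered (classic brute force) or a user mistyping twice must NOT alert.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune to the environment.
WINDOW = timedelta(minutes=30)      # span in which failures are correlated
MIN_DISTINCT_USERS = 10             # how many accounts make it a spray
MAX_FAILS_PER_USER = 3              # above this it is brute force, not spray


def _ev(ts, src, user):
    """Build one constructed 4625-style logon-failure record."""
    return {"event_id": 4625, "ts": ts, "src_ip": src, "user": user}


_BASE = datetime(2019, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    # Spray: one source, 12 accounts, exactly one failure each, a minute apart.
    [_ev(_BASE + timedelta(minutes=i), "10.0.0.5", f"user{i:02d}") for i in range(12)]
    # Brute force: one source hammering a single account; not a spray.
    + [_ev(_BASE + timedelta(seconds=10 * i), "10.0.0.9", "Administrator") for i in range(15)]
    # Benign: a user mistyping a password twice.
    + [_ev(_BASE + timedelta(minutes=5 * i), "10.0.0.20", "alice") for i in range(2)]
)


def detect_password_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                          max_per_user=MAX_FAILS_PER_USER):
    """Return one alert dict per source address that shows a spray pattern.

    For each source, failures are sorted by time and a sliding window is moved
    over them; a window qualifies when it holds at least `min_users` distinct
    accounts and no single account exceeds `max_per_user` failures. The widest
    qualifying window per source is reported so the alert lists every account
    touched, not just the first ten.
    """
    by_src = defaultdict(list)
    for e in events:
        if e.get("event_id") != 4625:
            continue
        # Usernames are case-insensitive in AD; normalise so Alice == alice.
        by_src[e["src_ip"]].append((e["ts"], e["user"].lower()))

    alerts = []
    for src, fails in by_src.items():
        fails.sort()
        best = None
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(u for _, u in fails[start:end + 1])
            spray_like = (len(per_user) >= min_users
                          and max(per_user.values()) <= max_per_user)
            if spray_like and (best is None or len(per_user) > best["distinct_users"]):
                best = {
                    "src_ip": src,
                    "distinct_users": len(per_user),
                    "window_start": fails[start][0],
                    "window_end": fails[end][0],
                    "users": sorted(per_user),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_password_spray(SAMPLE_EVENTS):
        print(f"{a['src_ip']}: {a['distinct_users']} accounts between "
              f"{a['window_start']:%H:%M} and {a['window_end']:%H:%M}")
```

Run against the constructed events, only 10.0.0.5 alerts; the Administrator brute force and alice's two typos are filtered by the distinct-user and per-user thresholds respectively. In production the same logic should also be keyed on the set of target accounts rather than only on source address, because a spray run through a proxy pool rotates source IPs while the account list stays stable, and the per-user cap should sit below the domain lockout threshold so the detection fires before an attacker who is deliberately staying under it has finished a pass.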

Software

ID | Name | References | Techniques
S0129 | AutoIt backdoor | [4] | Bypass User Account Control, Data Encoding, File and Directory Discovery, PowerShell
S0363 | Empire | [3][4] | Access Token Manipulation, Accessibility Features, Account Discovery, Browser Bookmark Discovery, Bypass User Account Control, Clipboard Data, Command-Line Interface, Commonly Used Port, Create Account, Credential Dumping, Credentials in Files, Data Compressed, Distributed Component Object Model, DLL Search Order Hijacking, Domain Trust Discovery, Email Collection, Execution through API, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Modification, Hooking, Input Capture, Kerberoasting, LLMNR/NBT-NS Poisoning and Relay, Modify Existing Service, Network Service Scanning, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, Pass the Hash, Pass the Ticket, Path Interception, PowerShell, Private Keys, Process Discovery, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Remote Services, Scheduled Task, Screen Capture, Scripting, Security Software Discovery, Security Support Provider, Service Execution, Shortcut Modification, SID-History Injection, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Timestomp, Trusted Developer Utilities, Video Capture, Web Service, Windows Management Instrumentation
S0095 | FTP | [4] | Commonly Used Port, Exfiltration Over Alternative Protocol
S0349 | LaZagne | [4] | Credential Dumping, Credentials in Files
S0002 | Mimikatz | [4] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0336 | NanoCore | [2] | Audio Capture, Command-Line Interface, Disabling Security Tools, Input Capture, Modify Registry, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Remote File Copy, Scripting, Standard Cryptographic Protocol, System Network Configuration Discovery, Uncommonly Used Port, Video Capture
S0039 | Net | [4] | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0198 | NETWIRE | [1][2] | Code Signing, Input Capture, Registry Run Keys / Startup Folder, Screen Capture, System Information Discovery
S0378 | PoshC2 | [3][4] | Access Token Manipulation, Account Discovery, Automated Collection, Brute Force, Bypass User Account Control, Connection Proxy, Credential Dumping, Credentials in Files, Data Compressed, Domain Trust Discovery, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Input Capture, LLMNR/NBT-NS Poisoning and Relay, Network Service Scanning, Network Sniffing, Pass the Hash, Password Policy Discovery, Permission Groups Discovery, Process Injection, Service Execution, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, Windows Management Instrumentation, Windows Management Instrumentation Event Subscription
S0194 | PowerSploit | [3] | Access Token Manipulation, Account Discovery, Audio Capture, Credential Dumping, Credentials in Registry, Data from Local System, DLL Search Order Hijacking, Domain Trust Discovery, Indicator Removal from Tools, Input Capture, Kerberoasting, Modify Existing Service, Obfuscated Files or Information, Path Interception, PowerShell, Process Discovery, Process Injection, Query Registry, Registry Run Keys / Startup Folder, Scheduled Task, Screen Capture, Security Support Provider, Windows Management Instrumentation
S0371 | POWERTON | [3] | Commonly Used Port, Credential Dumping, PowerShell, Registry Run Keys / Startup Folder, Standard Application Layer Protocol, Standard Cryptographic Protocol, Windows Management Instrumentation Event Subscription
S0192 | Pupy | [3] | Access Token Manipulation, Account Discovery, Audio Capture, Bypass User Account Control, Create Account, Credential Dumping, Data Compressed, Email Collection, Exfiltration Over Command and Control Channel, File and Directory Discovery, Indicator Removal on Host, Input Capture, LLMNR/NBT-NS Poisoning and Relay, Multilayer Encryption, Network Service Scanning, Network Share Discovery, PowerShell, Process Discovery, Process Injection, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Remote File Copy, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, Systemd Service, Video Capture, Virtualization/Sandbox Evasion
S0358 | Ruler | [3] | Email Collection, Office Application Startup
S0140 | Shamoon | [4] | Bypass User Account Control, Commonly Used Port, Data Destruction, Data Encrypted for Impact, Disk Structure Wipe, Masquerading, Modify Registry, New Service, Obfuscated Files or Information, Query Registry, Remote File Copy, Remote System Discovery, Scheduled Task, Service Execution, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Time Discovery, Valid Accounts, Windows Admin Shares
S0199 | TURNEDUP | [1][2][4] | Command-Line Interface, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Screen Capture, System Information Discovery

References