APT33

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.[1][2]

ID: G0064
Associated Groups: HOLMIUM, Elfin, Peach Sandstorm
Contributors: Dragos Threat Intelligence
Version: 2.0
Created: 18 April 2018
Last Modified: 11 April 2024

Associated Group Descriptions

Name Description
HOLMIUM [3]
Elfin [4]
Peach Sandstorm [5]

Techniques Used

Domain ID Name Use
Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

APT33 has attempted to use WMI event subscriptions to establish persistence on compromised hosts.[3]

Enterprise T1555 Credentials from Password Stores

APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[4][6]

.003 Credentials from Web Browsers

APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[4][6]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

APT33 has used AES for encryption of command and control traffic.[6]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT33 has deployed a tool known as DarkComet to the Startup folder of a victim, and used Registry run keys to gain persistence.[4][3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT33 has utilized PowerShell to download files from the C2 server and run various scripts.[4][3]

.005 Command and Scripting Interpreter: Visual Basic

APT33 has used VBScript to initiate the delivery of payloads.[3]

Enterprise T1203 Exploitation for Client Execution

APT33 has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250), and attempted to gain remote code execution via a security bypass vulnerability (CVE-2017-11774).[4][3]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT33 has used HTTP for command and control.[4]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT33 has used WinRAR to compress data prior to exfiltration.[4]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT33 has used a variety of publicly available tools like LaZagne, Mimikatz, and ProcDump to dump credentials.[4][6]

.004 OS Credential Dumping: LSA Secrets

APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[4][6]

.005 OS Credential Dumping: Cached Domain Credentials

APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[4][6]

Enterprise T1132 .001 Data Encoding: Standard Encoding

APT33 has used base64 to encode command and control traffic.[6]

Enterprise T1110 .003 Brute Force: Password Spraying

APT33 has used password spraying to gain access to target systems.[6][3]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

APT33 has used FTP to exfiltrate files (separately from the C2 channel).[4]

Enterprise T1078 Valid Accounts

APT33 has used valid accounts for initial access and privilege escalation.[2][6]

.004 Cloud Accounts

APT33 has used compromised Office 365 accounts in tandem with Ruler in an attempt to gain control of endpoints.[3]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[4][6]

.006 Unsecured Credentials: Group Policy Preferences

APT33 has used a variety of publicly available tools like Gpppassword to gather credentials.[4][6]

Enterprise T1068 Exploitation for Privilege Escalation

APT33 has used a publicly available exploit for CVE-2017-0213 to escalate privileges on a local system.[6]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

APT33 has used base64 to encode payloads.[6]

Enterprise T1204 .001 User Execution: Malicious Link

APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails.[1][4]

.002 User Execution: Malicious File

APT33 has used malicious e-mail attachments to lure victims into executing malware.[3]

Enterprise T1040 Network Sniffing

APT33 has used SniffPass to collect credentials by sniffing network traffic.[4]

Enterprise T1588 .002 Obtain Capabilities: Tool

APT33 has obtained and leveraged publicly available tools for early intrusion activities.[6][4]

Enterprise T1105 Ingress Tool Transfer

APT33 has downloaded additional files and programs from its C2 server.[4][3]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT33 has sent spearphishing e-mails with archive attachments.[3]

.002 Phishing: Spearphishing Link

APT33 has sent spearphishing emails containing links to .hta files.[1][4]

Enterprise T1571 Non-Standard Port

APT33 has used HTTP over TCP ports 808 and 880 for command and control.[4]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT33 has created a scheduled task to execute a .vbe file multiple times a day.[4]

ICS T0852 Screen Capture

APT33 utilizes backdoors capable of capturing screenshots once installed on a system.[7][8]

ICS T0853 Scripting

APT33 utilized PowerShell scripts to establish command and control and install files for execution.[9][10]

ICS T0865 Spearphishing Attachment

APT33 sent spearphishing emails containing links to HTML application files, which were embedded with malicious code.[7] APT33 has conducted targeted spearphishing campaigns against U.S. government agencies and private sector companies.[11]

Software

ID Name References Techniques
S0129 AutoIt backdoor [4] Command and Scripting Interpreter: PowerShell, Data Encoding: Standard Encoding, File and Directory Discovery, Abuse Elevation Control Mechanism: Bypass User Account Control
S1134 DEADWOOD DEADWOOD was previously linked to APT33 operations in 2019.[12] Masquerading: Masquerade Task or Service, Deobfuscate/Decode Files or Information, Data Destruction, Obfuscated Files or Information: Embedded Payloads, Obfuscated Files or Information: Encrypted/Encoded File, Disk Wipe: Disk Content Wipe, Disk Wipe: Disk Structure Wipe, System Time Discovery, System Services: Service Execution, Account Access Removal
S0363 Empire [6][4] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Event Triggered Execution: Accessibility Features, Credentials from Password Stores: Credentials from Web Browsers, Use Alternate Authentication Material: Pass the Hash, Create or Modify System Process: Windows Service, Create Account: Local Account, Create Account: Domain Account, Clipboard Data, Encrypted Channel: Asymmetric Cryptography, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Domain Trust Discovery, Domain or Tenant Policy Modification: Group Policy Modification, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data, OS Credential Dumping: LSASS Memory, File and Directory Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Native API, Exploitation for Privilege Escalation, Browser Information Discovery, Obfuscated Files or Information: Command Obfuscation, Abuse Elevation Control Mechanism: Bypass User Account Control, Email Collection: Local Email Collection, Indicator Removal: Timestomp, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Network Connections Discovery, System Network Configuration Discovery, Group Policy Discovery, Network Share Discovery, Network Sniffing, Web Service: Bidirectional Communication, Network Service Discovery, Automated Collection, Automated Exfiltration, Video Capture, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Exploitation of Remote Services, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Scheduled Task/Job: Scheduled Task
S0095 ftp [4] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Lateral Tool Transfer, Ingress Tool Transfer
S0349 LaZagne [4] Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Keychain, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, Unsecured Credentials: Credentials In Files
S0002 Mimikatz [4] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0336 NanoCore [2] Modify Registry, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Impair Defenses: Disable or Modify System Firewall, Impair Defenses: Disable or Modify Tools, Obfuscated Files or Information, System Network Configuration Discovery, Video Capture, Ingress Tool Transfer, Input Capture: Keylogging, Audio Capture
S0039 Net [4] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0198 NETWIRE [1][2] Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Proxy, Masquerading: Match Legitimate Name or Location, Masquerading: Invalid Code Signature, Modify Registry, Create or Modify System Process: Launch Agent, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: XDG Autostart Entries, Boot or Logon Autostart Execution: Login Items, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Unix Shell, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data: Archive via Custom Method, Archive Collected Data, Data Staged: Local Data Staging, File and Directory Discovery, Native API, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Obfuscated Files or Information: Fileless Storage, User Execution: Malicious File, User Execution: Malicious Link, System Information Discovery, System Network Connections Discovery, System Network Configuration Discovery, Web Service, Automated Collection, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection, Process Injection: Process Hollowing, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol, Scheduled Task/Job: Cron, Scheduled Task/Job: Scheduled Task
S0378 PoshC2 [6][4] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Credentials from Password Stores, Proxy, Use Alternate Authentication Material: Pass the Hash, Domain Trust Discovery, Password Policy Discovery, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, OS Credential Dumping: LSASS Memory, File and Directory Discovery, Brute Force, Unsecured Credentials: Credentials In Files, Exploitation for Privilege Escalation, Permission Groups Discovery: Local Groups, Abuse Elevation Control Mechanism: Bypass User Account Control, System Information Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Automated Collection, Access Token Manipulation: Create Process with Token, Access Token Manipulation, Account Discovery: Local Account, Account Discovery: Domain Account, Input Capture: Keylogging, Process Injection, Exploitation of Remote Services
S0194 PowerSploit [6] Windows Management Instrumentation, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Create or Modify System Process: Windows Service, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by Search Order Hijacking, Reflective Code Loading, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Security Support Provider, Command and Scripting Interpreter: PowerShell, Domain Trust Discovery, Screen Capture, OS Credential Dumping: LSASS Memory, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Query Registry, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Command Obfuscation, Steal or Forge Kerberos Tickets: Kerberoasting, Access Token Manipulation, Account Discovery: Local Account, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Audio Capture, Scheduled Task/Job: Scheduled Task
S0371 POWERTON [6][3] Event Triggered Execution: Windows Management Instrumentation Event Subscription, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Application Layer Protocol: Web Protocols, OS Credential Dumping: Security Account Manager
S0192 Pupy [6] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Use Alternate Authentication Material: Pass the Ticket, Create or Modify System Process: Systemd Service, Create Account: Domain Account, Create Account: Local Account, Encrypted Channel: Asymmetric Cryptography, Boot or Logon Autostart Execution: XDG Autostart Entries, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: LSA Secrets, File and Directory Discovery, Unsecured Credentials: Credentials In Files, Abuse Elevation Control Mechanism: Bypass User Account Control, Email Collection: Local Email Collection, Indicator Removal: Clear Windows Event Logs, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Virtualization/Sandbox Evasion: System Checks, Video Capture, Access Token Manipulation: Token Impersonation/Theft, Account Discovery: Local Account, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote Services: Remote Desktop Protocol, Exfiltration Over C2 Channel, Audio Capture
S0358 Ruler [6][3] Office Application Startup: Outlook Rules, Office Application Startup: Outlook Forms, Office Application Startup: Outlook Home Page, Account Discovery: Email Account
S0380 StoneDrill [1] Windows Management Instrumentation, Command and Scripting Interpreter: Visual Basic, Screen Capture, Data Destruction, Query Registry, Obfuscated Files or Information: Encrypted/Encoded File, Disk Wipe: Disk Structure Wipe, Disk Wipe: Disk Content Wipe, Indicator Removal: File Deletion, System Information Discovery, System Time Discovery, Virtualization/Sandbox Evasion, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Process Injection
S0199 TURNEDUP [1][2][4] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, System Information Discovery, Ingress Tool Transfer, Process Injection: Asynchronous Procedure Call

References