Shamoon-Slingers APT33 in Secret New Operations

Written by

Security researchers are warning oil and aviation industry organizations to be on their guard after spotting a notorious Iranian APT group using private VPNs to keep its activity hidden.

APT33 has been linked to the infamous Shamoon destructive malware which knocked out tens of thousands of PCs at Saudi Aramco in 2012 and has been deployed across Europe and the Middle East since.

Now Trend Micro has observed the group using a dozen command and control (C&C) servers in a highly obfuscated attack targeting a narrow group of organizations in the US, Asia and Middle East.

The group has been ramping up operations since 2018 with attacks on a UK and European oil company as well as supply chain organizations, the vendor claimed in a new blog post.

Already infected this year are a private American company that offers national security-related services, US universities, a military-linked US organization and several victims in the Middle East and Asia.

Although the malware linked to the small botnets used by the group is limited mainly to downloading and running additional malware, APT33 is going to great lengths to stay hidden.

“The C&C domains are usually hosted on cloud hosted proxies. These proxies relay URL requests from the infected bots to backends at shared webservers that may host thousands of legitimate domains,” said Trend Micro.

“The backends report bot data back to a data aggregator and bot control server that is on a dedicated IP address. The APT33 actors connect to these aggregators via a private VPN network with exit nodes that are changed frequently. The APT33 actors then issue commands to the bots and collect data from the bots using these VPN connections.”

The setting up of private VPNs is easily done via open source software such as OpenVPN, plus rented servers. However, by using this technique, the group’s efforts have actually become easier to track once the researchers discovered which exit nodes the VPNs are using.

They’re apparently being used to hide reconnaissance of possible future victims including oil company suppliers, and other research.

“APT33 used its private VPN network to access websites of penetration testing companies, webmail, websites on vulnerabilities, and websites related to cryptocurrencies, as well as to read hacker blogs and forums,” said Trend Micro. “APT33 also has a clear interest in websites that specialize in the recruitment of employees in the oil and gas industry.”

The vendor urged regular patching, employee security training, least privilege access policies and multi-layered protection for oil and utilities firms.

What’s hot on Infosecurity Magazine?