Aliases: APT 33, APT33, COBALT TRINITY, Elfin, HOLMIUM, MAGNALLIUM, PARISITE, Refined Kitten
ATK35 (aka APT33 by FireEye) is an Iranian cyberespionage group active since approximately 2013.
It is known to use fraudulent social media profiles to target individuals and organizations of interest, harvesting credentials and delivering an IRC-based variant of its malware.
The breadth of the elaborate personas and fraudulent organizations created by ATK35 shows that this adversary engages in a level of preparation and patience rarely seen in targeted intrusion efforts. The actor also targets third-party service providers in order to compromise the organizations of interest.
ATK35 usually tries to access private email and Facebook accounts, and sometimes establishes a foothold on victims' computers as a secondary objective.
The group's TTPs overlap heavily with those of ATK26 (aka Rocket Kitten), so reporting may not distinguish between the activities of the two groups.
REFERENCES
http://attack.mitre.org/wiki/Group/G0058
http://attack.mitre.org/wiki/Group/G0064
http://docs.google.com/spreadsheets/u/0/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml#
http://go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf
http://iranthreats.github.io/resources/macdownloader-macos-malware/
http://malpedia.caad.fkie.fraunhofer.de/actor/apt33
http://malpedia.caad.fkie.fraunhofer.de/actor/charming_kitten
http://malpedia.caad.fkie.fraunhofer.de/actor/magnallium
http://securelist.com/freezer-paper-around-free-meat/74503/
http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf
http://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html