ATK35

Presumed Origin: Iran

Alias: APT 33, APT33, COBALT TRINITY, Elfin, HOLMIUM, MAGNALLIUM, PARISITE, Refined Kitten

ATK35 (aka APT33, the name used by FireEye) is an Iranian cyberespionage group operating since approximately 2013.

It is known to use fraudulent social media profiles to target individuals and organizations of interest, harvesting credentials and delivering an IRC-based malware variant.


The breadth of the elaborate personas and fraudulent organizations created by ATK35 shows that this adversary engages in a level of preparation and patience rarely seen in targeted intrusion efforts. The actor also targets third-party service providers in order to compromise the organizations of interest.


ATK35 usually tries to access private emails and Facebook accounts, and sometimes establishes a foothold on victims' computers as a secondary focus.


The group's TTPs largely overlap with those of another group, ATK26 (aka Rocket Kitten), so public reporting may not distinguish between the activities of the two groups.


References:

http://attack.mitre.org/wiki/Group/G0058

http://attack.mitre.org/wiki/Group/G0064

http://docs.google.com/spreadsheets/u/0/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml#

http://go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf

http://iranthreats.github.io/resources/macdownloader-macos-malware/

http://malpedia.caad.fkie.fraunhofer.de/actor/apt33

http://malpedia.caad.fkie.fraunhofer.de/actor/charming_kitten

http://malpedia.caad.fkie.fraunhofer.de/actor/magnallium

http://pastebin.com/SdYaPUwr

http://securelist.com/freezer-paper-around-free-meat/74503/

http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf

http://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

http://www.reuters.com/article/iran-hackers/iranian-hackers-use-fake-facebook-accounts-to-spy-on-u-s-others-idUSL1N0OE2CU20140529

https://www.clearskysec.com/wp-content/uploads/2019/09/The-Kittens-Are-Back-in-Town-Charming-Kitten-2019.pdf

Target sector

  • Aerospace
  • Aviation
  • Chemicals
  • Communication
  • Defense
  • Dissident
  • Education
  • Energy
  • Financial Services
  • Government and administration agencies
  • Healthcare
  • High-Tech
  • Manufacturing
  • Media
  • Research

Target countries

  • Iran, Islamic Republic Of
  • Iraq
  • Israel
  • Korea, Republic of
  • Saudi Arabia
  • United Kingdom of Great Britain and Northern Ireland
  • United States of America

Attack pattern

  • T1001 - Data Obfuscation
  • T1002 - Data Compressed
  • T1003 - Credential Dumping
  • T1020 - Automated Exfiltration
  • T1024 - Custom Cryptographic Protocol
  • T1027 - Obfuscated Files or Information
  • T1032 - Standard Cryptographic Protocol
  • T1040 - Network Sniffing
  • T1041 - Exfiltration Over C2 Channel
  • T1043 - Commonly Used Port
  • T1048 - Exfiltration Over Alternative Protocol
  • T1053 - Scheduled Task
  • T1060 - Registry Run Keys / Startup Folder
  • T1065 - Uncommonly Used Port
  • T1068 - Exploitation for Privilege Escalation
  • T1071 - Application Layer Protocol (formerly named Standard Application Layer Protocol)
  • T1078 - Valid Accounts
  • T1086 - PowerShell
  • T1105 - Remote File Copy
  • T1110 - Brute Force
  • T1119 - Automated Collection
  • T1125 - Video Capture
  • T1130 - Install Root Certificate
  • T1132 - Data Encoding
  • T1192 - Spearphishing Link
  • T1203 - Exploitation for Client Execution
  • T1204 - User Execution
  • T1480 - Execution Guardrails

Motivation

  • Espionage

Malware

  • AutoIt backdoor
  • DownPaper
  • Mimikatz
  • NETWIRE
  • Nanocore
  • POWERBAND
  • POWERTON
  • Shamoon
  • TURNEDUP

Vulnerabilities

  • CVE-2018-20250