Iranian APT33 Hackers Use Special Botnets for High-Value Targets in U.S.

An Iran-linked cyberespionage group tracked as APT33 has used obfuscated botnets as part of attacks aimed at high-value targets located in the United States, the Middle East and Asia, Trend Micro reported on Thursday.


APT33, which some experts believe has been active since at least 2013, is also known as Refined Kitten, Elfin, Magnallium and Holmium. It has targeted organizations in the government, research, aerospace, energy, oil, consulting, finance, telecoms, manufacturing and chemical sectors in the United States, Europe, the Middle East and Asia.


Researchers at Trend Micro have been monitoring the threat actor’s activities and noticed that while some attacks are “relatively noisy,” some high-value entities have been targeted using a dedicated infrastructure set up to make tracking more difficult.


This infrastructure has been used this year against several targets in the United States, including a private company offering services related to national security, a college, a university, and an entity related to the military. Several victims were also observed in the Middle East and Asia.


As part of these attacks, APT33 has used small botnets, each made up of roughly a dozen bots (i.e., compromised machines on the victim’s network). Trend Micro says these bots are used to maintain persistence on the network, and the malware on these devices is basic — it allows the attackers to download and run additional tools.


The attackers have set up several command and control (C&C) domains on cloud-hosted proxies that relay requests from bots to backend C&C servers hosted on shared web servers, which may also host thousands of legitimate domains.


These backends send bot data to aggrega ..