Shamoon-Slingers APT33 in Secret New Operations

Security researchers are warning oil and aviation industry organizations to be on their guard after spotting a notorious Iranian APT group using private VPNs to keep its activity hidden.

APT33 has been linked to the infamous Shamoon destructive malware which knocked out tens of thousands of PCs at Saudi Aramco in 2012 and has been deployed across Europe and the Middle East since.

Now Trend Micro has observed the group using a dozen command and control (C&C) servers in a highly obfuscated attack targeting a narrow group of organizations in the US, Asia and Middle East.

The group has been ramping up operations since 2018 with attacks on a UK and European oil company as well as supply chain organizations, the vendor claimed in a new blog post.

Already infected this year are a private American company that offers national security-related services, US universities, a military-linked US organization and several victims in the Middle East and Asia.

Although the malware linked to the small botnets used by the group is limited mainly to downloading and running additional malware, APT33 is going to great lengths to stay hidden.

“The C&C domains are usually hosted on cloud hosted proxies. These proxies relay URL requests from the infected bots to backends at shared webservers that may host thousands of legitimate domains,” said Trend Micro.

“The backends report bot data back to a data aggregator and bot control server that is on a dedicated IP address. The APT33 actors connect to these aggrega ..

Support the originator by clicking the read the rest link below.