Friday, December 6, 2024
HomeBotnetAPT33 Hackers Launching Malware via Obfuscated C2 Server to Hack Organizations in...

APT33 Hackers Launching Malware via Obfuscated C2 Server to Hack Organizations in the Middle East, the U.S., and Asia

Published on

SIEM as a Service

Researchers uncovered a new wave of a targeted cyberattack against the organizations in the Middle East, the U.S., and Asia using an obfuscated Malware with dozen live Command and Control (C&C) botnet servers.

A Well-known threat group is known as APT33 behind the attack, and the group has a record of aggressively attack the oil aviation, governments, engineering, manufacturing, consulting, finance, telecoms, and several other sectors.

A dozen Obfuscated APT33 Botnet C&C servers are using for this malware campaign, and these botnets believed to be comprising a small group up to a dozen infected computers.

- Advertisement - SIEM as a Service

Malware that is delivered in this campaign has limited capabilities include downloading additional malware to process further infection.

Compared to other APT groups, APT33 has very aggressive attack records in the past 2 years and they are mostly using spear phishing emails to initiate the attack against the targeted companies.

APT33 Infection Chain with VPN Services

Several Command and control domains are being used for the small botnet that comprised of dozens of bots, and the C2 domains behind this campaign are hosting in the cloud-hosted proxies.

“These proxies relay URL requests from the infected bots to backends at shared webservers that may host thousands of legitimate domains. The backends report bot data back to a data aggregator and bot control server that is on a dedicated IP address. “

Attackers using a private VPN network to connect the aggregator and issue a command to the bots via a VPN connection.

Using private VPN networks for infecting the target is very common nowadays. To hide their whereabouts activities, APT33 actors often using commercial VPN services during the maintenance of C&C Botnet servers and reconnaissance activities.

According to Trend Micro research, Though the connections from private VPN networks usch as OpenVPN still come from seemingly unrelated IP addresses around the world, this kind of traffic is actually easier to track. Once we know that an exit node is mainly being used by a particular actor, we can have a high degree of confidence about the attribution of the connections that are made from the IP addresses of the exit node.

In this current attack, APT33 using exclusive exit nodes and the researchers tracked down the several exit nodes that used by APT 33 includes few private VPN exit nodes.

These private VPN exit nodes are also used for reconnaissance of networks that are relevant to the supply chain of the oil industry.

With the help of a Private VPN network, APT33  access websites of penetration testing companies, webmail, websites on vulnerabilities, I also used to read hacker blogs and forums.

It’s highly recommended to check the existence of following IP addresses in the oil and gas industry computer networks.

5.135.120.57
5.135.199.25
31.7.62.48
51.77.11.46
54.36.73.108
54.37.48.172
54.38.124.150
88.150.221.107
91.134.203.59
109.169.89.103
109.200.24.114
137.74.80.220
137.74.157.84
185.122.56.232
185.125.204.57
185.175.138.173
188.165.119.138
193.70.71.112
195.154.41.72
213.32.113.159
216.244.93.137

Trend Micro researchers witnessed some of the above listed IP addresses doing reconnaissance on the network of an oil exploration company and military hospitals in the Middle East, as well as an oil company in the U.S.

Indicator of Compromise

File nameSHA256
MsdUpdate.exee954ff741baebb173ba45fbcfdea7499d00d8cfa2933b69f6cc0970b294f9ffd
MsdUpdate.exeb58a2ef01af65d32ca4ba555bd72931dc68728e6d96d8808afca029b4c75d31e
MsdUpdate.exea67461a0c14fc1528ad83b9bd874f53b7616cfed99656442fb4d9cdd7d09e449
MsdUpdate.exec303454efb21c0bf0df6fb6c2a14e401efeb57c1c574f63cdae74ef74a3b01f2
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...