Elfin Hacking Group Targets Multiple U.S. and Saudi Arabian Firms

by chebbi abir

An Iran-linked cyber-espionage group that was found two years ago to be targeting critical infrastructure, energy and military sectors in Saudi Arabia and the United States continues to target organizations in both nations, Symantec reported on Wednesday.

Widely known as APT33, and tracked by Symantec under the name Elfin, the cyber-espionage group has been active since at least late 2015 and has targeted a wide range of organizations, including government, research, chemical, engineering, manufacturing, consulting, finance and telecommunications firms in the Middle East and other parts of the world.

Symantec has monitored Elfin's attacks since the beginning of 2016 and found that the group runs heavily targeted campaigns against a limited set of organizations: 42% of the most recent attacks it observed were against Saudi Arabia and 34% against the United States.

Elfin targeted a total of 18 American organizations in the engineering, chemical, research, energy consultancy, finance, IT and healthcare sectors over the past three years, including a number of Fortune 500 companies.

“Some of these U.S. organizations may have been targeted by Elfin for the purpose of mounting supply chain attacks,” Symantec said in its blog post. “In one instance, a large U.S. company was attacked in the same month a Middle Eastern company it co-owns was also compromised.”


Hackers Still Exploiting Recently Discovered WinRAR Flaw

The APT33 group has also been exploiting a recently disclosed, critical vulnerability (CVE-2018-20250) in the widely used WinRAR file compression application. The flaw is a path traversal bug in the library WinRAR uses to unpack ACE archives: a crafted archive can carry a file name that escapes the chosen extraction directory, so opening a seemingly harmless archive silently drops a malicious file into the Windows Startup folder, where it is executed at the next logon, giving the attacker arbitrary code execution on the targeted computer.

WinRAR's developers patched the vulnerability last month (by dropping support for the ACE format altogether, since the affected third-party library is no longer maintained), but the flaw was actively exploited by various hacking groups and individual hackers almost immediately after its details and proof-of-concept (PoC) exploit code went public. Because WinRAR has no auto-update mechanism, unpatched installations remain common.
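The bug class behind CVE-2018-20250 is an extraction routine that trusts the file name stored inside the archive. The Python below is an added example, not code from the article or from WinRAR, and it does not parse the ACE format; it shows the unsafe join pattern beside a hardened check that an extractor should apply to every member name before writing to disk. The destination directory and the member names are constructed for illustration and are not the real exploit payload.

```python
import os
import re
from typing import Optional

# Constructed sample archive member names (hypothetical, not the real exploit):
# a benign entry, a relative traversal into a Startup folder, a drive-qualified
# absolute path, and a backslash-separated traversal.
SAMPLE_MEMBERS = [
    "docs/readme.txt",
    "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.exe",
    r"C:\Users\Public\Start Menu\Programs\Startup\update.exe",
    r"..\..\Startup\update.exe",
]

_DRIVE_RE = re.compile(r"^[A-Za-z]:")  # "C:" style Windows drive prefix


def naive_target(dest_dir: str, member: str) -> str:
    """The unsafe pattern: join the archive's file name onto the destination
    and normalise it. '..' segments walk out of dest_dir, and an absolute
    member name replaces dest_dir entirely. This is the class of bug that
    CVE-2018-20250 belongs to."""
    return os.path.normpath(os.path.join(dest_dir, member.replace("\\", "/")))


def safe_target(dest_dir: str, member: str) -> Optional[str]:
    """Hardened: return the resolved extraction path, or None if the member
    must be skipped because it would land outside dest_dir."""
    name = member.replace("\\", "/")
    # Reject absolute and drive-qualified names outright; an archive has no
    # business dictating where on the disk its contents go.
    if _DRIVE_RE.match(name) or name.startswith("/"):
        return None
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath equals base only if target is base itself or strictly inside it.
    if os.path.commonpath([base, target]) != base:
        return None  # '..' segments escaped the extraction directory
    return target


def classify(dest_dir: str, members):
    """Map each member name to (naive_path, safe_path_or_None) so the two
    behaviours can be compared side by side."""
    return {m: (naive_target(dest_dir, m), safe_target(dest_dir, m)) for m in members}


if __name__ == "__main__":
    for member, (naive, safe) in classify("/tmp/extract_demo", SAMPLE_MEMBERS).items():
        verdict = "OK" if safe else "REJECTED"
        print(f"{verdict:8} {member!r}\n         naive -> {naive}\n         safe  -> {safe}")
```

The check resolves symlinks on both sides before comparing, so a destination that is itself a symlink does not produce a false rejection, and it treats the drive-letter and leading-slash cases separately because os.path on a non-Windows host would not recognise `C:` as absolute.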

In the APT33 campaign, the WinRAR exploit was used against an organization in the chemical sector in Saudi Arabia: two of its users received, via a spear-phishing email, an archive that attempted to exploit the WinRAR vulnerability.

Symantec is not the only firm to have spotted attacks exploiting the WinRAR flaw. FireEye also identified four separate campaigns using the vulnerability to install password stealers, trojans and other malicious software.

APT33 has also deployed a wide range of tools from its custom malware toolkit, including the Notestuk backdoor (aka TURNEDUP), the Stonedrill Trojan and a backdoor written in AutoIt.[…]
To read the original article: