APT33


Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.


Associated Families
win.darkcomet win.dropshot win.nanocore win.poshc2 win.pupy win.quasar_rat win.shapeshift win.turnedup win.netwire win.remcos

References
1 http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html
1 http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html
1 http://malware-traffic-analysis.net/2017/12/22/index.html
1 http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/
1 http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments
1 https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/
1 https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2
1 https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/
1 https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/
1 https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html
1 https://darkcomet.net
1 https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite
1 https://github.com/n1nj4sec/pupy
1 https://github.com/quasar/QuasarRAT/tree/master/Client
1 https://goggleheadedhacker.com/blog/post/11
1 https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/
1 https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/
1 https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/
1 https://news.drweb.ru/show/?i=13281&c=23
1 https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/
1 https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
3 https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/
1 https://secrary.com/ReversingMalware/RemcosRAT/
1 https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/
1 https://twitter.com/malwrhunterteam/status/789153556255342596
1 https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/
1 https://www.circl.lu/pub/tr-23/
1 https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html
5 https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
2 https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
1 https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html
1 https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/
1 https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/
1 https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
1 https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/
1 https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations
1 https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data
6 https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
1 https://www.vmray.com/cyber-security-blog/smart-memory-dumping/
1 https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/
1 https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/

Credits: MISP Project