Rewterz Threat Alert – APT 33 Resurfaces with Fresh Attacks – IoCs

Severity

High

Analysis Summary

• APT33 was noticed to send emails with embedded URLs for malicious (.doc) and (.hta) files.
• The main custom AutoIt backdoor gets downloaded post exploitation to start contacting their POWERTON C&C infrastructure.
• The (.doc) files are embedded with highly obfuscated macros.
• The (.hta) files are displaying a decoy document

Impact

Security Bypass

Indicators of Compromise

IP(s) / Hostname(s)

• 91[.]235[.]116[.]212
• 185[.]217[.]95[.]26
• 37[.]220[.]6[.]115
• 103[.]236[.]149[.]100
• 213[.]227[.]154[.]22
• 91[.]216[.]163[.]90
• 91[.]216[.]163[.]90
• 91[.]216[.]163[.]90
• 162[.]255[.]119[.]58
• 162[.]255[.]119[.]191

Filename

• Instruction.doc
• CEA.hta
• Version.exe
• Version.7z

Malware Hash (MD5/SHA1/SH256)

• 878827a207b86c8cfdba7c64e897198f
• a0567cb99e6ac9b17001c2a07e6f0ea4
• 3979c1c1751b6671af294bbffa161a22
• b5d943da309ff49a3c4f261046bc389b
• 16ecbf1e31675ee56ae315cecf198b33
• d922ac5490c9446472b2ce5ec6a09682
• 59c5ceb700bf6aedccf36042af379c0b
• 54fbb2c0756579b20b5b45e652adf412
• 3871aac486ba79215f2155f32d581dc2
• 2cd286711151efb61a15e2e11736d7d2
• c38069d0bc79acdc28af3820c1123e53
• 5a66480e100d4f14e12fceb60e91371d
• 4047e238bbcec147f8b97d849ef40ce5
• e2d60bb6e3e67591e13b6a8178d89736
• 974b999186ff434bee3ab6d61411731f
• 53ae59ed03fa5df3bf738bc0775a91d9
• 7f4f7e307a11f121d8659ca98bc8ba56
• bd80fcf5e70a0677ba94b3f7c011440e
• 4aca006b9afe85b1f11314b39ee270f7
• f5ac89d406e698e169ba34fea59a780e
• 99649d58c0d502b2dfada02124b1504c
• 4047e238bbcec147f8b97d849ef40ce5
• 46038aa5b21b940099b0db413fa62687

Remediation

• Scan these IOC’s in your existing environment.
• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the link/attachments sent by unknown senders.