Rewterz Threat Alert – Android Malware – IMobile-VERIFY Leverages Financially Motivated Cyber Attacks
November 15, 2019Rewterz Threat Alert – Microsoft Office 365 Admins Targeted by Ongoing Phishing Campaign
November 18, 2019Severity
High
Analysis Summary
The threat group regularly referred to as APT33 is known to target the oil and aviation industries aggressively. This threat group has been reported on consistently for years, but our recent findings show that the group has been using about a dozen live Command and Control (C&C) servers for extremely narrow targeting. The group puts up multiple layers of obfuscation to run these C&C servers in extremely targeted malware campaigns against organizations in the Middle East, the U.S., and Asia.
APT33 has also been executing more aggressive attacks over the past few years. For example, for at least two years the group used the private website of a high-ranking European politician (a member of her country’s defense committee) to send spear phishing emails to companies that are part of the supply chain of oil products. Targets included a water facility that is used by the U.S. army for the potable water supply of one of its military bases.
These attacks have likely resulted in concrete infections in the oil industry. For example, in the fall of 2018, we observed communications between a U.K.-based oil company with computer servers in the U.K. and India and an APT33 C&C server. Another European oil company suffered from an APT33 related malware infection on one of their servers in India for at least 3 weeks in November and December 2018. There were several other companies in oil supply chains that had been compromised in the fall of 2018 as well. These compromises indicate a big risk to companies in the oil industry, as APT33 is known to use destructive malware.
Impact
Exposure of sensitive information.
Indicators of Compromise
Filename
MsdUpdate.exe
From Email
- recruitment@alsalam.aero
- recruitment@alsalam.aero
- careers@ngaaksa.com
- jobs@ngaaksa.ga
- jobs@dyn-intl.ga
- jobs@dyn-intl.ga
- jobs@mail.dyn-corp.ga
- careers@sipchem.ga
- jobs@sipchem.ga
- jobs@sipchem.ga
- careers@aramcojobs.ga
- careers@aramcojobs.ga
- careers@aramcojobs.ga
- jobs@samref.ga
SH256
- e954ff741baebb173ba45fbcfdea7499d00d8cfa2933b69f6cc0970b294f9ffd
- b58a2ef01af65d32ca4ba555bd72931dc68728e6d96d8808afca029b4c75d31e
- a67461a0c14fc1528ad83b9bd874f53b7616cfed99656442fb4d9cdd7d09e449
- c303454efb21c0bf0df6fb6c2a14e401efeb57c1c574f63cdae74ef74a3b01f2
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.