Security researchers have warned of a new wave of attacks on Middle Eastern companies from APT33, a group with links to Iran.
Known as “Elfin” and “Refined Kitten,” the group has been in operation since 2015, using a combination of custom malware, commodity malware, and open-source hacking tools.
In a new wave of attacks in February, the group tried to exploit a known vulnerability (CVE-2018-20250) in the popular file archiving utility WinRAR. Having gone undetected for nearly two decades, the bug is particularly dangerous because WinRAR, which is installed on hundreds of millions of machines around the globe, has no automatic update mechanism, so unpatched copies persist.
“If successfully exploited on an unpatched computer, the vulnerability could permit an attacker to install any file on the computer, which effectively permits code execution on the targeted computer,” Symantec explained.
The Elfin group usually begins its attacks with a classic spear-phishing email, and then proceeds to download and use a combination of custom and widely available malware and tools. These include the AutoIt backdoor; RATs such as Remcos, DarkComet and Quasar; and credential stealers like Mimikatz and SniffPass.
Saudi Arabian targets account for 42% of total attacks since 2016, with the US a close second at 34%; there is then a big drop-off to Belgium (6%) in third place.
That WinRAR vulnerability, discovered in February, has also been exploited in multiple campaigns spotted by FireEye.
These include one using a phishing email impersonating an educational accreditation council; an attack on an Israeli military company; and a possible attack against an individual in Ukraine using a PDF letter from former president Viktor Yanukovych and the Empire backdoor as primary payload.
“We have seen how various threat actors are abusing the recently disclosed WinRAR vulnerability using customized decoys and payloads, and by using different propagation techniques such as email and URL,” warned FireEye research scientist Dileep Kumar Jallepalli.
“Because of the huge WinRAR customer-base, lack of auto-update feature and the ease of exploitation of this vulnerability, we believe this will be used by more threat actors in the upcoming days.”