APT33 During the Coronavirus Pandemic: July 2020 Update

This blog post continues our ongoing research into Iranian threat actor groups and in particular provides some updates on APT33. APT33 has been operating since at least 2013, and this blog provides an update on some of their most recent activity.

Following the collapse of the Iran nuclear deal, concerns over Iranian threat actor groups have increased. Interest in these groups has increased following recent events including the assassination of a top military official and the subsequent downing of a civilian jetliner near Tehran in early January 2020. More recently, the Iranian government issued an arrest warrant for Donald Trump. However, as Covid-19 dominated the news and threat actors began using it en masse to defraud victims, public attention toward Iranian threat groups has diminished.

APT33 (also referred to as Refined Kitten, Magnallium, and Holmium) is an Iranian threat group known to target a wide range of industry sectors in multiple countries. Attacks have been documented against companies operating in the US in the aviation and petrochemical industries as well as military contractors. APT33 attacks are generally multi-staged attacks utilizing weaponized documents, known vulnerabilities in productivity software such as CVE-2017-11774, as well as PowerShell backdoors. These attacks are often launched from a domain resembling a legitimate business service. An example domain would be customermgmt[.]net, which was revealed by US Cyber Command on July 2, 2019 to be associated with APT33.

Another recent example is from our integration partner ThreatConnect, who have similarly identified some recent suspected registrations in their threat roundup report, ThreatConnect APT33 Infrastructure.

Typical APT33 domain registrations continue despite the global uptick in Coronavirus-themed attacks. HYAS continues to monitor suspected APT33 activity on behalf of our customers. We examined suspicious registrations over a 90-day period and identified a number of domains that were registered using TTPs that we had previously associated with APT33.

If you'd like to learn more about our threat intelligence research, or see how our unique adversary infrastructure expertise can proactively keep your organization protected, please schedule a demo with us!