Threats Feed | APT33 | Last Updated: 25/07/2024 | Author: Certfa Radar | Publish Date: 18/11/2019

Credential and Information Theft: APT33's Job Scam Campaign

  • Actor Motivations: Espionage
  • Attack Vectors: Backdoor, Phishing
  • Attack Complexity: Low
  • Threat Risk: Low Impact/High Probability

Threat Overview

Iranian APT33 has been detected running a phishing campaign that uses fake job offers as lures. The campaign aims at credential theft, information theft, and unauthorized remote access. While the targeted sectors and countries are not specified, the indicators of compromise include domain names such as "www[.]global-careers[.]org" and filenames such as "JobDescription.zip" and "JobDescription.vbe".

Extracted IOCs

Domains:
  • fineksus[.]com
  • global-careers[.]org
  • dyn-intl.world-careers[.]org
  • raytheonjobs.serveblog[.]net
  • www.global-careers[.]org

File hashes (MD5):
  • 0efb36b6dd3493b7869e8da731eff77d
  • 24ccad79498d240f19bfd2fc144b875e
  • 673510dd92eb812d70b017c27385d389
  • 7c295c528fea9385a2e3165b683d1a46
  • af707c4f8e40f529e8a342259ee9c8ae

File hashes (SHA-256):
  • 14985711a5aa14c6cded0f21db544706ba845de89866e06c59a9151e7dafe19f
  • 6d76db96a544700a1fdcac810c7429aa64c22f249895d0a6e58d44809350fa69
  • 92e66acd62dfb1632f6e4ccb90a343cb8b8e2f4fb7c9bfa9ae0745db0748223b
  • ce0f7048903c6c2ee5357e8678247ae19666e91058060a3d38e09e49a94047b7
  • e2b5900211088daf754d900ff7b229defe72bf6ae21efb53c966113a2b2b16b3

IP address:
  • 208[.]91.197.91

URL:
  • hxxp://fineksus[.]com/delp.exe

Tip: 17 IOCs related to this threat have been found (1 IP, 5 domains, 1 URL, 0 emails, 10 file hashes).