APT33 Elevates C2 Capabilities with New PowerShell Malware
- Actor Motivations: Exfiltration
- Attack Vectors: OS command injection, Malware
- Attack Complexity: Medium
- Threat Risk: Low Impact/Low Probability
Threat Overview
The article provides a detailed analysis of a sophisticated PowerShell malware attributed to APT33, a well-known cyber threat group. It examines a specific file associated with this malware and documents its capabilities and behaviors. The malware implements a variety of functions, including privilege escalation, data encryption and decryption, file upload and download, and screenshot capture. It also uses a complex command structure for interacting with its command-and-control server, and establishes persistence through WMI event filters and registry modifications. The analysis contributes to the broader understanding of APT33's tactics and tooling.
Extracted IOCs
- backupaccount[.]net
- 985797eb1a75f297359bf52aa7c27715
- 2c2cc6c42c6ccf74d96e5913277537679ec20fba
- 6bea9a7c9ded41afbebb72a11a1868345026d8e46d08b89577f30b50f4929e85
Tip: 4 related IOCs (0 IP, 1 domain, 0 URL, 0 email, 3 file hash) to this threat have been found.
Overlaps
Source: Hyas - September 2019
Detection (one case): backupaccount[.]net
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.