A persistent espionage group known as APT33 (also tracked as Elfin), which explicitly targets corporate networks, has now set its sights on organizations in Saudi Arabia and the US, delivering an assortment of malware into their systems.
The group, which has reportedly compromised around 50 organizations in various countries since 2015, has so far hit a wide range of targets, including governments alongside organizations in the research, chemical, engineering, manufacturing, consulting, finance, telecoms, and several other sectors.
The attackers scan for vulnerable websites belonging to a particular target and, if a site can be compromised successfully, later use it either as a command-and-control server or as a staging point for malware attacks.
Although the group has mainly focused on Saudi Arabia, which accounts for 42% of its attacks since 2016, it has also compromised 18 organizations in the U.S. alone in recent years.
In the U.S., Elfin targeted organizations in the engineering, chemical, research, energy consultancy, finance, IT, and healthcare sectors.
During these attacks, Elfin is said to have used an assortment of open-source hacking tools, custom malware, and commodity malware to compromise the various targets.
Elfin makes use of several publicly available hacking tools, including:
- LaZagne (SecurityRisk.LaZagne): A login/password retrieval tool
- Mimikatz (Hacktool.Mimikatz): Tool designed to steal credentials
- Gpppassword: Tool used to obtain and decrypt Group Policy Preferences (GPP) passwords
- SniffPass (SniffPass): Tool designed to steal passwords by sniffing network traffic
Additionally, numerous commodity malware tools, the kind available for purchase on the cyber underground, were used in these attacks, including:
- DarkComet (Backdoor.Breut)
- Quasar RAT (Trojan.Quasar)
- NanoCore (Trojan.Nancrat)
- Pupy RAT (Backdoor.Patpoopy)
- NetWeird (Trojan.Netweird.B)
Beyond these, the group's custom malware families include Notestuk (Backdoor.Notestuk), a backdoor used to gain remote access and gather information, and Stonedrill (Trojan.Stonedrill), a custom tool capable of opening a backdoor on an infected computer and downloading additional files.
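The three tool groups above (public credential-theft tools, commodity RATs, custom backdoors) are a useful basis for triaging endpoint alerts: a single credential-dumping detection may be an administrator's own test, but the same host also raising a commodity RAT alert, or any host raising a custom-backdoor alert, matches the intrusion pattern described. The script below is an added example and not code from the article or from Symantec; it assumes a hypothetical, constructed alert log format ("timestamp host detection-name action"), uses only the detection names the article lists, and correlates per host to assign a triage priority.

```python
import re
from collections import defaultdict

# Detection names as listed in the article (Symantec naming), grouped the way the
# article groups them: publicly available hacking tools, commodity RATs, custom backdoors.
TOOL_FAMILIES = {
    "SecurityRisk.LaZagne": ("LaZagne", "credential-theft tool"),
    "Hacktool.Mimikatz": ("Mimikatz", "credential-theft tool"),
    "SniffPass": ("SniffPass", "credential-theft tool"),
    "Backdoor.Breut": ("DarkComet", "commodity RAT"),
    "Trojan.Quasar": ("Quasar RAT", "commodity RAT"),
    "Trojan.Nancrat": ("NanoCore", "commodity RAT"),
    "Backdoor.Patpoopy": ("Pupy RAT", "commodity RAT"),
    "Trojan.Netweird.B": ("NetWeird", "commodity RAT"),
    "Backdoor.Notestuk": ("Notestuk", "custom backdoor"),
    "Trojan.Stonedrill": ("Stonedrill", "custom backdoor"),
}

# Constructed sample alert lines in a hypothetical format: "timestamp host detection action".
# Hostnames and timestamps are made up for the example.
SAMPLE_ALERTS = """\
2019-03-27T08:14:02Z WS-0142 Hacktool.Mimikatz quarantined
2019-03-27T08:16:40Z WS-0142 Trojan.Quasar quarantined
2019-03-27T09:02:11Z WS-0231 SecurityRisk.LaZagne quarantined
2019-03-27T09:30:55Z WS-0099 Backdoor.Notestuk detected
2019-03-27T10:01:03Z WS-0231 EICAR-Test-File quarantined
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<det>\S+)\s+(?P<action>\S+)$")


def parse_alerts(text):
    """Return a list of (host, detection_name) tuples; lines that do not match are skipped."""
    parsed = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            parsed.append((m.group("host"), m.group("det")))
    return parsed


def priority_for(categories):
    """Map the set of tool categories seen on one host to a triage priority.

    A custom backdoor, or a credential-theft tool together with a commodity RAT on the
    same host, is the combination the article describes and is rated high. A RAT alone
    is medium; a lone credential tool is flagged for review rather than escalated,
    since it may be legitimate administrative use.
    """
    if "custom backdoor" in categories:
        return "high"
    if "credential-theft tool" in categories and "commodity RAT" in categories:
        return "high"
    if "commodity RAT" in categories:
        return "medium"
    return "review"


def triage(text):
    """Correlate alerts per host and return {host: {"tools": set, "priority": str}}.

    Detection names not in TOOL_FAMILIES (e.g. the EICAR test line) are ignored.
    """
    per_host = defaultdict(lambda: {"tools": set(), "categories": set()})
    for host, det in parse_alerts(text):
        family = TOOL_FAMILIES.get(det)
        if family is None:
            continue
        name, category = family
        per_host[host]["tools"].add(name)
        per_host[host]["categories"].add(category)

    return {
        host: {"tools": info["tools"], "priority": priority_for(info["categories"])}
        for host, info in per_host.items()
    }


if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{host}: priority={info['priority']} tools={sorted(info['tools'])}")
```

On the constructed sample this rates WS-0142 (Mimikatz plus Quasar RAT) and WS-0099 (Notestuk) as high and leaves WS-0231 (LaZagne only) for review; the EICAR line and the malformed line are discarded. The category table is the part to extend as an organisation's own alert naming differs from the names quoted here.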