
G0064 APT33

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. [3][1]

ID: G0064
Associated Names: HOLMIUM, Elfin
Version: 1.4
Created: 18 April 2018
Last Modified: 08 March 2023

Associated Group Descriptions

Name | Description
HOLMIUM | [2]
Elfin | [4]

Techniques Used

Domain | ID | Name | Use
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | APT33 has used HTTP for command and control. [4]
enterprise | T1560 | Archive Collected Data | -
enterprise | T1560.001 | Archive via Utility | APT33 has used WinRAR to compress data prior to exfiltration. [4]
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.001 | Registry Run Keys / Startup Folder | APT33 has deployed a tool known as DarkComet to the Startup folder of a victim, and used Registry run keys to gain persistence. [4][2]
enterprise | T1110 | Brute Force | -
enterprise | T1110.003 | Password Spraying | APT33 has used password spraying to gain access to target systems. [5][2]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.001 | PowerShell | APT33 has utilized PowerShell to download files from the C2 server and run various scripts. [4][2]
enterprise | T1059.005 | Visual Basic | APT33 has used VBScript to initiate the delivery of payloads. [2]
enterprise | T1555 | Credentials from Password Stores | APT33 has used a variety of publicly available tools like LaZagne to gather credentials. [4][5]
enterprise | T1555.003 | Credentials from Web Browsers | APT33 has used a variety of publicly available tools like LaZagne to gather credentials. [4][5]
enterprise | T1132 | Data Encoding | -
enterprise | T1132.001 | Standard Encoding | APT33 has used base64 to encode command and control traffic. [5]
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.001 | Symmetric Cryptography | APT33 has used AES for encryption of command and control traffic. [5]
enterprise | T1546 | Event Triggered Execution | -
enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | APT33 has attempted to use WMI event subscriptions to establish persistence on compromised hosts. [2]
enterprise | T1048 | Exfiltration Over Alternative Protocol | -
enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | APT33 has used FTP to exfiltrate files (separately from the C2 channel). [4]
enterprise | T1203 | Exploitation for Client Execution | APT33 has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250), and attempted to gain remote code execution via a security bypass vulnerability (CVE-2017-11774). [4][2]
enterprise | T1068 | Exploitation for Privilege Escalation | APT33 has used a publicly available exploit for CVE-2017-0213 to escalate privileges on a local system. [5]
enterprise | T1105 | Ingress Tool Transfer | APT33 has downloaded additional files and programs from its C2 server. [4][2]
enterprise | T1040 | Network Sniffing | APT33 has used SniffPass to collect credentials by sniffing network traffic. [4]
enterprise | T1571 | Non-Standard Port | APT33 has used HTTP over TCP ports 808 and 880 for command and control. [4]
enterprise | T1027 | Obfuscated Files or Information | APT33 has used base64 to encode payloads. [5]
enterprise | T1588 | Obtain Capabilities | -
enterprise | T1588.002 | Tool | APT33 has obtained and leveraged publicly available tools for early intrusion activities. [5][4]
enterprise | T1003 | OS Credential Dumping | -
enterprise | T1003.001 | LSASS Memory | APT33 has used a variety of publicly available tools like LaZagne, Mimikatz, and ProcDump to dump credentials. [4][5]
enterprise | T1003.004 | LSA Secrets | APT33 has used a variety of publicly available tools like LaZagne to gather credentials. [4][5]
enterprise | T1003.005 | Cached Domain Credentials | APT33 has used a variety of publicly available tools like LaZagne to gather credentials. [4][5]
enterprise | T1566 | Phishing | -
enterprise | T1566.001 | Spearphishing Attachment | APT33 has sent spearphishing e-mails with archive attachments. [2]
enterprise | T1566.002 | Spearphishing Link | APT33 has sent spearphishing emails containing links to .hta files. [3][4]
enterprise | T1053 | Scheduled Task/Job | -
enterprise | T1053.005 | Scheduled Task | APT33 has created a scheduled task to execute a .vbe file multiple times a day. [4]
enterprise | T1552 | Unsecured Credentials | -
enterprise | T1552.001 | Credentials In Files | APT33 has used a variety of publicly available tools like LaZagne to gather credentials. [4][5]
enterprise | T1552.006 | Group Policy Preferences | APT33 has used a variety of publicly available tools like Gpppassword to gather credentials. [4][5]
enterprise | T1204 | User Execution | -
enterprise | T1204.001 | Malicious Link | APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails. [3][4]
enterprise | T1204.002 | Malicious File | APT33 has used malicious e-mail attachments to lure victims into executing malware. [2]
enterprise | T1078 | Valid Accounts | APT33 has used valid accounts for initial access and privilege escalation. [1][5]
enterprise | T1078.004 | Cloud Accounts | APT33 has used compromised Office 365 accounts in tandem with Ruler in an attempt to gain control of endpoints. [2]
ics | T0852 | Screen Capture | APT33 utilizes backdoors capable of capturing screenshots once installed on a system. [6][7]
ics | T0853 | Scripting | APT33 utilized PowerShell scripts to establish command and control and install files for execution. [10][9]
ics | T0865 | Spearphishing Attachment | APT33 sent spearphishing emails containing links to HTML application files, which were embedded with malicious code. [6] APT33 has conducted targeted spearphishing campaigns against U.S. government agencies and private sector companies. [8]

Software

ID | Name | References | Techniques (listed as sub-technique:parent technique, separated by semicolons)
S0129 | AutoIt backdoor | [4] | Bypass User Account Control:Abuse Elevation Control Mechanism; PowerShell:Command and Scripting Interpreter; Standard Encoding:Data Encoding; File and Directory Discovery
S0363 | Empire | [5][4] | Bypass User Account Control:Abuse Elevation Control Mechanism; Access Token Manipulation; SID-History Injection:Access Token Manipulation; Create Process with Token:Access Token Manipulation; Domain Account:Account Discovery; Local Account:Account Discovery; LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle; Web Protocols:Application Layer Protocol; Archive Collected Data; Automated Collection; Automated Exfiltration; Shortcut Modification:Boot or Logon Autostart Execution; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Security Support Provider:Boot or Logon Autostart Execution; Browser Information Discovery; Clipboard Data; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Command and Scripting Interpreter; Domain Account:Create Account; Local Account:Create Account; Windows Service:Create or Modify System Process; Credentials from Web Browsers:Credentials from Password Stores; Group Policy Modification:Domain Policy Modification; Domain Trust Discovery; Local Email Collection:Email Collection; Asymmetric Cryptography:Encrypted Channel; Accessibility Features:Event Triggered Execution; Exfiltration Over C2 Channel; Exfiltration to Code Repository:Exfiltration Over Web Service; Exfiltration to Cloud Storage:Exfiltration Over Web Service; Exploitation for Privilege Escalation; Exploitation of Remote Services; File and Directory Discovery; Group Policy Discovery; Path Interception by Search Order Hijacking:Hijack Execution Flow; Dylib Hijacking:Hijack Execution Flow; Path Interception by Unquoted Path:Hijack Execution Flow; DLL Search Order Hijacking:Hijack Execution Flow; Path Interception by PATH Environment Variable:Hijack Execution Flow; Timestomp:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Credential API Hooking:Input Capture; Native API; Network Service Discovery; Network Share Discovery; Network Sniffing; Command Obfuscation:Obfuscated Files or Information; LSASS Memory:OS Credential Dumping; Process Discovery; Process Injection; Distributed Component Object Model:Remote Services; SSH:Remote Services; Scheduled Task:Scheduled Task/Job; Screen Capture; Security Software Discovery:Software Discovery; Kerberoasting:Steal or Forge Kerberos Tickets; Silver Ticket:Steal or Forge Kerberos Tickets; Golden Ticket:Steal or Forge Kerberos Tickets; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; Service Execution:System Services; MSBuild:Trusted Developer Utilities Proxy Execution; Credentials In Files:Unsecured Credentials; Private Keys:Unsecured Credentials; Pass the Hash:Use Alternate Authentication Material; Video Capture; Bidirectional Communication:Web Service; Windows Management Instrumentation
S0095 | ftp | [4] | Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol; Ingress Tool Transfer; Lateral Tool Transfer
S0349 | LaZagne | [4] | Keychain:Credentials from Password Stores; Credentials from Password Stores; Windows Credential Manager:Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; /etc/passwd and /etc/shadow:OS Credential Dumping; LSA Secrets:OS Credential Dumping; LSASS Memory:OS Credential Dumping; Proc Filesystem:OS Credential Dumping; Cached Domain Credentials:OS Credential Dumping; Credentials In Files:Unsecured Credentials
S0002 | Mimikatz | [4] | SID-History Injection:Access Token Manipulation; Account Manipulation; Security Support Provider:Boot or Logon Autostart Execution; Credentials from Password Stores; Windows Credential Manager:Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; LSASS Memory:OS Credential Dumping; DCSync:OS Credential Dumping; Security Account Manager:OS Credential Dumping; LSA Secrets:OS Credential Dumping; Rogue Domain Controller; Steal or Forge Authentication Certificates; Silver Ticket:Steal or Forge Kerberos Tickets; Golden Ticket:Steal or Forge Kerberos Tickets; Private Keys:Unsecured Credentials; Pass the Ticket:Use Alternate Authentication Material; Pass the Hash:Use Alternate Authentication Material
S0336 | NanoCore | [1] | Audio Capture; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Visual Basic:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Symmetric Cryptography:Encrypted Channel; Disable or Modify Tools:Impair Defenses; Disable or Modify System Firewall:Impair Defenses; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Obfuscated Files or Information; System Network Configuration Discovery; Video Capture
S0039 | Net | [4] | Domain Account:Account Discovery; Local Account:Account Discovery; Local Account:Create Account; Domain Account:Create Account; Network Share Connection Removal:Indicator Removal; Network Share Discovery; Password Policy Discovery; Local Groups:Permission Groups Discovery; Domain Groups:Permission Groups Discovery; SMB/Windows Admin Shares:Remote Services; Remote System Discovery; System Network Connections Discovery; System Service Discovery; Service Execution:System Services; System Time Discovery
S0198 | NETWIRE | [3][1] | Web Protocols:Application Layer Protocol; Application Window Discovery; Archive Collected Data; Archive via Custom Method:Archive Collected Data; Automated Collection; XDG Autostart Entries:Boot or Logon Autostart Execution; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Login Items:Boot or Logon Autostart Execution; Visual Basic:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Unix Shell:Command and Scripting Interpreter; Launch Agent:Create or Modify System Process; Credentials from Web Browsers:Credentials from Password Stores; Credentials from Password Stores; Local Data Staging:Data Staged; Encrypted Channel; Symmetric Cryptography:Encrypted Channel; File and Directory Discovery; Hidden Files and Directories:Hide Artifacts; Ingress Tool Transfer; Keylogging:Input Capture; Invalid Code Signature:Masquerading; Match Legitimate Name or Location:Masquerading; Modify Registry; Native API; Non-Application Layer Protocol; Software Packing:Obfuscated Files or Information; Obfuscated Files or Information; Fileless Storage:Obfuscated Files or Information; Spearphishing Attachment:Phishing; Spearphishing Link:Phishing; Process Discovery; Process Injection; Process Hollowing:Process Injection; Proxy; Scheduled Task:Scheduled Task/Job; Cron:Scheduled Task/Job; Screen Capture; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; Malicious File:User Execution; Malicious Link:User Execution; Web Service
S0378 | PoshC2 | [5][4] | Bypass User Account Control:Abuse Elevation Control Mechanism; Access Token Manipulation; Create Process with Token:Access Token Manipulation; Local Account:Account Discovery; Domain Account:Account Discovery; LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle; Web Protocols:Application Layer Protocol; Archive via Utility:Archive Collected Data; Automated Collection; Brute Force; Credentials from Password Stores; Domain Trust Discovery; Windows Management Instrumentation Event Subscription:Event Triggered Execution; Exploitation for Privilege Escalation; Exploitation of Remote Services; File and Directory Discovery; Keylogging:Input Capture; Network Service Discovery; Network Sniffing; LSASS Memory:OS Credential Dumping; Password Policy Discovery; Local Groups:Permission Groups Discovery; Process Injection; Proxy; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; Service Execution:System Services; Credentials In Files:Unsecured Credentials; Pass the Hash:Use Alternate Authentication Material; Windows Management Instrumentation
S0194 | PowerSploit | [5] | Access Token Manipulation; Local Account:Account Discovery; Audio Capture; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Security Support Provider:Boot or Logon Autostart Execution; PowerShell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Windows Credential Manager:Credentials from Password Stores; Data from Local System; Domain Trust Discovery; DLL Search Order Hijacking:Hijack Execution Flow; Path Interception by Unquoted Path:Hijack Execution Flow; Path Interception by Search Order Hijacking:Hijack Execution Flow; Path Interception by PATH Environment Variable:Hijack Execution Flow; Keylogging:Input Capture; Indicator Removal from Tools:Obfuscated Files or Information; Command Obfuscation:Obfuscated Files or Information; LSASS Memory:OS Credential Dumping; Process Discovery; Dynamic-link Library Injection:Process Injection; Query Registry; Reflective Code Loading; Scheduled Task:Scheduled Task/Job; Screen Capture; Kerberoasting:Steal or Forge Kerberos Tickets; Credentials in Registry:Unsecured Credentials; Group Policy Preferences:Unsecured Credentials; Windows Management Instrumentation
S0371 | POWERTON | [5][2] | Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; PowerShell:Command and Scripting Interpreter; Symmetric Cryptography:Encrypted Channel; Windows Management Instrumentation Event Subscription:Event Triggered Execution; Security Account Manager:OS Credential Dumping
S0192 | Pupy | [5] | Bypass User Account Control:Abuse Elevation Control Mechanism; Token Impersonation/Theft:Access Token Manipulation; Local Account:Account Discovery; LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle; Web Protocols:Application Layer Protocol; Archive via Utility:Archive Collected Data; Audio Capture; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Python:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Local Account:Create Account; Domain Account:Create Account; Systemd Service:Create or Modify System Process; Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; Local Email Collection:Email Collection; Asymmetric Cryptography:Encrypted Channel; Exfiltration Over C2 Channel; File and Directory Discovery; Clear Windows Event Logs:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Network Service Discovery; Network Share Discovery; LSASS Memory:OS Credential Dumping; LSA Secrets:OS Credential Dumping; Cached Domain Credentials:OS Credential Dumping; Process Discovery; Dynamic-link Library Injection:Process Injection; Remote Desktop Protocol:Remote Services; Screen Capture; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; Service Execution:System Services; Credentials In Files:Unsecured Credentials; Pass the Ticket:Use Alternate Authentication Material; Video Capture; System Checks:Virtualization/Sandbox Evasion
S0358 | Ruler | [5][2] | Email Account:Account Discovery; Outlook Rules:Office Application Startup; Outlook Forms:Office Application Startup; Outlook Home Page:Office Application Startup
S0380 | StoneDrill | [3] | Visual Basic:Command and Scripting Interpreter; Data Destruction; Disk Content Wipe:Disk Wipe; Disk Structure Wipe:Disk Wipe; File Deletion:Indicator Removal; Ingress Tool Transfer; Obfuscated Files or Information; Process Injection; Query Registry; Screen Capture; Security Software Discovery:Software Discovery; System Information Discovery; System Time Discovery; Virtualization/Sandbox Evasion; Windows Management Instrumentation
S0199 | TURNEDUP | [3][1][4] | Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; Ingress Tool Transfer; Asynchronous Procedure Call:Process Injection; Screen Capture; System Information Discovery

References

  1. Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.

  2. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.

  3. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.

  4. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.

  5. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.

  6. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved December 2, 2019.

  7. Yagi, J. (2017, March 07). Trojan.Stonedrill. Retrieved December 5, 2019.

  8. Greenberg, A. (2019, June 20). Iranian Hackers Launch a New US-Targeted Campaign as Tensions Mount. Retrieved January 3, 2020.

  9. Dragos. Magnallium. Retrieved October 27, 2019; Symantec. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved December 2, 2019.

  10. Symantec. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved December 2, 2019.