Halim Abouzeid

Detection of an APT33 Attack using RSA NetWitness

Blog Post created by Halim Abouzeid Employee on Nov 17, 2019

APT33 is a state-sponsored group suspected to be linked to Iran. It has been active since 2013 and has targeted organizations in the aviation and energy sectors mainly across the United States and the Middle East regions.

The group has recently been seen using private VPN networks with changing exit nodes to issue commands and collect data to and from their C&C servers.

 

In this post we will look at one of the malware files used within those campaigns and identify ways to detect it using RSA NetWitness Network and Endpoint.

 

The following is the file used in this article:

Filename

SHA256

MsdUpdate.exe

e954ff741baebb173ba45fbcfdea7499d00d8cfa2933b69f6cc0970b294f9ffd

 

This specific sample is rather basic in terms of behavior, but provides both persistence to the attacker, as well as the ability to deploy other malicious files.

 

 

 

Endpoint Visibility

By leveraging RSA NetWitness Endpoint, we can easily identify files and processes that have an elevated risk score due to their behavior. In the below screenshot, we can clearly see that the file “MsdUpdate.exe” stands out due to both its risk score and its reputation (identified as “Malicious”). In addition, we can see that the file is not signed by any valid or trusted certificate.

 

 

 

By drilling into the "MsdUpdate.exe" process, we can see in the next screenshot the different actions done by the process:

  1. It modifies the registry
  2. It communicates over the network with the “simshoshop.com” domain
  3. It copies itself to “C:\Users\<user>\Roaming\MSDUpdate\MsdUpdate.exe”

 

 

 

 

If we look in more details at the registry changes done by the file, as per the below screenshot, we can see that it modified the “Run” key to run itself at startup. This is done for persistence for the attacker to maintain access after a reboot of the machine.

 

 

 

 

Network Visibility

As seen in the previous step, we have been able to identify that the malicious file has communicated with the “simsoshop.com” domain. By drilling into this on the Network component we can look at more details regarding this network connection.

Based on the below screenshot we can see:

  • 4 different sessions separated exactly by 10 min each, which indicates a programmatic behavior typical of beaconing activity
  • All sessions are posting data to a file named “update.php”, which also suspiciously looks like beaconing

 

 

 

 

We can then reconstruct the payload of any of the above sessions to look at its content and confirm that this is indeed beaconing activity.

As seen below, we can confirm that the query is updating an entry with a payload in hexadecimal (most likely encoded).

 

 

 

 

This shows how RSA NetWitness Network and Endpoint can help in quickly detecting, identifying and investigating such attacks based on both activity on both the endpoint and the network,

 

 

 

 

Indicators of Compromise

The following are some additional indicators that can be used to detect the presence of this malware.

 

File Hashes

Filename

SHA256

MsdUpdate.exe

e954ff741baebb173ba45fbcfdea7499d00d8cfa2933b69f6cc0970b294f9ffd

MsdUpdate.exe

a67461a0c14fc1528ad83b9bd874f53b7616cfed99656442fb4d9cdd7d09e449

MsdUpdate.exe

c303454efb21c0bf0df6fb6c2a14e401efeb57c1c574f63cdae74ef74a3b01f2

MsdUpdate.exe

b58a2ef01af65d32ca4ba555bd72931dc68728e6d96d8808afca029b4c75d31e

 

 

Command & Control Domains

Domain

suncocity.com

service-explorer.com

zandelshop.com

service-norton.com

simsoshop.com

service-eset.com

zeverco.com

service-essential.com

qualitweb.com

update-symantec.com

 

 

IP Addresses

IP Address

5.135.120.57

137.74.80.220

5.135.199.25

137.74.157.84

31.7.62.48

185.122.56.232

51.77.11.46

185.125.204.57

54.36.73.108

185.175.138.173

54.37.48.172

188.165.119.138

54.38.124.150

193.70.71.112

88.150.221.107

195.154.41.72

91.134.203.59

213.32.113.159

109.169.89.103

216.244.93.137

109.200.24.114

 

Outcomes