APT33 is a state-sponsored group suspected of being linked to Iran. It has been active since 2013 and has targeted organizations in the aviation and energy sectors, mainly in the United States and the Middle East.
The group has recently been observed using private VPN networks with rotating exit nodes to issue commands to, and collect data from, its C&C servers.
In this post we will look at one of the malware files used within those campaigns and identify ways to detect it using RSA NetWitness Network and Endpoint.
The following is the file used in this article:
This specific sample is rather basic in terms of behavior, but it gives the attacker persistence as well as the ability to deploy additional malicious files.
By leveraging RSA NetWitness Endpoint, we can easily identify files and processes whose behavior has earned them an elevated risk score. In the screenshot below, the file "MsdUpdate.exe" clearly stands out because of both its risk score and its reputation (identified as "Malicious"). In addition, we can see that the file is not signed by any valid or trusted certificate.
By drilling into the "MsdUpdate.exe" process, we can see in the next screenshot the actions performed by the process:
- It modifies the registry
- It communicates over the network with the “simshoshop.com” domain
- It copies itself to “C:\Users\<user>\Roaming\MSDUpdate\MsdUpdate.exe”
If we look in more detail at the registry changes made by the file, as per the screenshot below, we can see that it modified the "Run" key to execute itself at startup. This gives the attacker persistence, so that access is maintained after the machine reboots.
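The same check can be done outside the product as a quick triage of Run keys. The following is an added example, not code from the original post or from RSA NetWitness: it parses constructed text in the shape of `reg query` output (the entries, user name and paths are made up for illustration) and flags any autorun whose image lives in a user-writable location such as AppData\Roaming, which is where this sample copies itself.

```python
# Added example (not from the original post or from RSA NetWitness):
# triage HKCU/HKLM "Run" entries and flag images in user-writable directories.
import re

# Directories a normal user can write to; an autorun pointing here deserves a look.
USER_WRITABLE = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\",
    "\\programdata\\",
    "\\users\\public\\",
)

# One value line of `reg query` output: <name> REG_SZ|REG_EXPAND_SZ <data>
RUN_VALUE_RE = re.compile(r"^\s*(?P<name>\S+)\s+REG_(?:EXPAND_)?SZ\s+(?P<value>.+?)\s*$")

# Constructed sample (not real data): two benign entries and the MsdUpdate autorun.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    MsdUpdate    REG_SZ    C:\Users\alice\AppData\Roaming\MSDUpdate\MsdUpdate.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""


def extract_image_path(value: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    # Unquoted: the image ends at the first ".exe" if one is present.
    m = re.match(r"^(.*?\.exe)", value, re.IGNORECASE)
    return m.group(1) if m else value.split()[0]


def parse_reg_query(text: str) -> list:
    """Parse `reg query` output into {key, name, path} records."""
    records, current_key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        m = RUN_VALUE_RE.match(line)
        if m and current_key:
            records.append({"key": current_key, "name": m["name"],
                            "path": extract_image_path(m["value"])})
    return records


def suspicious_autoruns(records: list) -> list:
    """Keep only autoruns whose image path sits under a user-writable directory."""
    flagged = []
    for r in records:
        low = r["path"].lower().replace("/", "\\")
        if any(seg in low for seg in USER_WRITABLE):
            flagged.append(r)
    return flagged


def triage(text: str) -> list:
    """Names of suspicious Run entries found in the given `reg query` output."""
    return [r["name"] for r in suspicious_autoruns(parse_reg_query(text))]


if __name__ == "__main__":
    for r in suspicious_autoruns(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"[!] {r['key']}\\{r['name']} -> {r['path']}")
```

On a real host, feed it the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the HKLM equivalent; an unsigned binary in AppData\Roaming that also shows periodic network activity is exactly the combination this post describes.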
As seen in the previous step, the malicious file communicated with the "simsoshop.com" domain. By drilling into this on the Network component we can look at more details regarding this network connection.
Based on the below screenshot we can see:
- 4 sessions spaced exactly 10 minutes apart, which indicates programmatic behavior typical of beaconing
- All sessions POST data to a file named "update.php", which is also consistent with beaconing
We can then reconstruct the payload of any of the above sessions to look at its content and confirm that this is indeed beaconing activity.
As seen below, we can confirm that the request is updating an entry with a payload in hexadecimal (most likely an encoded value).
This shows how RSA NetWitness Network and Endpoint can help in quickly detecting, identifying and investigating such attacks based on activity on both the endpoint and the network.
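The two observations above (fixed 10-minute spacing to one URI, and a hex-only POST body) can be turned into a small detection over session metadata. The following is an added example, not code from the original post or from RSA NetWitness: the session records are constructed to mirror the behavior described, the destination host names are placeholders, and the hex body is made up. It groups sessions by destination and URI, flags groups whose inter-arrival gaps are nearly constant, and checks whether a body is a pure hex blob worth decoding.

```python
# Added example (not from the original post or from RSA NetWitness):
# flag periodic sessions to a single URI and test POST bodies for hex encoding.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed session metadata (placeholder hosts, made-up bodies), not captured traffic.
# Four POSTs to /update.php exactly 600 s apart, plus irregular benign GETs.
SESSIONS = [
    {"time": "2019-11-04 09:00:02", "dst": "c2.example.com", "method": "POST",
     "uri": "/update.php", "body": "48656c6c6f2c20776f726c6421"},
    {"time": "2019-11-04 09:10:02", "dst": "c2.example.com", "method": "POST",
     "uri": "/update.php", "body": "48656c6c6f2c20776f726c6421"},
    {"time": "2019-11-04 09:20:02", "dst": "c2.example.com", "method": "POST",
     "uri": "/update.php", "body": "48656c6c6f2c20776f726c6421"},
    {"time": "2019-11-04 09:30:02", "dst": "c2.example.com", "method": "POST",
     "uri": "/update.php", "body": "48656c6c6f2c20776f726c6421"},
    {"time": "2019-11-04 09:01:13", "dst": "cdn.example.com", "method": "GET",
     "uri": "/static/app.js", "body": ""},
    {"time": "2019-11-04 09:04:50", "dst": "cdn.example.com", "method": "GET",
     "uri": "/static/app.js", "body": ""},
    {"time": "2019-11-04 09:31:07", "dst": "cdn.example.com", "method": "GET",
     "uri": "/static/app.js", "body": ""},
]


def beacon_candidates(sessions, min_sessions=3, max_jitter=0.1):
    """Group sessions by (dst, uri) and report groups whose gaps are nearly constant.

    max_jitter is the allowed ratio of standard deviation to mean of the gaps;
    a real implant usually adds some jitter, so tune this per environment.
    """
    groups = defaultdict(list)
    for s in sessions:
        groups[(s["dst"], s["uri"])].append(
            datetime.strptime(s["time"], "%Y-%m-%d %H:%M:%S"))
    found = []
    for (dst, uri), times in groups.items():
        if len(times) < min_sessions:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append({"dst": dst, "uri": uri, "count": len(times),
                          "interval_s": round(avg)})
    return found


def looks_like_hex_blob(body: str, min_len: int = 16) -> bool:
    """True when the body is a non-trivial, even-length string of hex digits only."""
    body = body.strip()
    return (len(body) >= min_len and len(body) % 2 == 0
            and all(c in "0123456789abcdefABCDEF" for c in body))


def decode_hex_body(body: str):
    """Decode a hex body to bytes for further inspection; None if it is not hex."""
    return bytes.fromhex(body.strip()) if looks_like_hex_blob(body) else None


def report(sessions):
    """Beacon candidates, each annotated with whether its bodies are hex blobs."""
    out = []
    for cand in beacon_candidates(sessions):
        bodies = [s["body"] for s in sessions
                  if s["dst"] == cand["dst"] and s["uri"] == cand["uri"]]
        cand["hex_bodies"] = all(looks_like_hex_blob(b) for b in bodies)
        out.append(cand)
    return out


if __name__ == "__main__":
    for c in report(SESSIONS):
        print(f"[!] {c['count']} sessions to {c['dst']}{c['uri']} every "
              f"{c['interval_s']}s, hex bodies: {c['hex_bodies']}")
```

The interval check is deliberately strict here because the observed sample had no jitter; against real traffic, combine it with the endpoint signal (an unsigned process in a user-writable path) rather than alerting on periodicity alone, since software updaters and monitoring agents also poll on fixed schedules.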
Indicators of Compromise
The following are some additional indicators that can be used to detect the presence of this malware.
Command & Control Domains