Delaware, USA – March 28, 2019 – The Elfin group (aka APT33) conducts cyber-espionage campaigns focused primarily on organizations in Saudi Arabia and the United States. These state-sponsored actors target not only government bodies but also companies in the chemical, engineering, telecommunications, finance, and IT sectors. Beyond espionage, researchers suspect the group of destructive attacks using the Shamoon and Filerase wipers against organizations in Saudi Arabia and the United Arab Emirates. Symantec’s experts published a report on the activities of the Elfin group describing their tools and attacks over the past three years. The most recent detected campaign took place in February, shortly after details of the critical WinRAR vulnerability were published. The attackers exploited CVE-2018-20250 and sent spear-phishing emails carrying a malicious RAR archive.
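CVE-2018-20250 belongs to the class of archive path-traversal bugs: a crafted entry name causes the extractor to write a file outside the chosen directory. The check below is an added example written for this article, not code from Symantec or SOC Prime; it inspects entry names before extraction and flags absolute paths, drive letters and any component sequence that resolves above the destination. Because Python's standard library has no ACE/RAR reader, the sample input is a constructed in-memory ZIP with hypothetical entry names; the name check itself is format-agnostic and applies to any archive listing.

```python
"""Flag archive entries whose names would escape the extraction directory."""
import io
import posixpath
import zipfile
from typing import List


def is_unsafe_entry(name: str, dest: str = "/tmp/extract") -> bool:
    """Return True if extracting `name` under `dest` could write outside it.

    Checks the normalised target path rather than searching for a '..'
    substring, so 'docs/../file.txt' (which stays inside dest) is allowed
    while 'ok/../../escape.txt' (which does not) is rejected.
    """
    # Treat Windows separators as path separators so "..\\" is caught too.
    normalised = name.replace("\\", "/")
    # Absolute POSIX path or UNC-style prefix
    if normalised.startswith("/"):
        return True
    # Windows drive letter such as "C:"
    if len(normalised) >= 2 and normalised[1] == ":":
        return True
    # Resolve '.' and '..' against dest and require the result to stay under it
    dest = dest.rstrip("/") or "/"
    target = posixpath.normpath(posixpath.join(dest, normalised))
    return not (target == dest or target.startswith(dest + "/"))


def unsafe_entries(archive_bytes: bytes, dest: str = "/tmp/extract") -> List[str]:
    """Return the member names of a ZIP archive that fail is_unsafe_entry."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [n for n in zf.namelist() if is_unsafe_entry(n, dest)]


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry and two hypothetical traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("../../../Users/Public/dropper.exe", b"MZ placeholder")
        zf.writestr("C:\\Windows\\Temp\\dropper.exe", b"MZ placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Expected: the two traversal entries are reported, invoice.pdf is not.
    for entry in unsafe_entries(build_sample_archive()):
        print("unsafe entry:", entry)
```

A mail gateway or sandbox can apply the same check to the entry list of any archive attachment before it is ever extracted; an archive containing even one flagged name is worth quarantining regardless of the file contents.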
The group uses custom backdoors and trojans alongside commodity malware bought on underground forums and publicly available hacking tools. Elfin’s activity is linked to the Iranian government, and the group is one of the most active threat actors operating in the Middle East. It also reuses data stolen in successful intrusions in later campaigns and carries out supply-chain attacks. The adversaries closely monitor the release of public exploits and try to use them in new attacks before victims have installed the relevant updates. To uncover such attacks, it is recommended to use the APT Framework rule pack, which detects signs of APT activity using the Lockheed Martin Cyber Kill Chain methodology: https://my.socprime.com/en/integrations/apt-framework-arcsight