APT33 Utilizes Own VPN Network

Delaware, USA – November 14, 2019 – One of the most sophisticated Iranian APT groups uses their own VPN network to conduct reconnaissance and connect to the command-and-control infrastructure. In theory, this should have made the detection and attribution of attacks much more difficult, but in practice, Trend Micro researchers could track exit nodes and track malicious activity conducted through them. Thanks to these findings, experts identified four levels of group infrastructure: VPN layer, Bot Controller layer, C&C Backend layer, and Proxy layer. During operations, APT33 uses multiple botnets of simple malware on a small number of infected systems (up to a dozen machines), each of which is managed by the separate C&C server. Adversaries host C&C domains on cloud-hosted proxies that relay URL requests from the malware to the C&C Backend layer. The backends transfer data to the Bot Controller layer where group members collect it and issue commands to the bots connecting to this layer via their personal VPN network.

Attackers often change exit nodes and use them not only for reconnaissance but also to visit hacker blogs and forums. Researchers have determined that the main targets of the group’s recent campaigns are located in the United States, Asia, and the Middle East; APT33 are interested in the military and oil industry. The group is notorious for not only cyber espionage campaigns but also devastating attacks using the Shamoon wiper. You can learn more about the APT33 group and the techniques it uses on Threat Detection Marketplace: https://tdm.socprime.com/att-ck/