APT group Elfin switches from data destruction to data stealing via WinRAR vulnerability


Iranian-linked hacker group switches techniques from Shamoon wiper attacks to WinRAR exploits



28 March 2019

Elfin (aka APT33), a
hacker group affiliated with the Iranian government, is described by
Symantec as “one of the most active groups currently operating in the
Middle East.” They have been linked with a string of attacks on U.S. and
Saudi Arabian companies, particularly in the aerospace and energy

However, where the group previously conducted mainly data-destruction attacks, Symantec is now reporting that it has switched its modus operandi to focus on spear phishing and known vulnerabilities in common software. While the group's targets remain largely the same, its goals seem to have changed.

Instead of using wipers, Symantec reports that the group's recent attacks are aimed at data exfiltration, using vulnerabilities in a common piece of software. "The main point of entry in recent attacks has been spear-phishing emails capable of delivering malware to the recipient's computer," says Dick O'Brien, researcher at Symantec's Security Response. "The group has also attempted to exploit the recently patched WinRAR vulnerability in attacks."




The phishing emails sent to targeted companies encourage the victim to download a file, JobDetails.rar, which then tries to exploit vulnerability CVE-2018-20250 in WinRAR. The flaw is a path-traversal bug in the extraction of ACE archives (WinRAR recognises the format by its content, not by the .rar extension), so a successful attack on an unpatched system lets the attacker write a file of their choosing to an arbitrary location on the computer, such as a folder from which it will run at the next login.
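The passage above describes the delivery chain but not how a defender would recognise the lure. The following triage script is an added example written for this page; it is not code from Symantec, FireEye or Check Point. It walks the header chain of an ACE archive (field layout taken from the public ACE format description; treat this as a triage heuristic rather than a full parser) and flags the two things that matter for CVE-2018-20250: a .rar attachment whose content is actually ACE, and stored filenames that traverse out of the extraction directory. The sample archive it builds is constructed here for testing and is not produced by any real archiver.

```python
import re
import struct
import zlib

ACE_MAGIC = b"**ACE**"          # sits at offset 7 of a real ACE archive
HEAD_MAIN, HEAD_FILE = 0, 1     # header type codes
FILE_HDR_FIXED = 31             # bytes of a file-header body before the filename
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def is_ace(data: bytes) -> bool:
    """WinRAR keys on this signature, not the extension, when it hands a file to UNACEV2.dll."""
    return len(data) >= 14 and data[7:14] == ACE_MAGIC


def ace_filenames(data: bytes):
    """Yield the stored filename of every file entry.
    Each header is CRC16(2) + SIZE(2) + SIZE bytes of body; packed data follows a file body."""
    off = 0
    while off + 4 <= len(data):
        body_len = struct.unpack_from("<H", data, off + 2)[0]
        body = data[off + 4:off + 4 + body_len]
        if body_len < 3 or len(body) < body_len:
            break                      # truncated or malformed: stop, do not guess
        off += 4 + body_len
        if body[0] == HEAD_FILE:
            if body_len < FILE_HDR_FIXED:
                break
            packed_size = struct.unpack_from("<I", body, 3)[0]
            name_len = struct.unpack_from("<H", body, 29)[0]
            yield body[FILE_HDR_FIXED:FILE_HDR_FIXED + name_len].decode("latin-1", "replace")
            off += packed_size         # skip the stored/compressed payload
        elif body[0] != HEAD_MAIN:
            break                      # unknown header type: stop rather than misparse


def suspicious_name_reasons(name: str) -> list:
    """Heuristics for a filename that an archiver should never be asked to create."""
    reasons = []
    if TRAVERSAL.search(name):
        reasons.append("parent-directory traversal")
    if re.match(r"^[A-Za-z]:", name) or name.startswith(("\\", "/")):
        reasons.append("absolute path")
    if "startup" in name.lower():
        reasons.append("targets a Startup folder")
    return reasons


def triage(data: bytes, claimed_name: str) -> list:
    """Return human-readable findings for one attachment; an empty list means nothing odd."""
    findings = []
    if not is_ace(data):
        return findings
    if claimed_name.lower().endswith(".rar"):
        findings.append(f"{claimed_name}: extension is .rar but content is an ACE archive")
    for name in ace_filenames(data):
        for reason in suspicious_name_reasons(name):
            findings.append(f"{claimed_name}: entry {name!r} -> {reason}")
    return findings


def build_ace_sample(entries) -> bytes:
    """Constructed test fixture: a minimal stored (uncompressed) ACE-style archive.
    Header CRCs are left at zero, so a real extractor would reject it; it exists only
    to exercise the scanner offline."""
    main_body = (bytes([HEAD_MAIN]) + struct.pack("<H", 0) + ACE_MAGIC
                 + bytes([20, 20, 0, 0])                          # versions, host OS, volume
                 + struct.pack("<I", 0) + bytes(8) + bytes([0]))  # datetime, reserved, advert size
    out = struct.pack("<HH", 0, len(main_body)) + main_body
    for name, content in entries:
        raw = name.encode("latin-1")
        body = (bytes([HEAD_FILE]) + struct.pack("<H", 0)
                + struct.pack("<IIII", len(content), len(content), 0, 0x20)  # sizes, time, attrs
                + struct.pack("<I", zlib.crc32(content))
                + bytes(4) + bytes(2)                                      # tech (stored), reserved
                + struct.pack("<H", len(raw)) + raw)
        out += struct.pack("<HH", 0, len(body)) + body + content
    return out


if __name__ == "__main__":
    sample = build_ace_sample([("readme.txt", b"benign"), ("..\\..\\dropper.exe", b"MZ")])
    for line in triage(sample, "JobDetails.rar"):
        print(line)
```

Run it against attachments pulled from the mail gateway rather than on the endpoint: the point is to catch the lure before WinRAR ever opens it. The parser deliberately stops on anything it does not understand instead of guessing, because a malformed header is itself worth a second look.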

What is Elfin and what do they want?

According to FireEye,
Elfin/APT33 has been around since roughly 2013 but rose to prominence
in late 2016 after using targeted phishing attacks and domain-spoofing
to deliver the Shamoon wiper malware. The group has been tied to Iran,
given its targeting of Saudi and U.S. companies and the fact that it
leverages tools and DNS infrastructure shared with other suspected Iranian
activity, including the Shamoon, StoneDrill, Dropshot and Turnedup malware,
among others. FireEye has noted that APT33's activity suggests the group
was operating in a time zone that coincides with Iran's Daylight
“Based on its tactics and targets, our assessment is that Elfin is a
state-sponsored espionage group,” says O’Brien. “Given the nature of the
group and its targets, we can only speculate that the information in
question is likely to be of a strategic or economic interest to Elfin’s

“Your organization needs to adopt a multi-layered approach to security to best ensure that any point of failure is mitigated by other defensive practices,” says O’Brien. “This should include not only regularly patching vulnerabilities, but also employing multiple, overlapping, and mutually supportive defensive systems to guard against single point failures in any specific technology or protection method.”

The group generally
focuses on aerospace [both defense and commercial] and energy companies
located in the U.S. – of which 18 have been attacked over the past three
years — Saudi Arabia and South Korea. It has also hit engineering,
chemical, research and healthcare organizations in countries across
Europe and MENA.

Traditionally, the group scans for vulnerable websites to identify
potential targets, either for attacks or for building command
and control (C&C) infrastructure. Malware associated with the group
includes Shamoon 2.0 and StoneDrill, both of which are generally used in data destruction/wiper attacks.

Elfin moves on from Shamoon

Elfin has long been linked to Shamoon, which was first used to conduct a
sabotage attack on Saudi Aramco in 2012 but has been regularly used by
Iran-linked APTs since 2016. While the group is not thought to be the
creator of Shamoon, it is responsible for an uptick in its use, via a modified version sometimes known as Shamoon 2.0, since 2016. Italian oil services firm Saipem (of which Saudi Aramco is a customer) was hit with a Shamoon attack in December 2018 that Symantec has linked to Elfin.

The group has previously registered domains impersonating many
companies in its targeted industries including Boeing, Alsalam Aircraft
Company, Northrop Grumman and Vinnell, and featured recruitment-themed

“Elfin was first linked to Shamoon when a Shamoon victim in Saudi
Arabia was also attacked by Elfin, and infected with the Stonedrill
malware,” says O’Brien. “Because the Elfin and the Shamoon attacks
occurred so close to each other, there has been speculation that the two
groups may be linked.”

More groups likely to use the WinRAR exploit

The Elfin group is not the only one looking to take advantage of
WinRAR. Though a patch for the CVE-2018-20250 vulnerability, originally
discovered by Check Point, has been issued, the software does not contain an auto-update
feature, so every install has to be upgraded by hand. FireEye is reporting multiple campaigns underway exploiting the
vulnerability. The security firm predicts more in the future due to the
software's popularity and the fact many will likely be running older

"While this vulnerability has been fixed in the latest version of WinRAR (5.70), because of the huge WinRAR customer-base, lack of auto-update feature and the ease of exploitation of this vulnerability, we believe this will be used by more threat actors in the upcoming days," FireEye researcher Dileep Kumar Jallepalli explains in a blog post.
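Because WinRAR does not update itself, the practical follow-up to the paragraph above is an inventory check. The function below is an added example for this page, not code from FireEye or RARLAB: given a WinRAR version string and its install directory, it reports whether the host is still exposed, treating anything below 5.70 as vulnerable and additionally flagging a surviving UNACEV2.dll (the ACE extraction library that the 5.70 fix dropped). How the version string and install path are collected (registry, package inventory, EDR query) is left to the caller and is an assumption of the example.

```python
import os
import re

FIXED_VERSION = (5, 70)          # WinRAR 5.70 is the first release without ACE support
ACE_DLL = "UNACEV2.dll"          # the library CVE-2018-20250 lives in
_VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def parse_winrar_version(text: str):
    """Turn strings such as '5.61', '5.70 beta 2' or 'WinRAR 5.40 (64-bit)' into (major, minor).
    Minor is normalised to two digits so '5.7' and '5.70' compare equal. Returns None if unparseable."""
    m = _VERSION_RE.search(text or "")
    if not m:
        return None
    major, minor = m.group(1), m.group(2)
    return (int(major), int(minor.ljust(2, "0")[:2]))


def winrar_exposure(version_text: str, install_dir: str) -> list:
    """Return the reasons a host is still exposed to CVE-2018-20250; empty list means patched."""
    reasons = []
    version = parse_winrar_version(version_text)
    if version is None:
        reasons.append(f"could not parse WinRAR version from {version_text!r}; verify manually")
    elif version < FIXED_VERSION:
        reasons.append(f"WinRAR {version[0]}.{version[1]:02d} is older than 5.70")
    # Case-insensitive lookup: the file may be listed as UNACEV2.dll or unacev2.dll.
    try:
        names = {n.lower() for n in os.listdir(install_dir)}
    except OSError:
        names = set()
        reasons.append(f"install directory {install_dir!r} not readable; verify manually")
    if ACE_DLL.lower() in names:
        reasons.append(f"{ACE_DLL} still present in {install_dir}; ACE extraction is possible")
    return reasons


if __name__ == "__main__":
    # Hypothetical path; on a real host read it from the WinRAR uninstall registry key.
    print(winrar_exposure("5.61", r"C:\Program Files\WinRAR"))
```

A version at or above 5.70 with the DLL still on disk is worth reporting as well: it means an older copy was not fully removed, and any other software that loads UNACEV2.dll remains affected.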

IDG News Service
