The well-known criminal collective APT33, which has been carefully targeting individuals and organizations in the U.S., Asia, and the Middle East, has taken special care to make tracking its activity more difficult, say Trend Micro researchers.
APT33, which researchers believe is supported by the government of Iran, has been using its own network of VPN nodes.
The command and control domains of APT33 are usually located on cloud-hosted proxies, which relay URL requests from the infected bots to backends on shared webservers. These webservers could be hosting thousands of legitimate domains. So, what happens next?
According to Trend Micro’s report, “the backends report bot data back to a data aggregator and bot control server that is on a dedicated IP address. The APT33 actors connect to these aggregators via a private VPN network with exit nodes that are changed frequently. The APT33 actors then issue commands to the bots and collect data from the bots using these VPN connections.”
It appears that with these latest attack mechanisms, the hacking collective has been primarily targeting victims in the oil and aviation industries. Most of this year’s attacks “signed” by APT33 have used spear-phishing to compromise various targets.
Victims of 2019’s malware campaigns carried out by the threat actors include a private U.S. company related to national security, individuals related to a university and a college in the U.S., an individual related to the U.S. military, and some other victims in the Middle East and Asia.
APT33’s VPN Network
Threat actors often use commercial VPN services in their operations, but some also set up their own private VPN networks. This can easily be accomplished by renting a couple of servers from international datacenters.
So, how were the researchers able to track this activity?
Though the connections from private VPN networks still come from seemingly unrelated IP addresses around the world, this kind of traffic is actually easier to track. Once we know that an exit node is mainly being used by a particular actor, we can have a high degree of confidence about the attribution of the connections that are made from the IP addresses of the exit node. For example, besides administering C&C servers from a private VPN exit node, an actor might also be doing reconnaissance of targets’ networks.
The researchers also believe that APT33 probably uses its VPN exit nodes exclusively. Trend Micro has been tracking some of the group’s private VPN exit nodes for more than a year, and as a result, some IP addresses related to the hackers’ operations have been uncovered.
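The attribution logic described above, in which connections from an exit node already tied to one actor are attributed with high confidence and a spread of targets from the same node is read as likely reconnaissance, can be expressed as a small watchlist check over connection logs. The following is an added example written for this page, not code from Trend Micro or from the report; the exit-node addresses, the actor label "ACTOR-X", the log format and the log lines are all constructed sample data (the IPs are RFC 5737 documentation addresses), and the scan threshold is an assumed tuning value.

```python
"""Attribute inbound connections to a tracked set of private VPN exit nodes.

Added illustration; all addresses, labels and log lines below are constructed.
"""
from collections import defaultdict

# Constructed watchlist: exit nodes an analyst has attributed to one actor
# after observing them being used predominantly by that actor over time.
# These are RFC 5737 documentation addresses, not real infrastructure.
TRACKED_EXIT_NODES = {
    "198.51.100.7": "ACTOR-X",
    "203.0.113.42": "ACTOR-X",
}

# Constructed connection log, one event per line:
# <timestamp> <src_ip> <dst_ip> <dst_port> <action>
SAMPLE_LOGS = """\
2019-11-13T08:01:02Z 198.51.100.7 192.0.2.10 22 ssh-login
2019-11-13T08:01:05Z 203.0.113.42 192.0.2.55 443 http-get
2019-11-13T08:02:10Z 203.0.113.42 192.0.2.56 443 http-get
2019-11-13T08:02:11Z 203.0.113.42 192.0.2.57 443 http-get
2019-11-13T08:03:00Z 192.0.2.200 192.0.2.10 443 http-get
"""


def parse_line(line):
    """Split one space-separated log line into a dict of fields."""
    ts, src, dst, port, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "action": action}


def attribute_connections(log_text, watchlist=TRACKED_EXIT_NODES, scan_threshold=3):
    """Match log events against the exit-node watchlist.

    Returns (hits, summary):
      hits    - every event whose source is a tracked exit node, tagged with the actor
      summary - per tracked source: actor, number of distinct destinations, and a
                pattern label ("possible reconnaissance" once the source has touched
                at least scan_threshold distinct hosts, else "single-host access")
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    hits = []
    targets_by_src = defaultdict(set)
    for ev in events:
        actor = watchlist.get(ev["src"])
        if actor is None:
            continue  # not from a tracked exit node; no attribution claimed
        targets_by_src[ev["src"]].add(ev["dst"])
        hits.append({**ev, "actor": actor})

    summary = {}
    for src, dsts in targets_by_src.items():
        summary[src] = {
            "actor": watchlist[src],
            "distinct_targets": len(dsts),
            "pattern": ("possible reconnaissance"
                        if len(dsts) >= scan_threshold else "single-host access"),
        }
    return hits, summary


if __name__ == "__main__":
    hits, summary = attribute_connections(SAMPLE_LOGS)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['port']} attributed to {h['actor']}")
    for src, info in summary.items():
        print(f"{src}: {info['actor']}, {info['distinct_targets']} target(s), {info['pattern']}")
```

The watchlist is the whole point: the check only claims attribution for sources an analyst has already tied to an actor, and the untracked address in the sample is deliberately left unlabelled. In practice the watchlist would be refreshed as exit nodes rotate, and the threshold would be tuned to the environment.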
In addition to the VPN layer, the hackers also use a bot controller layer, a command and control backend layer (servers used to manage malware botnets), and a proxy layer (a collection of cloud proxy servers).