Iran (Elfin/APT33): APT33, an Iranian espionage group, carried out a new wave of attacks throughout February that targeted organizations in the United States and the Middle East. The group exploited CVE-2018-20250, a vulnerability in WinRAR, a widely used archiving and compression utility that can also produce self-extracting archives. The group sent targeted spear-phishing emails carrying WinRAR attachments crafted to compromise the recipient's machine when opened. In the past the group has sent such emails to oil and gas executives; this most recent wave targeted chemical plants in Saudi Arabia in the same way. The group has been active for years as an espionage actor and has carried out multiple attacks on the chemical and oil industries in an attempt to gain access to their systems. Previously the group relied on its own custom toolkits, but in this campaign it changed tactics and leveraged an already-known vulnerability from 2018.
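The defensive side of the WinRAR issue above, as an added example that is not part of the original post: CVE-2018-20250 lies in WinRAR's handling of the ACE archive format, and a malicious ACE file can be delivered under a .rar name, so a mail-gateway hook should identify ACE content by its signature rather than its extension and flag member paths that would land outside the extraction folder. The ACE header offsets used here follow the public acefile description of the format and are an assumption of this example; the sample archive is constructed, not a real capture.

```python
import struct
ACE_MAGIC = b"**ACE**"      # at absolute offset 7 of every ACE archive
HDR_MAIN, HDR_FILE = 0, 1   # header type byte
FLAG_ADDSIZE = 0x0001       # header is followed by 'packsize' bytes of data

def is_ace(data: bytes) -> bool:
    return data[7:14] == ACE_MAGIC       # identify by signature, not by extension

def ace_member_names(data: bytes) -> list:
    """Walk the header chain and return each file member's stored path."""
    names, pos = [], 0
    while pos + 4 <= len(data):
        _crc, hsize = struct.unpack_from("<HH", data, pos)   # header CRC, header size
        hdr = data[pos + 4:pos + 4 + hsize]
        if len(hdr) < hsize:
            break                                            # truncated archive
        flags = struct.unpack_from("<H", hdr, 1)[0]
        addsize = struct.unpack_from("<I", hdr, 3)[0] if flags & FLAG_ADDSIZE else 0
        if hdr[0] == HDR_FILE:                               # name length at 29, name at 31
            fnlen = struct.unpack_from("<H", hdr, 29)[0]
            names.append(hdr[31:31 + fnlen].decode("latin-1"))
        pos += 4 + hsize + addsize
    return names

def suspicious_paths(names: list) -> list:
    """Member paths that would land outside the extraction directory."""
    bad = []
    for n in names:
        norm = n.replace("\\", "/")
        if norm.startswith("/") or norm[1:2] == ":" or ".." in norm.split("/"):
            bad.append(n)
    return bad

def scan_attachment(filename: str, data: bytes) -> dict:
    """Verdict for one mail attachment; 'quarantine' is the suggested handling."""
    ace = is_ace(data)
    bad = suspicious_paths(ace_member_names(data)) if ace else []
    masquerade = ace and filename.lower().endswith(".rar")
    return {"ace": ace, "masquerade": masquerade, "traversal": bad,
            "quarantine": bool(ace and (bad or masquerade))}

def build_ace(member_names: list) -> bytes:
    """Constructed ACE-shaped bytes for exercising the scanner; not a real archive."""
    main = bytes([HDR_MAIN]) + struct.pack("<H", 0) + ACE_MAGIC + b"\x00" * 20
    out = struct.pack("<HH", 0, len(main)) + main
    for n in member_names:
        fn = n.encode("latin-1")                             # 26 zero bytes: packsize..reserved
        body = bytes([HDR_FILE]) + struct.pack("<H", FLAG_ADDSIZE) + b"\x00" * 26 + struct.pack("<H", len(fn)) + fn
        out += struct.pack("<HH", 0, len(body)) + body
    return out
```

Calling `scan_attachment("invoice.rar", build_ace(["doc.pdf", "..\\..\\outside.exe"]))` returns a quarantine verdict because the content is ACE behind a .rar name and one member path climbs out of the extraction directory.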
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense
Russia's invasion of Ukraine increased