Eyal Sela Profile
Eyal Sela

@eyalsela

Followers
2K
Following
340
Media
78
Statuses
2K

Israel
Joined December 2008
@eyalsela
Eyal Sela
6 years
I would avoid associating any of these tools and domains to #APT33 until further proof is found
0
0
8
@eyalsela
Eyal Sela
6 years
My gut feeling is that Recorded Future made a wrong pivot and fell into a rabbit hole of unrelated infrastructure (i.e. not #APT33 ). The use of commodity RATs not known to be used by the group and abnormally high number of C2 domains supports this claim https://t.co/CeVTJCF00z
3
15
33
@eyalsela
Eyal Sela
6 years
Report: "Iranian Cyber-activities in the Context of Regional Rivalries and International Tensions" by @ETH https://t.co/dMiJoErEnt
0
10
33
@ClearskySec
ClearSky Cyber Security
6 years
By pivoting off the leaked IP addresses in the #oilrig dump we found connections to multiple publicly published and unpublished campaigns. The following domains were all hosted on these IPs, or on ones related to them.
1
35
54
@secman_pl
Bartek Jerzman
7 years
A Guide to Cyber Attribution #FOR578 PDF
0
4
23
@ClearskySec
ClearSky Cyber Security
7 years
a file named "Timelines - ECRL.docx" (likely referring to the Malaysian "East Coast Rail Link" project), uses template injection to load a macro from 167.99.72\.82. The macro drops an unknown dll backdoor and side-loads it via MsMpEng.exe. Then it beacons to C2 at 195.12.50\.168
2
53
95
@ClearskySec
ClearSky Cyber Security
7 years
A VBS file within a RAR titled "President Sisi and Mahmoud Abbas Meeting (MoM)" targeted someone likely in the Palestinian Authority. An article from the Lebanese outlet Almodon (first picture) was edited and presented as a decoy (second picture). C2: windows-updates[.]co:2083
6
25
44
@ClearskySec
ClearSky Cyber Security
7 years
@360TIC Also these: data-microsoft\.services asimov-win-microsoft\.services iecvlist-microsoft\.live onecs-live\.services
0
2
2
@ClearskySec
ClearSky Cyber Security
7 years
@360TIC Further #DarkHydrus indicators: 0ffice365\.life 0ffice365\.services 0nedrive\.agency akadns\.live akamai\.agency akamaiedge\.live akamaiedge\.services akamaized\.live akdns\.live azureedge\.today cloudfronts\.services corewindows\.agency edgekey\.live hotmai1\.com
1
11
9
@eyalsela
Eyal Sela
7 years
Might be a good idea not to use @HybridAnalysis's YARA search tool 🧐
1
1
6
@ClearskySec
ClearSky Cyber Security
7 years
Report: Iranian threat group #MuddyWater's Operations in Lebanon and Oman https://t.co/yimW2TFqvp
1
54
57
@ClearskySec
ClearSky Cyber Security
7 years
@James_inthe_box @FewAtoms @Voulnet @eyalsela This is quite a big infrastructure in an active campaign - seems to be a #CharmingKitten infrastructure but there is also overlap with #APT33.
1
13
25
@eyalsela
Eyal Sela
7 years
(I was told IsSpace was shared, so its use does not necessarily connect the indictment to #DragonOK)
1
1
4
@eyalsela
Eyal Sela
7 years
4. #DragonOK: based on the use of IsSpace malware (though maybe others had access to it?) [6]
2
0
5
@eyalsela
Eyal Sela
7 years
3. The latter domain was registered in 2012 by kathycat88@gmail.com, which shows up in a post by Alienvault describing the use of CVE-2012-4969, a zero day at the time [5].
1
0
6
@eyalsela
Eyal Sela
7 years
2. #Black_Vine: host capstoneturbine.cechire\.com that is mentioned in the indictment shows up in a Symantec report from 2015 [3]. This host, as well as capstonetrubine\.com, are also mentioned in the 2017 indictment of Yu Pingan (who provided/distributed Sakula malware) [4].
1
3
9
@eyalsela
Eyal Sela
7 years
Interesting to see the mapping of the indictment of the Chinese intelligence officers [1] to APT groups and tools: 1. #Winnti: Gao Hong Ku, AKA mer4en7y shows up in a 2013 Kaspersky report [2]
1
40
79
@ClearskySec
ClearSky Cyber Security
7 years
A PDF titled "Commander Mohammed Dahlan and The Egyptian Intelligence Meeting (MoM) Leakage" was used to infect someone in the Palestinian Authority (based on VT upload source). It contained a link to a mobile RAT hosted in Google Drive. We've detected a dozen more samples.
2
35
59
@eyalsela
Eyal Sela
7 years
Verifying myself: I am eyalsela10 on https://t.co/dQ4q0Wgauw. jjZ5ioIEq8MlEOaZ0JlFzoiJMb4o0mTcdkB- /
0
0
3