Cybercriminals scanning the vulnerable websites of a specific target, later used for either command and control server or malware attacks if the website will be compromised successfully.
so far attackers compromised the wide range of targets including, governments along with organizations in the research, chemical, engineering, manufacturing, consulting, finance, telecoms, and several other sectors.
Aka APT33 group mainly focused on Saudi Arabia, with the 42% of attack since 2016 and its compromised 18 organization in the U.S alone over the past three years.
In this case, Elfin targeted organization including engineering, chemical, research, energy consultancy, finance, IT, and healthcare sectors in the U.S alone.
Exploiting the Vulnerabilities
In this case, successfully exploited this vulnerability allow attackers
Attackers send spear phishing emails to the target and attempt to exploit this WinRAR vulnerability.
Open-source hacking Tools & Custom Malware
During the attack, Elfin Use the variety of open source hacking tools, custom malware, commodity malware to compromise the different target.
In this custom malware family includes Notestuk (Backdoor.Notestuk
Elfin APT also makes frequent use of a number of publicly available hacking tools, including:
- LaZagne (SecurityRisk.LaZagne): A login/password retrieval tool
- Mimikatz (Hacktool.Mimikatz): Tool designed to steal credentials
Gpppassword: Tool used to obtain and decrypt Group Policy Preferences (GPP) passwords
- SniffPass (SniffPass): Tool designed to steal passwords by sniffing network traffic
Also, many commodity malware tools were used for these attacks and