Meeting POWERBAND: The APT33 .Net POWERTON variant

// Introduction

Since the Islamic revolution, US and regional rivals have put continuos effort in containing and isolating Iran. Implementing a foreign policy generally addressed as “strategic loneliness”, Iran’s defense strategy has been designed to compensate for the country’s low level of conventional capabilities with its activity in asymmetric warfare, and especially in the cyber domain.

Indeed, the implementation of the ‘maximum pressure strategy’ by the US has increased the tensions between Washington and Teheran, leading to an all-time low in the history of their relations. The combination of international and economic pressure and of asymmetric warfare is making room for further escalation in the area.

Advanced Persistent Threat 33 (APT33) is a hacker group supporting the Iranian government since at least 2013. The group has also been called Elfin, Refined Kitten, Magnallium, and Holmium.

APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.
In recent activity have been observing the APT33 hackers shifting their targets from IT networks toward critical infrastructures, leading them to wonder if they are considering cyber attacks that would cause serious disruptions.

If so, it wouldn’t be the first time they’ve caused trouble, Iranian hackers have carried out some of the worst acts of cyber sabotage in recent years, taking out computer networks in the Middle East and at times impacting the US. In particular, this post will focus on the analysis of a new implanter belonging to R.A.T. (Remote Administration Tool) family that we link with mid to high confidence to them.

// Initial Fingerprint

The malware is a .Net highly obfuscated executable (sha256: 3f5e63ac398f0207566387670741c3b620912fc3ba8539e9d1d7106d07d26422) currently still not reported in the “APT” threat landscape nor linked to a specific actor.

Indeed, the use of the .Net environment in the research about malware and tools related to this actor represents today an update of the TTPs associated with it as, at the best of our knowledge, it’s never been reported before.

The variant under analysis shares similarity with well known APT33 late-stage backdoor which is referred with  the name of POWERTON (sha256: f45a8844c575e3fcc1f7a05dadfdfc293a53d0142f1a9b7d76a8f3aed5b5b0a6).  

We internally dubbed this new implant under the name of POWERBAND for the composed path of HTTPs requests during its communication to command and control server.

It starts by creating a structure that represents the victim’s state throughout the execution of the program, storing the current directory, the range of values for the Sleep time and for the hybernation phase.

Furthermore, it creates a unique identifier (called BKey) for each infected victim.

Bkey is composed by the MD5 of the MachineName, UserDomainName and UserName, by taking in uppercase only the first 24 characters of the hash. Main usage of this value is to encrypt the machine’s fingerprint information as:

  1. machine name
  2. username
  3. Bkey itself

and to encrypt and decrypt all the data exchanged with the CnC communications.

// C2 interactions

The C2 server used by the implanter is : dailystudy[.]org and it contains a specific path for each victim, using standard paths that are differentiated by the BKey received.

When the implanter is ready to receive a command, it sends a POST request to the C2 containing the information encrypted in the previous fingerprinting part.

Each POST request sended is structured with the following HEADER fields :

User-Agent : Mozilla/5.0 (compatible; MSIE 10.0; Windows NT) 

Method : POST

Content-Type : application/json

The C2 HTTPS response contains a set of commands separated by “\n”, encrypted with the BKey and encoded in Base64.

Successively, the implanter recognize each command received, performing the operations and sending a POST requests containing the output of the commands.

Each request is differentiated depending on the command requested, changing the server directory paths :

  • dailystudy[.]org/album/PBKey/ : is used to send the result ot the C2 of an executed command;
  • dailystudy[.]org/track/BKey/ : is used to download files or to send screenshot images of the victim desktop;
  • dailystudy[.]org/music/Bkey/band : is used to upload files to the C2;

An example of the screenshot desktop command: 

// Persistence

To mantain the persistence in the victim system, the implanter receives a specific command which add as value the executable path implanter in the

SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run

registry key, with the possibility of injecting it into other users of the victim system, removing it or checking if it’s present.

// Conclusions

Concluding we can see with good certainty that this implanter is attributable to APT33, having drawn many similarities by making a comparative analysis with a sample of POWERTON already attributed to the same group. 

Both the implants are structured in the same way and using the same logic for the C2 interactions, encryption, data communications and the methodology on how commands are received, parsed and processed.

Below are some examples of similarities found:

Similarities in the encryptor generation:

Similarities about commands handling:

// Indicators of Compromise

Domain name : dailystudy[.]org

IP Address: 91[.]134[.]187[.]27 

SHA256: 3f5e63ac398f0207566387670741c3b620912fc3ba8539e9d1d7106d07d26422

Further information about this campaign, the full set of indicators of compromise and detection rules are available consulting our cyber threat intelligence portal.