On 27 March 2019, Symantec reported that an Iran-linked cyber-espionage group that has been attacking critical infrastructure, energy and military organizations in Saudi Arabia and the United States for the past three years continues to target organizations in both countries. The group, tracked as APT33 and called Elfin by Symantec, has been active since at least late 2015 and has targeted a wide range of organizations, including research, government, engineering, chemical, consulting, manufacturing, finance and telecommunications companies, in the Middle East and elsewhere.
Symantec has monitored Elfin's activity since early 2016 and found that the group has run a heavily targeted campaign against multiple organizations, with 42% of the most recent attacks observed against Saudi Arabia and 34% against the United States. Over the past three years Elfin has targeted 18 US organizations in the sectors listed above, including a number of Fortune 500 companies.
The APT33/Elfin group has also been exploiting a recently disclosed critical vulnerability, CVE-2018-20250, in the widely used WinRAR file-compression application. The flaw is a path-traversal bug in the third-party UNACEV2.dll library that WinRAR used to unpack ACE-format archives: a crafted ACE file (typically renamed with a .rar extension so it looks like an ordinary archive) can carry a file name that escapes the chosen extraction directory, so extracting the apparently harmless archive silently drops a malicious file into the victim's Windows Startup folder, where it runs with the user's privileges at the next login. The WinRAR developers patched the issue by removing ACE support entirely in version 5.70, but because users must update WinRAR manually, the bug was actively exploited by various hacking groups and individual attackers soon after the details and proof-of-concept (PoC) exploit code became public.
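The point of the paragraph above is that the dangerous part of a CVE-2018-20250 archive is visible in the metadata before anything is extracted: the ACE signature (regardless of the file extension) and a stored file name that escapes the extraction directory or points at a Startup folder. The following scanner is an added example written for this page; it is not Symantec's tooling or code from the original article. It walks the ACE header chain as I read the documented layout (a CRC16/size/type/flags prefix on every header, "**ACE**" at offset 7 of the main header, a length-prefixed name in each file header), skips CRC checking and data decoding, and builds its own constructed sample archive with hypothetical file names so it runs offline. It is a triage aid for mail gateways or incident response, not a replacement for updating WinRAR.

```python
"""Header-only triage scanner for CVE-2018-20250-style ACE archives.

Added example for this page (not from the article or from Symantec).
Header layout is the author's reading of the ACE format and is asserted
only for the constructed sample below; verify against a real archive
before relying on it in production.
"""
import struct

ACE_MAGIC = b"**ACE**"   # signature at offset 7 of the main header
HDR_MAIN = 0
HDR_FILE = 1
FLAG_64BITSIZE = 0x0001  # file header: packsize/origsize are 8 bytes, not 4

STARTUP_MARKER = "start menu/programs/startup"


def is_ace(data: bytes) -> bool:
    """True if the blob is an ACE archive, whatever extension it was given."""
    return len(data) >= 14 and data[7:14] == ACE_MAGIC


def iter_ace_filenames(data: bytes):
    """Yield the stored file names of every file header, without extracting."""
    off = 0
    while off + 7 <= len(data):
        _crc, hsize, htype, hflags = struct.unpack_from("<HHBH", data, off)
        body = data[off + 4 : off + 4 + hsize]   # hd_size counts from hd_type
        if len(body) < hsize:
            break                                # truncated archive
        if htype == HDR_FILE:
            p = 3                                # skip hd_type(1) + hd_flags(2)
            if hflags & FLAG_64BITSIZE:
                packsize, _orig = struct.unpack_from("<QQ", body, p); p += 16
            else:
                packsize, _orig = struct.unpack_from("<II", body, p); p += 8
            p += 4 + 4 + 4 + 4 + 2               # ftime, attribs, crc32, techinfo, reserved
            (name_len,) = struct.unpack_from("<H", body, p); p += 2
            yield body[p : p + name_len].decode("cp437", errors="replace")
            off += 4 + hsize + packsize          # packed data follows the header
        else:
            off += 4 + hsize


def suspicious_names(names):
    """Return (name, reasons) for every stored name that should not be extracted blindly."""
    findings = []
    for name in names:
        norm = name.replace("\\", "/").lower()
        reasons = []
        if ".." in norm.split("/"):
            reasons.append("parent-directory traversal")
        if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
            reasons.append("absolute path")
        if STARTUP_MARKER in norm:
            reasons.append("targets Startup folder")
        if reasons:
            findings.append((name, reasons))
    return findings


def scan(data: bytes, claimed_ext: str = "") -> dict:
    """Triage verdict: ACE or not, name findings, and whether it masquerades as .rar."""
    if not is_ace(data):
        return {"ace": False, "findings": [], "extension_mismatch": False}
    return {
        "ace": True,
        "findings": suspicious_names(iter_ace_filenames(data)),
        "extension_mismatch": claimed_ext.lower() == ".rar",
    }


def build_ace(names) -> bytes:
    """Build a minimal ACE archive with empty stored entries (CRCs zeroed).
    Constructed test data for the scanner; WinRAR would reject it, which is fine."""
    def header(htype, flags, body):
        return struct.pack("<HHBH", 0, 3 + len(body), htype, flags) + body
    main = ACE_MAGIC + bytes([20, 20, 0, 0]) + b"\0" * 4 + b"\0" * 8
    out = header(HDR_MAIN, 0, main)
    for n in names:
        raw = n.encode("cp437")
        fbody = struct.pack("<IIIIIBBHH", 0, 0, 0, 0x20, 0, 0, 0, 0, 0)
        out += header(HDR_FILE, 0, fbody + struct.pack("<H", len(raw)) + raw)
    return out


# Constructed sample: one benign name, one traversal, one Startup-folder drop.
SAMPLE_NAMES = [
    "report.pdf",
    "..\\..\\dropper.exe",
    "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
]
SAMPLE_ACE = build_ace(SAMPLE_NAMES)

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_ACE, ".rar")["findings"]:
        print(f"{name!r}: {', '.join(reasons)}")
```

The extension check matters because WinRAR chose the ACE decoder by content, not by extension, so a phishing attachment named `.rar` that carries the ACE signature is itself a strong signal; any such file arriving after the patch dropped ACE support deserves a look even when no name is flagged.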
In the APT33 campaign, the WinRAR exploit was used against an organization in the Saudi Arabian chemical sector: two users at the target received a file via spear-phishing email that attempted to exploit the WinRAR vulnerability.