Quote:Security researchers are warning oil and aviation industry organizations to be on their guard after spotting a notorious Iranian APT group using private VPNs to keep its activity hidden.
APT33 has been linked to the infamous Shamoon destructive malware which knocked out tens of thousands of PCs at Saudi Aramco in 2012 and has been deployed across Europe and the Middle East since.
Now Trend Micro has observed the group using a dozen command and control (C&C) servers in a highly obfuscated attack targeting a narrow group of organizations in the US, Asia and Middle East.
“The C&C domains are usually hosted on cloud hosted proxies. These proxies relay URL requests from the infected bots to backends at shared webservers that may host thousands of legitimate domains,” said Trend Micro.
“The backends report bot data back to a data aggregator and bot control server that is on a dedicated IP address. The APT33 actors connect to these aggregators via a private VPN network with exit nodes that are changed frequently. The APT33 actors then issue commands to the bots and collect data from the bots using these VPN connections.”
Read more: https://www.infosecurity-magazine.com/ne...ecret-new/
![[-]](https://www.geeks.fyi/images/collapse.png)
