Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
Common Information
Type Value
UUID ff7be062-9e15-47fe-b135-8b60a710a461
Fingerprint c5882dc80bf7a4c0
Analysis status DONE
Considered CTI value 2
Text language
Published March 27, 2019, midnight
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Nov. 17, 2024, 6:55 p.m.
Headline Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
Title Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
Detected Hints/Tags/Attributes 101/3/107
Attributes
Type | #Events | Value
CVE | 31 | cve-2018-20250
Domain | 339 | system.net
Domain | 1 | host-manager.hopto.org
Domain | 3 | update-sec.com
Domain | 4 | mynetwork.ddns.net
Domain | 5 | mywinnetwork.ddns.net
Domain | 3 | hyperservice.ddns.net
Domain | 41 | ddns.net
Domain | 3 | service-avant.com
Domain | 5 | microsoftupdated.com
Domain | 3 | securityupdated.com
Domain | 3 | backupnet.ddns.net
Domain | 3 | srvhost.servehttp.com
Domain | 3 | servhost.hopto.org
Domain | 10 | servehttp.com
Domain | 6 | sytes.net
Domain | 5 | myftp.org
Domain | 3 | svcexplores.com
Domain | 8 | myftp.biz
Domain | 4 | remote-server.ddns.net
Domain | 6 | redirectme.net
Domain | 3 | remserver.ddns.net
Domain | 3 | mynetwork.cf
Domain | 4 | mypsh.ddns.net
File | 2 | jobdetails.rar
File | 2 | chfeeds.vb
File | 2 | index.jpg
File | 2 | %windir%\system32\cmd.exe
File | 249 | schtasks.exe
File | 1 | %username%\appdata\local\microsoft\feeds\chfeeds.vb
File | 2 | registry.ps1
File | 1 | rar32.exe
File | 1 | st-36-p4578.ps1
File | 119 | smss.exe
File | 30 | ftp.exe
File | 1 | jsuobf.exe
File | 1 | dwm32.exe
File | 9 | generic.dic
File | 41 | system.obj
sha256 | 1 | 5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f
sha256 | 2 | a67461a0c14fc1528ad83b9bd874f53b7616cfed99656442fb4d9cdd7d09e449
sha256 | 1 | f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5
sha256 | 1 | 87e2cf4aa266212aa8cf1b1c98ae905c7bac40a6fc21b8e821ffe88cf9234586
sha256 | 1 | 709df1bbd0a5b15e8f205b2854204e8caf63f78203e3b595e0e66c918ec23951
sha256 | 1 | a23c182349f17398076360b2cb72e81e5e23589351d3a6af59a27e1d552e1ec0
sha256 | 1 | 0b3610524ff6f67c59281dbf4a24a6e8753b965c15742c8a98c11ad9171e783d
sha256 | 1 | d5262f1bc42d7d5d0ebedadd8ab90a88d562c7a90ff9b0aed1b3992ec073e2b0
sha256 | 1 | ae1d75a5f87421953372e79c081e4b0a929f65841ed5ea0d380b6289e4a6b565
sha256 | 1 | e999fdd6a0f5f8d1ca08cf2aef47f5ddc0ee75879c6f2c1ee23bc31fb0f26c70
sha256 | 1 | 018360b869d8080cf5bcca1a09eb8251558378eb6479d8d89b8c80a8e2fa328c
sha256 | 1 | 367e78852134ef488ecf6862e71f70a3b10653e642bda3df00dd012c4e130330
sha256 | 1 | ea5295868a6aef6aac9e117ef128e9de107817cc69e75f0b20648940724880f3
sha256 | 1 | 6401abe9b6e90411dc48ffc863c40c9d9b073590a8014fe1b0e6c2ecab2f7e18
sha256 | 1 | bf9c589de55f7496ff14187b1b5e068bd104396c23418a18954db61450d21bab
sha256 | 1 | af41e9e058e0a5656f457ad4425a299481916b6cf5e443091c7a6b15ea5b3db3
sha256 | 1 | c7a2559f0e134cafbfc27781acc51217127a7739c67c40135be44f23b3f9d77b
sha256 | 1 | 99c1228d15e9a7693d67c4cb173eaec61bdb3e3efdd41ee38b941e733c7104f8
sha256 | 1 | 94526e2d1aca581121bd79a699a3bf5e4d91a4f285c8ef5ab2ab6e9e44783997
sha256 | 1 | dedfbc8acf1c7b49fb30af35eda5e23d3f7a202585a5efe82ea7c2a785a95f40
IPv4 | 3 | 89.34.237.118
IPv4 | 4 | 192.119.15.35
IPv4 | 1 | 217.147.168.123
IPv4 | 1 | 192.119.15.36
IPv4 | 3 | 95.211.191.117
IPv4 | 3 | 8.26.21.120
IPv4 | 3 | 162.250.145.234
IPv4 | 3 | 91.235.142.76
IPv4 | 3 | 8.26.21.119
IPv4 | 3 | 213.252.244.14
IPv4 | 3 | 91.235.142.124
IPv4 | 3 | 5.187.21.70
IPv4 | 3 | 217.13.103.46
IPv4 | 2 | 5.187.21.71
IPv4 | 3 | 91.230.121.143
IPv4 | 3 | 8.26.21.117
IPv4 | 3 | 37.48.105.178
IPv4 | 3 | 64.251.19.214
IPv4 | 1 | 64.251.19.217
IPv4 | 3 | 64.251.19.216
IPv4 | 1 | 64.251.19.215
IPv4 | 3 | 64.251.19.232
IPv4 | 3 | 162.250.145.204
IPv4 | 3 | 188.165.4.81
IPv4 | 3 | 64.251.19.231
IPv4 | 1 | 162.250.145.222
IPv4 | 3 | 8.26.21.222
IPv4 | 1 | 8.26.21.223
IPv4 | 3 | 217.147.168.44
IPv4 | 3 | 195.20.52.172
IPv4 | 3 | 8.26.21.221
IPv4 | 1 | 8.26.21.220
IPv4 | 3 | 91.230.121.144
IPv4 | 3 | 5.79.127.177
IPv4 | 3 | 192.119.15.37
IPv4 | 1 | 192.119.15.38
IPv4 | 3 | 192.119.15.39
IPv4 | 1 | 192.119.15.40
IPv4 | 3 | 192.119.15.41
IPv4 | 1 | 192.119.15.42
Threat Actor Identifier - APT | 181 | APT33
Url | 1 | http://mynetwork.ddns[dot]net:880
Url | 1 | https://217.147.168[dot]46:8088/index.jpg
Url | 1 | http://89.34.237[dot]118:808/rar32.exe
Url | 1 | http://mynetwork.ddns[dot]net:880/st-36-p4578.ps1
Url | 1 | http://192.119.15[dot]36:880/ftp.exe
Url | 1 | ftp://89.34.237[dot]118:2020
Windows Registry Key | 2 | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB
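The listing above is only useful once it is matched against telemetry. The script below is an added example, not code from this page or from Symantec: it refangs a subset of the rows transcribed from the listing (including the one written as `ddns[dot].net`), builds indicator sets, and runs them over a few constructed DNS, proxy and EDR log lines. Two details a hunter needs are built in: a URL row also yields its host as a domain or IPv4 indicator, and the bare No-IP zones in the listing (ddns.net, hopto.org, servehttp.com, sytes.net, myftp.org, myftp.biz, redirectme.net) are public dynamic-DNS providers, so a hit on the zone itself, or on an unlisted name under it, is reported as low confidence rather than as a match. The `IOC_ROWS` subset and the log lines are constructed for the example.

```python
"""Hunt for indicators from the listing above in constructed log lines.

Added example (not the page's or Symantec's code). IOC_ROWS is a subset
transcribed from the listing; SAMPLE_LOGS is made up for the demonstration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# "<type> <value>" rows copied from the listing, defanging left as printed.
IOC_ROWS = """
Domain mynetwork.ddns.net
Domain update-sec.com
Domain microsoftupdated.com
Domain ddns.net
Domain hopto.org
IPv4 89.34.237.118
IPv4 192.119.15.36
sha256 5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f
Url http://mynetwork.ddns[dot].net:880/st-36-p4578.ps1
Url http://89.34.237[dot]118:808/rar32.exe
"""

# No-IP dynamic-DNS zones: listed only because the actor's hostnames sit under
# them, so a hit on the bare zone is weak evidence on its own.
DDNS_PROVIDER_ZONES = {"ddns.net", "hopto.org", "servehttp.com", "sytes.net",
                       "myftp.org", "myftp.biz", "redirectme.net"}

HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def refang(value):
    """Undo the listing's defanging: '[dot]' / '[.]' -> '.', 'hxxp' -> 'http'.
    One row reads 'ddns[dot].net'; the doubled dot that produces is collapsed."""
    value = re.sub(r"\[\s*(?:dot|\.)\s*\]", ".", value, flags=re.I)
    value = re.sub(r"^hxxp", "http", value, flags=re.I)
    return re.sub(r"\.{2,}", ".", value)


def parse_iocs(rows):
    """Build lowercase indicator sets; a URL also contributes its host."""
    iocs = {"domain": set(), "ipv4": set(), "sha256": set(), "url": set()}
    for row in rows.strip().splitlines():
        kind, value = row.split(maxsplit=1)
        value = refang(value.strip()).lower()
        kind = kind.lower()
        if kind == "url":
            iocs["url"].add(value)
            host = urlsplit(value).hostname
            try:
                ipaddress.IPv4Address(host)
                iocs["ipv4"].add(host)
            except ValueError:
                iocs["domain"].add(host)
        else:
            iocs[kind].add(value)
    return iocs


def match_line(line, iocs):
    """Return (confidence, indicator type, indicator) tuples for one log line."""
    hits = []
    low = line.lower()
    for host in HOST_RE.findall(low):
        if host in iocs["domain"]:
            conf = "low" if host in DDNS_PROVIDER_ZONES else "high"
            hits.append((conf, "domain", host))
            continue
        # Unlisted name under a listed domain: a lead to pivot on, not a match.
        labels = host.split(".")
        for i in range(1, len(labels) - 1):
            parent = ".".join(labels[i:])
            if parent in iocs["domain"]:
                hits.append(("low", "domain-parent", parent))
                break
    for ip in IPV4_RE.findall(low):
        if ip in iocs["ipv4"]:
            hits.append(("high", "ipv4", ip))
    for digest in SHA256_RE.findall(low):
        if digest in iocs["sha256"]:
            hits.append(("high", "sha256", digest))
    for url in iocs["url"]:
        if url in low:
            hits.append(("high", "url", url))
    return hits


def hunt(lines, iocs):
    """Map every log line that produced at least one hit to its hits."""
    results = {}
    for line in lines:
        hits = match_line(line, iocs)
        if hits:
            results[line] = hits
    return results


# Constructed DNS, proxy and EDR log lines (not real telemetry).
SAMPLE_LOGS = [
    "2019-03-27T10:01:02Z dns client=10.0.0.15 query=mynetwork.ddns.net type=A",
    "2019-03-27T10:01:05Z proxy client=10.0.0.15 GET http://89.34.237.118:808/rar32.exe status=200",
    "2019-03-27T10:02:11Z dns client=10.0.0.22 query=home-cam.ddns.net type=A",
    "2019-03-27T10:03:40Z edr host=WS-07 file=jobdetails.rar "
    "sha256=5798AEFB07E12A942672A60C2BE101DC26B01485616713E8BE1F68B321747F2F",
    "2019-03-27T10:04:00Z dns client=10.0.0.31 query=www.example.com type=A",
]

if __name__ == "__main__":
    for line, hits in hunt(SAMPLE_LOGS, parse_iocs(IOC_ROWS)).items():
        print(line)
        for conf, kind, value in hits:
            print(f"    [{conf}] {kind}: {value}")
```

Two caveats when extending this to the full table: several File rows (cmd.exe, schtasks.exe, smss.exe, ftp.exe) are names of legitimate Windows binaries and will match on every host, so they only carry weight together with path, parent-process or command-line context; and the Domain row system.net is also the name of a .NET namespace, which is a likely reason for its high event count, so treat it the same way.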