APT33 leveraged now-disrupted Microsoft Azure subscriptions to conduct password spraying attacks against the targeted entities, while using compromised education sector accounts to obtain additional infrastructure that was then used for subsequent malware intrusions against the government, space, and defense industries.
Attacks involved the malicious 'ss-otr' plugin installer, which was signed with a certificate from the Polish firm Interrex and retrieved either a DarkGate payload signed with the same Interrex certificate or PowerShell scripts from an attacker-controlled server.
Intrusions begin with lures that install HZ RAT for macOS disguised as an OpenVPN Connect installer; once executed, the malware can run shell commands, write files to disk, upload files to the command-and-control server, and monitor whether the device is reachable.
sedexp, which can deploy a remote shell for access to infected devices and modify process memory, has been used by threat actors to hide modified Apache configuration files, web shells, and its own udev rule.
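Because sedexp persists through a udev rule, one defensive check is to review every `RUN` assignment in the udev rules directories and flag commands that look nothing like distribution helpers. The scanner below is an added example written for this page, not code from the sedexp analysis; the rule files it inspects are constructed in-line (no real sedexp artefacts are reproduced), and the `load_rules_dir` helper is a hypothetical convenience for pointing the same heuristics at a live system.

```python
import glob
import os
import re
from typing import Dict, List

# Constructed sample rule files keyed by path (examples, not from any real system).
SAMPLE_RULE_FILES: Dict[str, str] = {
    "/etc/udev/rules.d/70-sample-usb.rules":
        'ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="1d6b", MODE="0664", GROUP="plugdev"\n',
    "/etc/udev/rules.d/99-sample-persist.rules":
        '# constructed example, modelled on udev-rule persistence in general\n'
        'ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/tmp/.cache/helper run:+"\n'
        'KERNEL=="sda", RUN+="/bin/sh -c \'/var/tmp/.svc/run &\'"\n',
}

# Matches RUN+="...", RUN="..." and RUN{program}+="..." assignments.
RUN_RE = re.compile(r'\bRUN(?:\{\w+\})?\s*\+?=\s*"((?:[^"\\]|\\.)*)"')

# Heuristics applied to the command string of each RUN assignment.
HEURISTICS: Dict[str, re.Pattern] = {
    # a shell interpreter in a udev hook is unusual for distribution rules
    "shell_interpreter": re.compile(r'(?:^|[\s/])(?:sh|bash|dash|zsh|ksh)(?:\s|$)'),
    # world-writable temp directories or hidden dot-directories as program paths
    "temp_or_hidden_path": re.compile(r'/(?:tmp|var/tmp|dev/shm)/|/\.[^/\s]'),
    # download or networking tools invoked from a device event
    "network_tool": re.compile(r'(?:^|[\s/])(?:curl|wget|nc|ncat|socat)(?:\s|$)'),
}

# Char major 1 covers memory devices such as /dev/null and /dev/random, which exist on
# every boot, so a rule keyed to them fires unconditionally rather than on real hardware.
ALWAYS_PRESENT_RE = re.compile(r'ENV\{MAJOR\}=="1"')


def scan_rules(files: Dict[str, str]) -> List[dict]:
    """Return one finding per RUN assignment that trips at least one heuristic."""
    findings: List[dict] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            for match in RUN_RE.finditer(stripped):
                cmd = match.group(1)
                reasons = [name for name, rx in HEURISTICS.items() if rx.search(cmd)]
                if ALWAYS_PRESENT_RE.search(stripped):
                    reasons.append("always_present_device")
                if reasons:
                    findings.append({"file": path, "line": lineno,
                                     "command": cmd, "reasons": reasons})
    return findings


def load_rules_dir(*dirs: str) -> Dict[str, str]:
    """Hypothetical helper: read *.rules files from the given directories."""
    files: Dict[str, str] = {}
    for d in dirs:
        for path in sorted(glob.glob(os.path.join(d, "*.rules"))):
            with open(path, "r", errors="replace") as fh:
                files[path] = fh.read()
    return files


if __name__ == "__main__":
    for f in scan_rules(SAMPLE_RULE_FILES):
        print(f"{f['file']}:{f['line']} {f['reasons']} -> {f['command']}")
```

On a live host, replace the constructed dictionary with `load_rules_dir("/etc/udev/rules.d", "/usr/lib/udev/rules.d")` and triage the hits against the package that owns each file; the heuristics are deliberately broad, so a vendor rule that legitimately calls a shell will also surface and needs allow-listing.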
Attacks began with the download of malicious ZIP files posing as pirated movies and containing an LNK file, which connects to a content delivery network hosting a memory-only JavaScript dropper that in turn executes PEAKLIGHT, according to an analysis from Mandiant.
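A mail gateway or download proxy can catch the lure stage described above before any LNK is opened by inspecting archive members for shortcut files, including ones renamed to look like media. The inspector below is an added example for this page, not Mandiant's code or tooling; the ZIP it examines is built in memory from constructed entries whose LNK bodies contain only the Shell Link header signature, so nothing in the sample is a working shortcut or a real PEAKLIGHT artefact.

```python
import io
import zipfile
from typing import Dict, List

# Shell Link (.lnk) files begin with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
MEDIA_EXT = {"mp4", "mkv", "avi", "mov", "wmv"}


def build_sample_zip() -> bytes:
    """Construct an in-memory ZIP resembling a pirated-movie lure (sample data, not real)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"constructed sample archive")
        zf.writestr("trailer.mp4", b"\x00" * 32)                      # harmless filler
        zf.writestr("Movie.Title.2024.1080p.mp4.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("sample.mp4", LNK_MAGIC + b"\x00" * 60)           # shortcut hiding behind a media name
    return buf.getvalue()


def inspect_zip(data: bytes) -> List[Dict]:
    """Return a finding for every member that looks like a Windows shortcut lure."""
    findings: List[Dict] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            has_lnk_ext = name.endswith(".lnk")
            has_lnk_sig = head.startswith(LNK_MAGIC)
            parts = name.rsplit(".", 2)
            double_media = (len(parts) == 3 and parts[1] in MEDIA_EXT and parts[2] == "lnk")

            reasons: List[str] = []
            if has_lnk_ext:
                reasons.append("lnk_extension")
            if has_lnk_sig:
                reasons.append("lnk_signature")
            if has_lnk_sig and not has_lnk_ext:
                reasons.append("extension_mismatch")
            if double_media:
                reasons.append("media_double_extension")
            if reasons:
                findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(f"{f['name']} ({f['size']} bytes): {', '.join(f['reasons'])}")
```

Checking the header signature as well as the extension matters because Windows Explorer hides the `.lnk` suffix and a renamed shortcut still opens as one; a hit on `extension_mismatch` is worth quarantining even when the archive name itself looks benign.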