Over the course of the last year, Recorded Future research has shown that Iran-nexus groups, possibly including APT33 (also called Elfin), built up a large amount of operational network infrastructure throughout 2019. In November 2019, Microsoft disclosed that APT33 had shifted its focus from IT networks to the physical control systems used in electric utilities, manufacturing, and oil refineries. We have also documented state-sponsored Iran-nexus groups making heavy use of freely available commodity malware for active network intrusions. Such tools are usually intended for red-team exercises run to test an organization's defenses. One such tool used by several Iran-nexus groups is PupyRAT.
Using Recorded Future remote access trojan (RAT) controller detections and network traffic analysis techniques, Insikt Group identified a PupyRAT command and control (C2) server communicating with a mail server for a European energy sector organization from late November 2019 until at least January 5, 2020.