Hi-Zor
⚠️ Overview
Hi-Zor is a remote access trojan (RAT) first identified in January 2023 by the Cybereason Nocturnus team, attributed to the Iranian threat group APT33 (also tracked as Elfin, Magnallium, or Refined Kitten). It functions as a post-exploitation tool deployed primarily against defense, aerospace, and government sectors in the Middle East and North America.
🔧 Technical Capabilities
Hi-Zor is written in C++ and uses a modular architecture with loader, core, and plugin components. Commands are exchanged with its command-and-control (C2) server over a custom protocol carried on HTTP or HTTPS; an RSA public key embedded in the loader is used to encrypt the C2 traffic. The core can download and execute additional payloads, including a keylogger and a screen-capture module. Persistence is achieved through a scheduled task or a registry Run key entry (MITRE ATT&CK T1053.005, T1547.001). Evasion techniques include XOR encoding of embedded strings, sleep timers to outlast sandbox analysis windows, and checks for virtual-machine artifacts such as hypervisor MAC address prefixes and VM-specific registry keys (T1497.001). The malware carries a hardcoded list of target organizations and moves laterally over remote services, namely RDP and SMB/Windows admin shares (T1021.001, T1021.002); these are legitimate protocols used with stolen credentials, not exploits. C2 infrastructure relies on dedicated domains registered through privacy-protected WHOIS services and hosted on Iranian IP ranges.
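The XOR string encoding mentioned above is the obfuscation an analyst most often has to undo by hand when triaging a sample like this. The following is an added example, not code from the original page or from any Hi-Zor analysis: it brute-forces a single-byte XOR key by scoring each candidate plaintext for printable, UA/URL-like ASCII and recovers the page's reported User-Agent string from a constructed encoded blob. The key 0x5A and the assumption that the strings use single-byte XOR are illustrative; a real sample may use a multi-byte or rolling key, in which case the same scoring approach is applied per key position.

```python
import string

# Constructed sample: the User-Agent string reported on this page, XOR-encoded
# with a single-byte key of 0x5A. The key and the encoding scheme are
# illustrative assumptions, not values recovered from a Hi-Zor sample.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"Mozilla/5.0 (Windows NT 6.1; Win64; x64) HiZor/1.0"
SAMPLE_ENCODED = bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAINTEXT)

LETTERS = set(string.ascii_letters.encode())
COMMON = set((string.digits + " /.:-_").encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes) -> int:
    """Heuristic plaintext score: reward letters most, digits and the
    punctuation common in URLs and User-Agent strings next, tolerate other
    printable ASCII, and penalise control and high bytes heavily."""
    score = 0
    for b in candidate:
        if b in LETTERS:
            score += 2
        elif b in COMMON:
            score += 1
        elif 0x20 <= b < 0x7F:
            pass
        else:
            score -= 10
    return score


def recover_single_byte_xor(blob: bytes) -> tuple[int, bytes]:
    """Try every key 1..255 and return (key, plaintext) with the best score.
    Key 0 is skipped because it leaves the blob unchanged."""
    best_key = max(range(1, 256), key=lambda k: score_plaintext(xor_bytes(blob, k)))
    return best_key, xor_bytes(blob, best_key)


if __name__ == "__main__":
    key, text = recover_single_byte_xor(SAMPLE_ENCODED)
    print(f"key=0x{key:02x} text={text.decode('ascii', 'replace')}")
```

In practice, run the recovery over each candidate string region (or the whole data section) of the unpacked binary and keep only results whose score is well above the runner-up; a flat score distribution usually means the data is not single-byte XOR at all.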
📜 History & Notable Incidents
Hi-Zor was publicly documented in October 2023 following a campaign that compromised a Middle Eastern defense contractor and exfiltrated sensitive intellectual property. Cybereason linked the tool to APT33 based on code similarities with tools previously attributed to the group, including Shamoon wiper variants. Initial access in that campaign reportedly relied on CVE-2012-0158, an MSCOMCTL ActiveX vulnerability in Microsoft Office exploited through malicious documents. CVE-2019-0859 is also listed in the reporting, but it is a Win32k elevation-of-privilege vulnerability, so it fits the post-access privilege-escalation stage rather than delivery. No CVEs are tied to Hi-Zor itself; it is delivered by exploiting known Windows and Office vulnerabilities. As of early 2024, no law enforcement actions have been publicly reported.
🔍 Detection Indicators
The file hashes reproduced in the source material are MD5 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 and SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. Neither should be loaded into a blocklist as-is: the SHA256 value is the hash of zero bytes (an empty file), so it cannot identify a malware sample, and the MD5 value is a sequential hexadecimal pattern that reads as a placeholder. Obtain verified hashes from the original report before use. Behavioral indicators include outbound connections to addresses in 185.234.73.0/24 and a Run value named HiZorService created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (in Sysmon telemetry this appears under HKU\<user SID>\... rather than HKCU). Network IOCs: HTTP POST requests to /api/command with the custom User-Agent string Mozilla/5.0 (Windows NT 6.1; Win64; x64) HiZor/1.0. Mutex names include HiZor_Mutex_2023.
☠️ Risk & Impact
Hi-Zor enables remote persistent access, keylogging, screen capture, and file exfiltration, posing a severe risk to national security entities. The tool has been used in campaigns that exfiltrated thousands of documents from defense contractors, potentially leading to loss of classified information. Sectors most affected include aerospace and defense, with incidents reported in Saudi Arabia, Israel, and the United States.
🛡️ Mitigation
Defenders should block the identified C2 range and alert on the User-Agent string, deploy endpoint detection rules (e.g., Sigma rules for the mutex and the Run value), and apply patches for the vulnerabilities reported in the intrusion chain (CVE-2012-0158 for Office document delivery, CVE-2019-0859 for Win32k privilege escalation). Note that the IP range and User-Agent are operator-controlled and cheap to change, so treat them as short-lived indicators and weight host-side behavior (scheduled task or Run value creation followed by outbound HTTP POSTs from the same process) more heavily. Network segmentation and application allow-listing are recommended to limit lateral movement over RDP and SMB. For full details, see the Cybereason report published October 2023.
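The following added example, which is not code from the page or from any vendor report, turns the network, registry and mutex indicators listed in the Detection Indicators and Mitigation sections into a small detection pass over constructed telemetry. The proxy log format, the Sysmon Event ID 13 TargetObject strings and the mutex listing are all constructed sample input; the indicator values are the ones the page reports and have not been independently verified. The registry matcher also shows the HKU\<SID> to HKCU normalisation that a naive string match on the page's HKCU path would miss.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators as reported on this page (page-reported, not independently verified).
C2_NETWORK = ipaddress.ip_network("185.234.73.0/24")
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) HiZor/1.0"
C2_PATH = "/api/command"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "HiZorService"
MUTEX_NAME = "HiZor_Mutex_2023"

# Constructed proxy log lines (hypothetical format: ts src dst method url "user-agent").
PROXY_LOG = [
    '2024-01-15T10:00:00Z 10.0.0.5 185.234.73.12 POST http://185.234.73.12/api/command "Mozilla/5.0 (Windows NT 6.1; Win64; x64) HiZor/1.0"',
    '2024-01-15T10:00:01Z 10.0.0.6 93.184.216.34 GET http://example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2024-01-15T10:00:02Z 10.0.0.7 185.234.73.200 GET http://185.234.73.200/index.html "curl/8.4.0"',
]
# Constructed Sysmon Event ID 13 (RegistryEvent, value set) TargetObject strings.
# Sysmon records per-user hives as HKU\<SID>, so HKCU paths must be normalised first.
REGISTRY_EVENTS = [
    r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\HiZorService",
    r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
]
# Constructed mutex names as they might appear in a handle listing.
MUTEXES = ["HiZor_Mutex_2023", "Local\\SM0:1234:120:WilError_03"]

PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "(.*)"$')
HKU_SID_RE = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.IGNORECASE)


def match_proxy_line(line):
    """Return the list of indicator matches for one proxy log line (empty if clean)."""
    m = PROXY_RE.match(line)
    if not m:
        return []
    _ts, _src, dst, method, url, ua = m.groups()
    reasons = []
    try:
        if ipaddress.ip_address(dst) in C2_NETWORK:
            reasons.append("destination in reported C2 range")
    except ValueError:
        pass  # hostname rather than an IP literal; range check does not apply
    if ua == C2_USER_AGENT or "HiZor/" in ua:
        reasons.append("Hi-Zor User-Agent")
    if method == "POST" and urlparse(url).path == C2_PATH:
        reasons.append("POST to /api/command")
    return reasons


def normalise_hive(target):
    """Rewrite Sysmon's HKU\\<SID>\\... prefix to HKCU\\... for comparison."""
    return HKU_SID_RE.sub(lambda _m: "HKCU\\", target)


def match_registry_event(target):
    expected = (RUN_KEY + "\\" + RUN_VALUE_NAME).lower()
    return normalise_hive(target).lower() == expected


def match_mutex(name):
    return name == MUTEX_NAME or name.startswith("HiZor_Mutex_")


def scan(proxy_lines, registry_events, mutexes):
    """Correlate all three indicator families; each alert is (kind, subject, reasons)."""
    alerts = []
    for line in proxy_lines:
        reasons = match_proxy_line(line)
        if reasons:
            alerts.append(("network", line.split()[2], reasons))
    for target in registry_events:
        if match_registry_event(target):
            alerts.append(("registry", target, ["Run value HiZorService set"]))
    for name in mutexes:
        if match_mutex(name):
            alerts.append(("mutex", name, ["Hi-Zor mutex present"]))
    return alerts


if __name__ == "__main__":
    for kind, subject, reasons in scan(PROXY_LOG, REGISTRY_EVENTS, MUTEXES):
        print(f"[{kind}] {subject}: {', '.join(reasons)}")
```

The third proxy line matches on the destination range alone; a single weak reason like that is worth a low-severity alert, while the first line stacks all three network reasons and should be escalated. The number of reasons per alert is the natural severity input when wiring this into a SIEM rule.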
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.