Inter

Malware

⚠️ Overview

Inter is a custom remote access trojan (RAT) first publicly documented by FireEye in September 2017 as a tool used by the Iranian state‑sponsored group APT33 (also tracked as Elfin, Magnallium, or Refined Kitten). It is a backdoor, and it was primarily deployed against targets in the aviation, energy, and defense sectors across the Middle East and South Korea.

🔧 Technical Capabilities

The backdoor uses a client‑server architecture with command‑and‑control (C2) over HTTP. Stolen data is encoded with a simple XOR‑based cipher, and the C2 channel is then encrypted with a hard‑coded RC4 key. That fixed key is a weakness worth exploiting defensively: RC4's keystream depends only on the key, so every message is XORed with the same keystream; an analyst who recovers the key from a sample can decrypt all captured traffic, and even without the key one known plaintext exposes the same‑length prefix of every other message. Initial access is via spear‑phishing emails carrying malicious Office documents that exploit CVE‑2017‑11882 (the Equation Editor stack buffer overflow) to drop the payload. Persistence is reported through a system service, a WMI event subscription, or a registry Run key (the Run‑key value name is listed under Detection Indicators). For evasion, Inter masquerades as a legitimate Windows process (e.g., svchost.exe) and deletes its own executable after execution, relying on a secondary loader to re‑infect the host. The RAT supports file upload/download, command execution, screen capture, and keystroke logging. C2 requests carry a User‑Agent that mimics a common browser string ("Mozilla/5.0 (Windows NT 6.1; WOW64)") with a distinctive token appended; the token is listed under Detection Indicators and is a usable network signature, with the caveat that it can change between builds, so detection should not rest on it alone.
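As an added illustration (not code from the page's sources or from the malware itself) of the two‑layer C2 encoding just described, and of why a hard‑coded RC4 key is a weakness, the following Python models XOR‑then‑RC4 beacons and shows keystream reuse in action. The RC4 key, the XOR byte and the "ID=<host>|<data>" message layout are assumptions made for the demonstration; nothing here was recovered from a real sample.

```python
# Added example, not code from the page's sources. Models the C2 encoding
# described above (single-byte XOR over stolen data, then RC4 under a fixed
# key) and shows the keystream-reuse weakness of a hard-coded RC4 key.
# ASSUMED for the demo: the key, the XOR byte and the "ID=<host>|<data>" layout.

ASSUMED_RC4_KEY = b"example-hardcoded-key"   # hypothetical, not a real IOC
ASSUMED_XOR_BYTE = 0x5A                      # hypothetical


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; zip() truncates to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def xor_encode(data: bytes, k: int) -> bytes:
    """Single-byte XOR layer applied to the stolen data (symmetric)."""
    return bytes(b ^ k for b in data)


def build_plaintext(host_id: str, stolen: bytes) -> bytes:
    """Assumed message layout before transport encryption."""
    return b"ID=" + host_id.encode() + b"|" + xor_encode(stolen, ASSUMED_XOR_BYTE)


def build_beacon(host_id: str, stolen: bytes) -> bytes:
    """What the implant would put on the wire: RC4(fixed key, XOR-layered message)."""
    return rc4(ASSUMED_RC4_KEY, build_plaintext(host_id, stolen))


def decode_beacon(blob: bytes):
    """Analyst side, with the key pulled out of the binary: returns (host_id, stolen)."""
    plain = rc4(ASSUMED_RC4_KEY, blob)
    header, _, body = plain.partition(b"|")
    return header[len(b"ID="):].decode(), xor_encode(body, ASSUMED_XOR_BYTE)


def recover_without_key(known_plain: bytes, known_cipher: bytes, target_cipher: bytes) -> bytes:
    """Keystream reuse: RC4 under one fixed key XORs every message with the same
    keystream, so a single known plaintext/ciphertext pair exposes every other
    message up to that length, with no key needed."""
    keystream = xor_bytes(known_plain, known_cipher)
    return xor_bytes(target_cipher, keystream)


if __name__ == "__main__":
    c1 = build_beacon("HOST-1", b"contract.docx")
    c2 = build_beacon("HOST-2", b"schematic.dwg")
    print(decode_beacon(c1))
    # Same keystream + same 'ID=' prefix => identical first ciphertext bytes,
    # which is exactly what a network signature can key on.
    print("constant ciphertext prefix:", c1[:3] == c2[:3])
    p2 = recover_without_key(build_plaintext("HOST-1", b"contract.docx"), c1, c2)
    print("recovered without key:", p2 == build_plaintext("HOST-2", b"schematic.dwg"))
```

The practical consequence for defenders: a fixed‑key RC4 channel yields a constant ciphertext prefix wherever the plaintext prefix is constant, so a signature on those bytes survives even if the User‑Agent token changes, and a single decrypted beacon is enough to read every other beacon of the same length.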

📜 History & Notable Incidents

Inter was first observed in August 2017 during FireEye's investigation of APT33 activity, which included a campaign against a major Middle Eastern airline and a South Korean conglomerate. The group leveraged Inter in parallel with other tools to conduct industrial espionage; the source names BONDUPDATER and SHUTTERPANEL, but BONDUPDATER is attributed in FireEye's and Palo Alto Unit 42's public reporting to APT34 (OilRig), a separate Iranian group, so that pairing should be treated with caution. No law enforcement action against Inter's infrastructure has been publicly reported; private‑sector reporting (chiefly FireEye's APT33 report of September 2017) remains the primary source of incident documentation.

🔍 Detection Indicators

Known hashes include MD5 5c4e3c2a1b0d9f8e7a6b5c4d3e2f1a0b and a value published as SHA‑256, b5a4e3c2d1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6, for a sample published by FireEye. Note that the latter is only 60 hexadecimal characters, whereas a SHA‑256 digest has 64, so it is truncated or mis‑transcribed and must be checked against the original publication before being loaded into a blocklist. Behavioral indicators include creation of the mutex Inter_Mutex and registry persistence at HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value named "WindowsUpdate". Network IOCs include the C2 domain update.adobe-soft[.]com and a User‑Agent string containing "; MSIE 9.0; Inter/1.0".
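As an added example (not from the page's sources), the following Python matches the network indicators listed above against proxy log lines. The indicator values are taken from this page as printed and should be verified against the original report before deployment; the Squid‑like log format and the log lines are constructed for the demonstration. It makes a point the text does not: the distinctive User‑Agent token is absent from some requests, so domain matching is needed as well, and suffix‑based host matching avoids the false positives of a plain substring match.

```python
# Added example, not code from the page's sources. Matches the network IOCs
# listed on this page against proxy log lines. Indicator values are as printed
# on the page (verify before use); log format and log lines are constructed.
import re

IOC_DOMAINS_DEFANGED = ["update.adobe-soft[.]com"]
IOC_UA_SUBSTRINGS = ["; MSIE 9.0; Inter/1.0"]


def refang(indicator: str) -> str:
    """Reports defang domains ('[.]', 'hxxp') so they are not clickable; undo that before matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Constructed format: <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def host_of(url: str) -> str:
    """Pull the host out of an absolute URL (or a bare host/path)."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.IGNORECASE)
    return (m.group(1) if m else url.split("/", 1)[0]).lower()


def domain_matches(host: str) -> bool:
    # Exact host or any subdomain of a listed C2 domain. The leading '.' keeps a
    # substring look-alike such as update.adobe-soft.com.example.net from matching.
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def match_line(line: str):
    """Return a hit record for a log line that trips an indicator, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    host = host_of(m["url"])
    reasons = []
    if domain_matches(host):
        reasons.append("c2-domain:" + host)
    if any(s in m["ua"] for s in IOC_UA_SUBSTRINGS):
        reasons.append("c2-user-agent")
    if not reasons:
        return None
    return {"ts": m["ts"], "client": m["client"], "host": host, "reasons": reasons}


def scan(lines):
    """All hits, in log order."""
    return [hit for hit in (match_line(line) for line in lines) if hit]


# Constructed sample log: line 2 shows a C2 request WITHOUT the UA token,
# line 5 shows a look-alike host that a naive substring match would flag.
SAMPLE_LOG = """\
2017-09-21T10:15:02Z 10.1.2.34 GET http://update.adobe-soft.com/check.php 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/5.0; MSIE 9.0; Inter/1.0)"
2017-09-21T10:15:09Z 10.1.2.34 POST http://update.adobe-soft.com/upload 200 "Mozilla/5.0 (Windows NT 6.1; WOW64)"
2017-09-21T10:16:44Z 10.1.2.57 GET https://www.adobe.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/61.0"
2017-09-21T10:17:01Z 10.1.2.99 GET http://cdn.example.net/lib.js 304 "Mozilla/5.0 (Windows NT 6.1; WOW64; MSIE 9.0; Inter/1.0)"
2017-09-21T10:18:30Z 10.1.2.12 GET http://update.adobe-soft.com.example.net/ 200 "Mozilla/5.0 (Windows NT 6.1; WOW64)"
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Against the sample, the scan returns three hits: the first request trips both indicators, the second trips only the domain (generic User‑Agent), and the fourth trips only the User‑Agent token while talking to an unlisted host, which is the case that warrants a look at the destination rather than an automatic block.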

☠️ Risk & Impact

Inter enables long‑term espionage, resulting in exfiltration of sensitive intellectual property, flight‑safety data, and industrial schematics from high‑value targets. The affected sectors (aviation, energy, and defense) face operational disruption and regulatory exposure under export‑control and data‑breach laws. No public loss figures exist for Inter incidents; remediation and intellectual‑property loss for intrusions of this kind are commonly estimated in the tens of millions of dollars.

🛡️ Mitigation

Organizations should apply Microsoft's November 2017 security update for CVE‑2017‑11882 (Equation Editor). The bulletin number MS17‑014 sometimes cited for this flaw is wrong: Microsoft retired the MSyy‑nnn bulletin scheme in April 2017, months before CVE‑2017‑11882 was fixed, and in January 2018 it removed the Equation Editor component from Office altogether, so a fully updated Office no longer carries the vulnerable EQNEDT32.EXE. Deploy network‑based detection for the known C2 domain and User‑Agent token, and use endpoint detection and response (EDR) tooling to alert on creation of the Inter_Mutex mutex, on new WMI event filters, consumers and filter‑to‑consumer bindings in the root\subscription namespace, and on the Run‑key value listed above. Regular user awareness training against spear‑phishing is also important. (Sources: FireEye APT33 report, September 2017; MITRE ATT&CK group G0064, APT33. Inter has no ATT&CK Software entry of its own.)
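As an added example (not from the page's sources), the following Python performs the EDR‑side hunting just described over Sysmon‑style events: a Run‑key value being set (Event ID 13), WMI filter, consumer and binding creation (Event IDs 19, 20 and 21) and svchost.exe launched from outside System32/SysWOW64 (Event ID 1). The event records, hostname, SID and file paths are constructed; only the Run‑key value name comes from this page.

```python
# Added example, not code from the page's sources. Hunts Sysmon-style events
# for the persistence and masquerading behaviours described on this page.
# Event IDs and field names follow Sysmon (13 registry value set, 19/20/21 WMI
# filter/consumer/binding, 1 process create); the events below are constructed.

RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
SUSPECT_VALUE_NAME = "windowsupdate"          # value name listed on this page, lower-cased
LEGIT_SVCHOST = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}
WMI_EVENT_NAMES = {19: "wmi-event-filter", 20: "wmi-event-consumer",
                   21: "wmi-filter-to-consumer-binding"}


def run_key_hit(ev):
    """Sysmon 13: TargetObject is the full key path ending in the value name."""
    if ev["EventID"] != 13:
        return None
    key, _, value = ev["TargetObject"].rpartition("\\")
    if key.lower().endswith(RUN_KEY_SUFFIX) and value.lower() == SUSPECT_VALUE_NAME:
        return f"run-key-persistence:{value}={ev.get('Details', '')}"
    return None


def wmi_hit(ev):
    """Sysmon 19/20/21: any new WMI subscription piece is worth a look; the
    binding (21) is the one that actually arms the persistence."""
    label = WMI_EVENT_NAMES.get(ev["EventID"])
    if label is None:
        return None
    detail = ev.get("Name") or f"{ev.get('Filter', '?')} -> {ev.get('Consumer', '?')}"
    return f"{label}:{detail}"


def masquerade_hit(ev):
    """Sysmon 1: svchost.exe launched from anywhere but System32/SysWOW64."""
    if ev["EventID"] != 1:
        return None
    image = ev["Image"].lower()
    if image.endswith("\\svchost.exe") and image not in LEGIT_SVCHOST:
        return f"svchost-masquerade:{ev['Image']}"
    return None


CHECKS = (run_key_hit, wmi_hit, masquerade_hit)


def hunt(events):
    """Return (time, host, finding) for every event that trips a check."""
    findings = []
    for ev in events:
        for check in CHECKS:
            result = check(ev)
            if result:
                findings.append((ev["UtcTime"], ev["Computer"], result))
    return findings


# Constructed events (flattened from Sysmon XML); SID, host and paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2017-09-21 10:14:58", "Computer": "WS-017",
     "Image": r"C:\Users\alice\AppData\Roaming\wupdate.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\alice\AppData\Roaming\wupdate.exe"},
    {"EventID": 13, "UtcTime": "2017-09-21 10:15:00", "Computer": "WS-017",
     "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"EventID": 19, "UtcTime": "2017-09-21 10:15:03", "Computer": "WS-017", "Name": "UpdFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "UtcTime": "2017-09-21 10:15:03", "Computer": "WS-017", "Name": "UpdConsumer",
     "Type": "Command Line", "Destination": r"C:\Users\alice\AppData\Roaming\wupdate.exe"},
    {"EventID": 21, "UtcTime": "2017-09-21 10:15:04", "Computer": "WS-017",
     "Filter": '__EventFilter.Name="UpdFilter"', "Consumer": 'CommandLineEventConsumer.Name="UpdConsumer"'},
    {"EventID": 1, "UtcTime": "2017-09-21 10:15:10", "Computer": "WS-017",
     "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "UtcTime": "2017-09-21 10:15:12", "Computer": "WS-017",
     "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding)
```

On the sample the hunt yields five findings and stays silent on the legitimate OneDrive Run entry and the real System32 svchost.exe. The three WMI events arriving within a second of each other, with the consumer pointing at the same dropped binary as the Run‑key value, is the pattern to build a correlation rule around rather than alerting on each piece in isolation.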


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.