An Iran-linked APT known as Chafer has been spotted targeting various entities based in Iran with an enhanced version of a custom malware that takes a very unique approach to communication by using the Microsoft Background Intelligent Transfer Service (BITS) mechanism over HTTP.
Meanwhile the victimology suggests the threat group is waging a cyber-espionage operation against diplomats there.
Over the course of the autumn, analysts at Kaspersky Lab observed attackers targeting embassies using an improved version of the Remexi malware, which Chafer has used in the past. It’s a spyware, capable of exfiltrating keystrokes, screenshots and browser-related data like cookies and history.
Remexi developers used the C programming language and the GCC compiler on Windows in the MinGW environment to create the latest version of the malware (which has a March 2018 time stamp). The main notable aspect of the code is that it consists of several working threads dedicated to different tasks that it deploys in its working directory, according to Kaspersky.
These include command-and-control (C2) command parsing, data exfiltration, launching victim activity logging in a separate module and seven threads for various espionage and auxiliary functions.
It’s also worth noting how these threads share information.
“One of the malware threads checks in an infinite loop if the mouse button was pressed and then also increments the integer iterator infinitely,” Kaspersky analysts said, in a posting this week. “If the mouse-hooking function registers a button hit, it lets the screenshotting thread know about it through a global variable. After that, it checks if the iterator divided by (captureScreenTimeOut/captureActiveWindowTimeOut) has a remainder of 0. In that case, it takes a screenshot.”
Legit Microsoft Tools in the Mix
A notable aspect of the improved trojan is the fact that the Remexi developers are relying on legitimate Microsoft utilities. For instance, for both C2 communication and exfiltration, Remexi uses the aforementioned BITS mechanism over HTTP.
“One of the things we keep in mind when we attribute a campaign to one or another actor is malefactors’ tactics, techniques and procedures (TTP),” said Denis Legezo, senior security researcher, Global Research and Analysis Team (GReAT) at Kaspersky Lab. “Some of them develop all the needed tools from scratch, and others extensively use third-party applications alongside the code by their own developers. Chafer now is among the latter ones. Data exfiltration using BITS/bitsadmin.exe isn’t typical at all.”
He added, “In terms of protective measures, such communication mechanism means that the system administrators have to check BITS inbound/outbound traffic to external network resources in their environments.”
This “greater reliance on freely available software tools, also known as ‘living off the land'” offers threat groups a key advantage, according to previous Chafer analysis from Symantec: “By limiting their use of malware, groups such as Chafer hope to be less conspicuous on a victim’s network and, if discovered, make their attack more difficult to attribute.”
Remexi also employs XOR encryption with a hardcoded key for its configuration and RC4 with a predefined password for encrypting the victim’s data. There are unique keys used by different samples, including the use of the word “salamati,” which means “health” in Farsi.
How Remexi is arriving on victims’ desktops remains a bit of a mystery.
“So far, our telemetry hasn’t provided any concrete evidence that shows us how the Remexi malware spread,” analysts said. “However, we think it’s worth mentioning that for one victim we found a correlation between the execution of Remexi´s main module and the execution of an AutoIt script compiled as PE, which we believe may have dropped the malware.”
That said, in earlier attacks from 2015, Symantec found evidence that Chafer had been compromising targeted organizations by attacking their web servers, likely through SQL injection attacks, in order to drop malware onto them. In 2017, the group added a new infection method to its toolkit, using malicious documents which are likely circulated using spear-phishing emails sent to individuals working in targeted organizations.
As for the victimology, Kaspersky speculates that the campaign could a domestic affair. In addition to the aforementioned “salamati” being used as a Farsi-language human-readable encryption key, the vast majority of the users targeted by this new variant of Remexi appear to have Iranian IP addresses, including those tied to foreign diplomatic entities based in the country.
“They were after local hosts for years, but foreign diplomatic entities are something new for them from our point of view,” Legezo told Threatpost. “We saw several emerging actors moving from domestic campaigns to international ones. Such development seems quite logical: they got experience, toolsets became more mature and the set of tasks also broadens.”
Also, “among the artifacts related to malware authors, we found in the binaries a .pdb path containing the Windows user name ‘Mohamadreza New,'” the analysts noted. “Interestingly, the FBI website for wanted cybercriminals includes two Iranians called Mohammad Reza, although this could be a common name or even a false flag.”
This victim set could signal a return to Chafer’s roots. According to the prior analysis from Symantec, foreign diplomats inside Iran have been a target for Chafer in the past. But the APT, which has been around since at least 2014, switched up its tactics in 2017 to expand beyond Iran to “hit organizations in Israel, Jordan, the United Arab Emirates, Saudi Arabia and Turkey.” Outside of the Middle East, Symantec also found evidence of attacks against one African airline and attempts to compromise an international travel reservations firm.
Sectors targeted included airlines; aircraft services; software and IT services companies serving the air and sea transport sectors; telecom services; payroll services; engineering consultancies; and document management software.
“So far, the campaign’s TTPs aren’t state of the art, but a trend among emerging actors is quite visible: they are becoming more mature and broadening their set of targets,” Legezo told Threatpost. “Speaking about targeted malware, one shouldn’t consider anyone as an amateur. Maybe we don’t see ‘advanced’ (from ‘APT’ abbreviation) techniques used in every campaign, but ‘persistent’ is here for sure anytime. Therefore, it’s important to think about protective measures, like security software, a remediation plan and threat intelligence in advance.”
This post was updated at 2:35 p.m. ET on Feb. 4 to reflect additional researcher insights.