Cybersecurity researchers from Bitdefender published a detailed report on an Iranian cyber espionage campaign directed against critical infrastructures in Kuwait and Saudi Arabia.
The Chafer APT group has distributed data stealer malware since at least mid-2014, it was focused on surveillance operations and the tracking of individuals.
The APT group targets telecommunication and travel industries in the Middle East to gather intelligence on Iran’s geopolitical interests.
“Victims of the analyzed campaigns fit into the pattern preferred by this actor, such as air transport and government sectors in the Middle East,” reads the researcher paper published by the experts.
“Some traces indicate that the goal of the attack was data exploration and exfiltration (on some of the victim’s tools such as Navicat, Winscp, found in an unusual location, namely “%WINDOWS%\ime\en-us-ime”, or
SmartFtpPasswordDecryptor were present on their systems).”
The attackers used several tools, including ‘living off the land’ tools, making it hard to attribute the attack to specific threat actors, as well as a custom-built backdoor.
The attacks against entities in Kuwait and Saudi Arabia have multiple similarities and shares some common stages, but experts noticed that the attacks seem more focused and sophisticated on victims from Kuwait.
Chafer APT launched spear-phishing attacks, the messages were used to deliver multiple backdoors that allowed them to gain a foothold, elevate their privileges, conduct internal reconnaissance, and establish persistence in the victim environment.
“Once the victims were compromised, attackers started to bring reconnaissance tools for network scanning (“xnet.exe”, “shareo.exe”) and credential gathering (as “mnl.exe” or “mimi32.exe”) or tools with multiple functionalities, such as CrackMapExec (for users’ enumeration, share listing, credentials harvesting and so on).” continues the report.
“During our investigation, on some of the compromised stations we observed some unusual behavior performed under a certain user account, leading us to believe the attackers managed to create a user account on the victims’ machine and performed several malicious actions inside the network, using that account.”
The attacks against entities in Kuwait appeared more sophisticated, attackers were creating a user account on the compromised machines and performed malicious actions inside the network, including credential harvesting with Mimikatz and lateral movements using multiple hacking tools from their arsenal.
Most of the hacking activity occurs on Friday and Saturday, coinciding with the weekend in the Middle East.
The campaign against a Saudi Arabian entity was characterized by the large use of social engineering attacks to trick the victim into executing a remote administration tool (RAT), The RAT employed in the attacks shares similarities with those used against Kuwait and Turkey.
“The case investigated in Saudi Arabia was not as elaborate, either because the attackers did not manage to further exploit the victim, or because the reconnaissance revealed no information of interest.” continues the report.
“While this attack was not as extensive as the one in Kuwait, some forensic evidence suggests that the same attackers might have orchestrated it. Despite the evidence for network discovery, we were not able to find any traces for lateral movement, most probably because threat actors were not able to find any vulnerable machines.”
The campaigns against Kuwait and Saudi Arabia demonstrate the intense cyberespionage activity carried out by Iran-linked APT groups in the Middle East. Anyway we cannot underestimate that these hacking groups are extending their range of action targeting government and organizations worldwide.
(SecurityAffairs – Chafer APT, hacking)