Iranian Groups Hit ISPs with Info-Stealing Attacks

Two newly discovered Iran-based espionage groups have been spotted launching information-stealing cyber raids on local dissidents and airlines and telecoms firms in the Middle East.

Symantec’s Security Response Team explained in a blog post that ‘Cadelle’ and ‘Chafer’ go back at least as far as July 2014, with C&C infrastructure registered even earlier—in 2011.

The groups, each estimated at between 5 and 10 operatives, use custom backdoors to help them grab the targeted information.

Cadelle employs ‘Backdoor.Cadelspy’ while Chafer uses ‘Backdoor.Remexi’ and ‘Backdoor.Remexi.B’.

“It’s unclear how Cadelle infects its targets with Backdoor.Cadelspy,” Symantec wrote.

“However, Chafer has been observed compromising web servers, likely through SQL injection attacks, to drop Backdoor.Remexi onto victims’ computers. Chafer then uses Remexi to gather user names and passwords to help it spread further across the network.”

Although the two teams don’t share C&C infrastructure, they appear to be focused on similar targets – with several machines experiencing infections by Cadelspy and Remexi within a small time frame.

“If Cadelle and Chafer are not directly linked, then they may be separately working for a single entity,” Symantec argued. “Their victim profile may be of interest to a nation state.”

A large number of Cadelle targets use anonymous proxies to get online, meaning they could be activists or others trying to keep their activities hidden from the government.

Customers of mainly Iranian ISPs are targeted, although some organizations from outside the country have been hit too, including airlines and telcos in places like Saudi Arabia and Afghanistan.

“The nature of the victims suggests that Cadelle and Chafer are primarily interested in tracking individuals in terms of their movements and communications,” explained Symantec. “Compromising regional telcos and airlines can help the attackers achieve this aim.”

The groups are thought to be Iranian by virtue of working primarily during Iran’s business week and at times of the day that align with the country’s time zone.

Malware file strings also include dates written in the Solar Hijri calendar, which is used in Iran and Afghanistan.
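The working-hours argument above, as an added example (not from Symantec's report or this article): score the same set of activity timestamps under competing time-zone and work-week hypotheses to see which one the activity fits best. The timestamps are constructed, the Saturday-to-Wednesday work week and 08:00-18:00 office hours are assumptions, and fixed UTC offsets stand in for real zone data (a real analysis would use tz-database zones so that daylight-saving changes are handled).

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed working weeks (Python weekday(): Mon=0 ... Sun=6) and office hours.
IRAN_WEEK = {5, 6, 0, 1, 2}          # Saturday to Wednesday (assumption)
WESTERN_WEEK = {0, 1, 2, 3, 4}       # Monday to Friday
OFFICE_HOURS = range(8, 18)          # 08:00-17:59 local (assumption)


def activity_profile(utc_stamps, offset_hours, work_days, work_hours=OFFICE_HOURS):
    """Shift UTC timestamps into a candidate zone (fixed offset, DST ignored) and
    return (fraction inside the candidate business week, activity per weekday)."""
    zone = timezone(timedelta(hours=offset_hours))
    per_weekday = Counter()
    in_hours = 0
    for ts in utc_stamps:
        local = ts.astimezone(zone)
        per_weekday[local.strftime("%a")] += 1
        if local.weekday() in work_days and local.hour in work_hours:
            in_hours += 1
    return in_hours / len(utc_stamps), per_weekday


# Constructed sample of 12 C&C check-in times (UTC); January avoids Iran's DST.
SAMPLE_UTC = [datetime(2015, 1, d, h, m, tzinfo=timezone.utc) for d, h, m in [
    (10, 5, 0), (10, 9, 15), (11, 4, 45), (11, 13, 0), (12, 6, 30), (13, 10, 0),
    (14, 7, 20), (14, 12, 40), (15, 6, 0), (16, 8, 0), (12, 20, 0), (17, 3, 0),
]]


def compare_hypotheses(stamps=SAMPLE_UTC):
    """Score the same timestamps under competing time-zone/work-week hypotheses."""
    return {
        "Tehran (UTC+3:30, Sat-Wed)": activity_profile(stamps, 3.5, IRAN_WEEK)[0],
        "UTC (Mon-Fri)": activity_profile(stamps, 0, WESTERN_WEEK)[0],
        "US Eastern (UTC-5, Mon-Fri)": activity_profile(stamps, -5, WESTERN_WEEK)[0],
    }


if __name__ == "__main__":
    for label, score in compare_hypotheses().items():
        print(f"{label:30s} {score:.2f} of activity inside business hours")
```

A high score under one hypothesis and low scores under the alternatives is only one weak signal; Symantec pairs it with other artefacts such as the calendar used in file strings.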

Cadelspy is the more fully featured backdoor, with keylogging, audio recording, screenshot and webcam capture, and clipboard-gathering capabilities, Symantec said.

The vendor claimed the groups are still active today and warned users to keep security software up-to-date, treat unsolicited emails with suspicion and ensure that key software on PCs and servers is regularly patched.
