New Iranian APT identified by FireEye and Kaspersky

News by Tom Reeve

Iranian cyber-threat group linked to Chafer appears to be ramping up activity against embassies and the travel and telecoms industries.

APT39 is leveraging home-grown malware and native apps (pic: MicroStockHub/GettyImages)

Reports from Kaspersky Lab and FireEye point to activity by a new Iranian advanced persistent threat dubbed APT39 which could be a spin-off of the Iranian threat group Chafer.

Monitoring and tracking of individuals for surveillance purposes appears to be the focus of APT39 which has been observed by FireEye attacking organisations in the travel and telecoms industries in an attempt to harvest detailed personal data on individuals of interest.

FireEye identified APT39 as an Iranian cyber-espionage group. Its focus on stealing personal information sets it apart from other Iranian threat groups which have been linked to influence operations, disruptive attacks and other threats, FireEye said.

FireEye said that the group appears to be targeting the telecoms and travel industries "to collect personal information on targets of interest and customer data for the purposes of surveillance to facilitate future operations".

APT39 appears to be closely aligned with a group known as ‘Chafer’, identified by Symantec in 2015. At the time, Symantec identified Chafer and another group, Cadelle, using backdoors to target political activists and dissidents mostly inside Iran but also in countries such as the US, Germany, the UK and Holland.

Meanwhile, Kaspersky Lab found the same group is targeting diplomatic missions in Iran, based on the IP addresses of the victims. It said that the focus on embassies appeared to be a departure for Chafer from its usual targets, but similarities in operations including the use of an updated Remexi backdoor has allowed Kaspersky Lab to link the two groups with "medium confidence".

Kaspersky Lab described Remexi as home-made spyware which facilitates remote administration of victims’ machines. Remexi’s capabilities include remote command execution and taking and exporting screenshots, browser data, login data and keystrokes.

The group uses native Windows tools to perform various functions, and exports data from the victims’ machines using the Microsoft Background Intelligent Transfer Service (BITS), used by Windows to enable Windows updates in the background. Other Windows utilities it has been observed using are extract.exe and taskkill.exe. Persistence is achieved using scheduled tasks and the system registry.

Kaspersky Lab noted that this is part of a larger trend for attackers to leverage native applications to simplify malware and complicate attribution.

Denis Legezo, security researcher at Kaspersky Lab, said: "When we talk about likely state-sponsored cyber-espionage campaigns, people often imagine advanced operations with complex tools developed by experts.

"However, the people behind this spyware campaign look more like system administrators than sophisticated threat actors: they know how to code, but their campaign relies more on the creative use of tools that exist already, than on new, advanced features or elaborate architecture of the code."

Remexi has been attributed to the Chafer APT group by Symantec based on the fact that one of the human-readable encryption keys is ‘salamati’ which means health in Farsi. A Windows user name was also identified in the code – "Mohamadreza New" or Mohammad Reza – a name that crops up twice on the FBI’s list of wanted cyber-criminals.

FireEye said that APT39 differs from Chafer in its use of the Seaweed and Cachemoney backdoors. Links between APT39 and APT34 are indicated by the use of the Powbat backdoor, but they are also judged to be separate groups because the versions of Powbat they use are distinct from each other.

FireEye speculated that at least at some level the two groups work together or share resources.

The attack lifecycle, according to FireEye, typically comprises a spear-phishing email that links to a look-alike website that infects the victim with Powbat.

The attackers then leverage their backdoor to run openly available tools such as Mimikatz and Ncrack or native applications Windows Credential Editor and ProcDump to escalate privileges. It then uses a range of tools to reconnoiter the victim’s computer and exfiltrate data.

FireEye’s report said: "APT39's activity showcases Iran's potential global operational reach and how it uses cyber operations as a low-cost and effective tool to facilitate the collection of key data on perceived national security threats and gain advantages against regional and global rivals." 

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews