A hacker group widely believed to have ties to the Iranian government has targeted air transport and government agencies in Kuwait and Saudi Arabia with cyber espionage campaigns going back to 2018, according to recent research by Bitdefender.
Bitdefender said the espionage operations were conducted by Chafer APT (aka APT39 or Remix Kitten), a threat actor known for its attacks on the telecommunication and travel industries in the Middle East to collect personal information that serves Iran's geopolitical interests.
In one instance, the operation lasted more than one and a half years and involved the use of various tools for persistence and lateral movement, as well as “living off the land” tools and custom-built tools, making it hard to attribute the attack to a specific threat actor.
“Some traces indicate that the goal of the attack was data exploration and exfiltration (on some of the victims, tools such as Navicat and Winscp, found in an unusual location, namely ‘%WINDOWS%\ime\en-us-ime’, or SmartFtpPasswordDecryptor were present on their systems),” the researchers said.
According to Bitdefender, the threat actor likely used malicious documents with shellcodes delivered via spear phishing emails to compromise victims’ systems.
Once the victims were compromised, the attackers used reconnaissance tools for network scanning (“xnet.exe”, “shareo.exe”) and credential gathering (such as “mnl.exe” or “mimi32.exe”), or tools such as CrackMapExec (for user enumeration, share listing, credential harvesting and so on) to move laterally through the network. The attackers then installed a modified Plink module (wehsvc.exe) and a backdoor (imjpuexa.exe).
“During our investigation, on some of the compromised stations we observed some unusual behavior performed under a certain user account, leading us to believe the attackers managed to create a user account on the victims’ machines and performed several malicious actions inside the network, using that account,” the researchers said.
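The indicators the article names (tool file names, the unusual IME drop directory, and a newly created account that is then used inside the network) are the kind a defender would sweep for after reading this report. The script below is an added example written for this page, not Bitdefender's code: it flags file events by the names and path reported above, and correlates Windows Security events 4720 (user account created) and 4624 (logon) to surface an account that is created and then used. The event record formats and all sample events are constructed; a name match is a triage lead, since plink and Winscp also have legitimate uses.

```python
"""Triage helpers for the Chafer indicators described in the article.
Added example for this page, not Bitdefender's code. The event record
shapes and the sample events below are constructed for illustration."""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# File names reported in the article, with the role the researchers assigned.
# Treat a match as a lead to confirm (hash, signer, parent process), not proof.
TOOL_NAMES = {
    "xnet.exe": "network scanning",
    "shareo.exe": "network scanning",
    "mnl.exe": "credential gathering",
    "mimi32.exe": "credential gathering",
    "wehsvc.exe": "modified Plink",
    "imjpuexa.exe": "backdoor",
}
# Directory in which the researchers found Navicat / Winscp; no ordinary
# installer places admin tools here.
SUSPICIOUS_DIR = r"\ime\en-us-ime"


@dataclass(frozen=True)
class Finding:
    host: str
    detail: str
    reason: str


def check_file_event(host: str, path: str) -> Optional[Finding]:
    """Flag one file path by known tool name or by the unusual IME directory."""
    p = path.lower().replace("%windows%", r"c:\windows")  # %WINDOWS% as written in the report
    name = ntpath.basename(p)
    if name in TOOL_NAMES:
        return Finding(host, path, f"known Chafer tool name ({TOOL_NAMES[name]})")
    if ntpath.dirname(p).endswith(SUSPICIOUS_DIR):
        return Finding(host, path, "file dropped in unusual IME directory")
    return None


def scan_file_events(events: Iterable[Tuple[str, str]]) -> List[Finding]:
    """events: (host, path) pairs, e.g. from a file-creation telemetry feed."""
    return [f for f in (check_file_event(h, p) for h, p in events) if f]


def find_used_new_accounts(security_events: Iterable[dict]) -> List[Finding]:
    """Correlate Security log records: 4720 (account created) followed later by
    4624 (logon) with the same account name on any host. Each record is a dict
    with 'id', 'host' and 'account' (target of 4720 / logging-on user of 4624).
    """
    created = {}
    findings = []
    for ev in security_events:
        acct = ev["account"].lower()
        if ev["id"] == 4720:
            created[acct] = ev["host"]
        elif ev["id"] == 4624 and acct in created:
            findings.append(Finding(ev["host"], ev["account"],
                                    f"logon with account created on {created[acct]}"))
    return findings


# Constructed sample data (not from the report).
SAMPLE_FILE_EVENTS = [
    ("WS-01", r"C:\Program Files\WinSCP\WinSCP.exe"),     # normal install location: no finding
    ("WS-01", r"%WINDOWS%\ime\en-us-ime\winscp.exe"),     # same tool, unusual location
    ("WS-02", r"C:\Users\Public\mimi32.exe"),
    ("SRV-03", r"C:\Windows\System32\wehsvc.exe"),
    ("SRV-03", r"C:\Windows\System32\svchost.exe"),
]
SAMPLE_SECURITY_EVENTS = [
    {"id": 4720, "host": "WS-02", "account": "svc_backup"},
    {"id": 4624, "host": "WS-02", "account": "alice"},
    {"id": 4624, "host": "SRV-03", "account": "svc_backup"},
]

if __name__ == "__main__":
    for f in scan_file_events(SAMPLE_FILE_EVENTS) + find_used_new_accounts(SAMPLE_SECURITY_EVENTS):
        print(f"{f.host}: {f.detail} -> {f.reason}")
```

The path check expands `%WINDOWS%` before comparing so that telemetry which reports the literal variable and telemetry which reports the resolved path both match; the account correlation keeps only creation events seen in the stream, so a pre-existing account logging on does not fire.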
While the intelligence-gathering campaigns against entities in Kuwait and Saudi Arabia bear multiple similarities and share some common stages, the attacks on victims in Kuwait appear more focused and sophisticated, the researchers noted.
The attack against a Saudi Arabian entity involved the use of social engineering to trick the victim into running a remote administration tool (RAT).
“The case investigated in Saudi Arabia was not as elaborate, either because the attackers did not manage to further exploit the victim, or because the reconnaissance revealed no information of interest,” the report reads.
“While this attack was not as extensive as the one in Kuwait, some forensic evidence suggests that the same attackers might have orchestrated it. Despite the evidence for network discovery, we were not able to find any traces for lateral movement, most probably because threat actors were not able to find any vulnerable machines.”