25 May 2020

Air transport and government agencies in Kuwait and Saudi Arabia targeted by Iranian-linked Chafer APT

A hacker group, widely believed to have ties to the Iranian government, has targeted air transport and government agencies in Kuwait and Saudi Arabia with cyber espionage campaigns going back to 2018, according to recent research carried out by Bitdefender experts.

Bitdefender said the espionage operations were conducted by Chafer APT (aka APT39 or Remix Kitten), a threat actor known for its attacks on the telecommunication and travel industries in the Middle East to collect personal information that serves Iran's geopolitical interests.

In one instance, the operation lasted more than a year and a half and involved the use of various tools for persistence and lateral movement, as well as "living off the land" tools and custom-built tools, making it hard to attribute the attack to a specific threat actor.

“Some traces indicate that the goal of the attack was data exploration and exfiltration (on some of the victim’s tools such as Navicat, Winscp, found in an unusual location, namely “%WINDOWS%\ime\en-us-ime”, or SmartFtpPasswordDecryptor were present on their systems),” the researchers said.

According to Bitdefender, the threat actor likely used malicious documents with shellcodes delivered via spear phishing emails to compromise victims’ systems.

Once the victims were compromised, the attackers used reconnaissance tools for network scanning ("xnet.exe", "shareo.exe") and credential gathering (such as "mnl.exe" or "mimi32.exe"), or tools such as CrackMapExec (for user enumeration, share listing, credential harvesting and so on) to move laterally through the network. The attackers then installed a modified Plink (wehsvc.exe) module and a backdoor (imjpuexa.exe).

“During our investigation, on some of the compromised stations we observed some unusual behavior performed under a certain user account, leading us to believe the attackers managed to create a user account on the victims’ machine and performed several malicious actions inside the network, using that account,” the researchers said.
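The tool names and the unusual staging directory quoted above, together with the observation that a newly created account was used to run them, translate directly into a simple host-level triage check. The following script is an added example written for this page, not code from Bitdefender or from the report; it walks a constructed process-creation log (the line format, host names, user names and timestamps are all invented for the example) and flags the executable names and the "%WINDOWS%\ime\en-us-ime" path named in the article, then lists which accounts launched anything that was flagged.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Executable names taken from the article's summary of the Bitdefender report.
SUSPICIOUS_IMAGE_NAMES = {
    "xnet.exe", "shareo.exe",   # network scanning / reconnaissance
    "mnl.exe", "mimi32.exe",    # credential gathering
    "wehsvc.exe",               # modified Plink
    "imjpuexa.exe",             # backdoor
}

# Unusual location where legitimate tools (Navicat, WinSCP, ...) were found staged.
UNUSUAL_DIR = r"\windows\ime\en-us-ime"

# Constructed log format for this example (hypothetical, not a real product format):
#   <timestamp> host=<name> user=<domain\user> image="<full path to executable>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image="(?P<image>[^"]+)"$'
)


@dataclass
class Finding:
    line_no: int
    user: str
    image: str
    reason: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines: List[str]) -> List[Finding]:
    """Flag process starts whose image name or image path matches the report's indicators."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than aborting the whole scan
        image = rec["image"]
        # Basename, normalised to lower case so the match is case-insensitive.
        name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in SUSPICIOUS_IMAGE_NAMES:
            findings.append(Finding(n, rec["user"], image, f"known Chafer tool name: {name}"))
        if UNUSUAL_DIR in image.lower():
            findings.append(Finding(n, rec["user"], image,
                                    "executable staged under %WINDOWS%\\ime\\en-us-ime"))
    return findings


def accounts_of_concern(lines: List[str]) -> Set[str]:
    """Accounts that launched at least one flagged executable (candidates for the
    attacker-created account the researchers describe)."""
    return {f.user for f in scan(lines)}


# Constructed sample log: one benign Office start, three events matching the
# article's indicators, a malformed line, and a benign system binary.
SAMPLE_LOG = [
    '2020-01-14T09:12:03Z host=WS-017 user=CORP\\j.doe image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"',
    '2020-01-14T09:12:41Z host=WS-017 user=CORP\\j.doe image="C:\\Windows\\Temp\\xnet.exe"',
    '2020-01-14T09:15:02Z host=WS-017 user=CORP\\svc_backup image="C:\\Windows\\ime\\en-us-ime\\WinSCP.exe"',
    '2020-01-14T09:16:10Z host=WS-017 user=CORP\\svc_backup image="C:\\Windows\\System32\\wehsvc.exe"',
    'malformed line that the parser must tolerate',
    '2020-01-14T09:20:00Z host=WS-017 user=CORP\\j.doe image="C:\\Windows\\System32\\notepad.exe"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} ({f.user} ran {f.image})")
    print("accounts to review:", sorted(accounts_of_concern(SAMPLE_LOG)))
```

The name-based match is deliberately the weakest signal here, since an attacker renames tools at will; the path check and the per-account roll-up are the parts worth carrying over to real telemetry, where the same idea applies to any executable written under a directory that should only ever hold input-method-editor files.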

While intelligence-gathering campaigns against entities in Kuwait and Saudi Arabia bear multiple similarities and share some common stages, attacks appear more focused and sophisticated on victims from Kuwait, the researchers noted.

The attack against a Saudi Arabian entity involved the use of social engineering to trick the victim into running a remote administration tool (RAT).

“The case investigated in Saudi Arabia was not as elaborate, either because the attackers did not manage to further exploit the victim, or because the reconnaissance revealed no information of interest,” the report reads.

“While this attack was not as extensive as the one in Kuwait, some forensic evidence suggests that the same attackers might have orchestrated it. Despite the evidence for network discovery, we were not able to find any traces for lateral movement, most probably because threat actors were not able to find any vulnerable machines.”
