Iran APT Group Targets Foreign Embassies


Security researchers have uncovered a new cyber-espionage campaign against foreign diplomats in Iran, using malware linked to a well-known APT group.

Kaspersky Lab researcher Denis Legezo claimed the campaign was indicative of hackers in emerging regions using “homebrew” malware combined with publicly available tools.

In this case the attackers use an improved version of the Remexi backdoor, first reported in 2015, which can harvest keystrokes, take screenshots, steal credentials, logins and browser history, and execute remote commands.

Data is exfiltrated using the legitimate Windows Background Intelligent Transfer Service (BITS), a built-in component that normally handles downloads such as Windows Update, so the traffic blends in with ordinary system activity. Reusing it saves the group time and money and complicates attribution efforts, Kaspersky Lab claimed.
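The BITS abuse described above lends itself to a host-side check: on Windows, every queued job, its owner, its transfer direction and its remote URL can be enumerated. The PowerShell below is an added example written for this page, not code from Kaspersky Lab or from the article. It assumes a corporate allow-list of hosts BITS is expected to talk to, and it uses constructed sample jobs shaped like Get-BitsTransfer output so it runs offline; the addresses, account names and paths in the samples are illustrative, not indicators from the report.

```powershell
# Added example (not from the Kaspersky report or this article): triage BITS jobs for the
# upload-style abuse the report describes. The allow-list, the sample jobs and the
# heuristics below are assumptions for illustration.

function Get-BitsJobFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Jobs,
        # Assumed allow-list of hosts BITS is expected to reach; adjust per environment
        [string[]] $TrustedHosts = @('microsoft.com', 'windowsupdate.com', 'corp.example')
    )
    foreach ($job in $Jobs) {
        $reasons = @()

        # Remexi-style exfiltration pushes data out, so upload jobs are the first thing to look at
        if ($job.TransferType -match 'Upload') { $reasons += "transfer type $($job.TransferType)" }

        # Built-in Windows jobs normally carry a name; an empty one is worth a look
        if ([string]::IsNullOrWhiteSpace($job.DisplayName)) { $reasons += 'empty job name' }

        foreach ($file in $job.FileList) {
            $uri = $null
            if (-not [System.Uri]::TryCreate($file.RemoteName, [System.UriKind]::Absolute, [ref]$uri)) {
                $reasons += "unparseable remote name $($file.RemoteName)"
                continue
            }
            $h = $uri.Host
            $trusted = $TrustedHosts | Where-Object { $h -eq $_ -or $h.EndsWith(".$_") }
            if (-not $trusted) { $reasons += "remote host not on allow-list: $h" }
            if ($uri.HostNameType -in 'IPv4', 'IPv6') { $reasons += "remote name is a raw IP: $h" }
            if ($uri.Scheme -eq 'http') { $reasons += 'cleartext HTTP' }
            # Staged loot (keystrokes, screenshots) typically lives in a scratch directory
            if ($file.LocalName -match '\\AppData\\Local\\Temp\\|\\Users\\Public\\') {
                $reasons += "local file in a scratch directory: $($file.LocalName)"
            }
        }

        [pscustomobject]@{
            JobId      = $job.JobId
            Owner      = $job.OwnerAccount
            Name       = $job.DisplayName
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Constructed sample jobs shaped like Get-BitsTransfer output, so the function can be
# exercised offline; the job IDs, account names, IP and paths are illustrative only
$sampleJobs = @(
    [pscustomobject]@{
        JobId        = '11111111-1111-1111-1111-111111111111'
        DisplayName  = 'Windows Update'
        TransferType = 'Download'
        OwnerAccount = 'NT AUTHORITY\SYSTEM'
        FileList     = @([pscustomobject]@{ RemoteName = 'https://dl.delivery.mp.microsoft.com/pkg.cab'
                                            LocalName  = 'C:\Windows\SoftwareDistribution\Download\pkg.cab' })
    },
    [pscustomobject]@{
        JobId        = '22222222-2222-2222-2222-222222222222'
        DisplayName  = ''
        TransferType = 'Upload'
        OwnerAccount = 'CORP\jdoe'
        FileList     = @([pscustomobject]@{ RemoteName = 'http://203.0.113.10/inbox/keys.txt'
                                            LocalName  = 'C:\Users\jdoe\AppData\Local\Temp\keys.txt' })
    }
)

# Only the second sample is flagged: upload, empty name, raw cleartext IP, file staged in %TEMP%
Get-BitsJobFindings -Jobs $sampleJobs | Where-Object Suspicious | Format-List

# On a live host, from an elevated prompt, feed the real queue instead:
# Get-BitsJobFindings -Jobs (Get-BitsTransfer -AllUsers) | Where-Object Suspicious
```

Two points a responder should keep in mind. BITS jobs run in the security context of the account that created them and persist across reboots, so an unprivileged user session is enough to queue an upload, and the job is still in the queue for you to inspect after the operator has logged off; `bitsadmin /list /allusers /verbose` shows the same queue. The client's operational log (`Microsoft-Windows-Bits-Client/Operational`, events 59 and 60) records the job name and URL each time a transfer starts and stops, which makes `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Bits-Client/Operational'; Id=59,60}` a useful retrospective source once a suspect destination is known.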

“When we talk about likely state-sponsored cyber-espionage campaigns, people often imagine advanced operations with complex tools developed by experts. However, the people behind this spyware campaign look more like system administrators than sophisticated threat actors: they know how to code, but their campaign relies more on the creative use of tools that exist already, than on new, advanced features or elaborate architecture of the code,” Legezo argued.

“However, even relatively simple tools can cause significant damage so we urge organizations to protect their valuable information and systems against all levels of threats, and to use threat intelligence to understand how the landscape is evolving,” he added.

There is no word yet on how the malware is being delivered, although it has been linked to a Farsi-speaking APT group known as Chafer, whose activity dates back to at least 2014.

The group is known to focus on domestic targets, although going after foreign embassies within the Islamic Republic represents a new approach.

Legezo urged organizations to arm themselves with corporate-grade security that includes the ability to detect targeted attacks, enhanced security awareness training for employees, and up-to-date threat intelligence data.
