Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia

Bitdefender
May 22, 2020

Whitepaper Details

Overview

Chafer APT is a threat group with an apparent Iranian link. It is known to be active since 2014, focusing on cyber espionage campaigns. Bitdefender has spotted the group targeting critical infrastructure from the Middle East, presumably for intelligence gathering.

Bitdefender researchers have found attacks conducted by this actor in the Middle East region, dating back to 2018. The campaigns were based on several tools, including “living off the land” tools, which makes attribution difficult, as well as various hacking tools and a custom-built backdoor.

Victims of the analyzed campaigns fit into the pattern preferred by this actor, such as air transport and government sectors in the Middle East.

Key Findings:

  • Campaign targeted air transportation and government
  • Attacker activity occurred on weekends
  • In the Kuwait attack, threat actors created their own user account
  • The Saudi Arabia attack relied on social engineering to compromise victims
  • The end goal of both attacks was likely data exploration and exfiltration

Attack Lifecycle

Reviewing telemetry regarding this threat, we have identified victims from two countries, Kuwait and Saudi Arabia.

The modus operandi in these countries shares some common stages, but the attacks seem more focused and sophisticated against victims from Kuwait.

All the tools mentioned below will be detailed in the next section, Tools Arsenal.

Kuwait attack chain

The first signs of compromise were several reverse TCP files and PowerShell commands that executed base64-encoded, compressed code specific to the Metasploit framework. Although difficult to confirm, it’s possible that the threat actors used tainted documents carrying shellcode to compromise the victim, potentially disseminated through spearphishing emails.

Once the victims were compromised, attackers started to bring in reconnaissance tools for network scanning (“xnet.exe”, “shareo.exe”) and credential gathering (such as “mnl.exe” or “mimi32.exe”), or tools with multiple functionalities (user enumeration, share listing, credential harvesting and so on). This arsenal of tools helped attackers move laterally inside the networks. Several methods were observed for this operation, either by using psexec for remote service installation (also used by one of their custom tools, “step-1.exe”), or through the RDP protocol, as indicated by unusual activity outside working hours and the presence of tools such as “rdpwinst.exe”.
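The three observable traits described above (encoded Metasploit-style PowerShell launches, RDP logons outside working hours, and psexec-style remote service installation on weekends) can be turned into a simple triage pass over endpoint events. The following is an added example, not code from the whitepaper or from Bitdefender, run over constructed sample events; it assumes working hours of 08:00 to 18:00 Monday to Friday and Windows logon type 10 for RDP.

```python
import re
from datetime import datetime

# Constructed sample events (not from the whitepaper): (ISO timestamp, host, kind, detail)
SAMPLE_EVENTS = [
    ("2018-03-10T02:14:00", "WS01", "process",
     "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"),  # placeholder base64
    ("2018-03-10T02:20:00", "WS01", "logon", "type=10 user=svc_backup"),       # Saturday night RDP
    ("2018-03-13T10:05:00", "WS02", "logon", "type=10 user=jdoe"),             # Tuesday morning RDP
    ("2018-03-13T10:06:00", "WS02", "process", "notepad.exe report.txt"),
    ("2018-03-11T23:40:00", "SRV01", "service_install", "remote service installed"),  # Sunday
]

# Assumed working hours: 08:00 to 17:59, Monday to Friday (tune per organisation)
BUSINESS_HOURS = range(8, 18)

# powershell[.exe] ... -e/-ec/-enc/-EncodedCommand <base64 blob of 20+ chars>
ENCODED_PS = re.compile(
    r"\bpowershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)


def outside_working_hours(ts: str) -> bool:
    """True on weekends (Sat/Sun) or outside BUSINESS_HOURS on a weekday."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or t.hour not in BUSINESS_HOURS


def classify(event) -> list:
    """Return the detection labels that apply to one event (empty if nothing matched)."""
    ts, _host, kind, detail = event
    reasons = []
    if kind == "process" and ENCODED_PS.search(detail):
        reasons.append("encoded-powershell")           # Metasploit-style stager launch
    if kind == "logon" and "type=10" in detail and outside_working_hours(ts):
        reasons.append("rdp-logon-off-hours")          # lateral movement over RDP
    if kind == "service_install" and outside_working_hours(ts):
        reasons.append("service-install-off-hours")    # psexec-style remote service
    return reasons


def find_suspicious(events) -> list:
    """Flatten (timestamp, host, label) for every flagged event, in input order."""
    return [(e[0], e[1], label) for e in events for label in classify(e)]


if __name__ == "__main__":
    for ts, host, label in find_suspicious(SAMPLE_EVENTS):
        print(f"{ts} {host}: {label}")
```

Only the weekend RDP logon, the encoded PowerShell launch and the Sunday service installation are flagged; the Tuesday-morning RDP session passes, which is the point of keying the RDP rule on working hours rather than on RDP alone.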

Download the whitepaper to find out more.
