Overview
Chafer APT is a threat group with an apparent Iranian link. It is known to be active since 2014, focusing on cyber espionage campaigns. Bitdefender has spotted the group targeting critical infrastructure from the Middle East, presumably for intelligence gathering.
Bitdefender researchers have found attacks conducted by this actor in the Middle East region, dating back to 2018. The campaigns relied on several tools, including “living off the land” tools, which make attribution difficult, as well as various hacking tools and a custom-built backdoor.
Victims of the analyzed campaigns fit into the pattern preferred by this actor, such as air transport and government sectors in the Middle East.
Key Findings:
- Campaign targeted air transportation and government
- Attacker activity occurred on weekends
- In the Kuwait attack, threat actors created their own user account
- The Saudi Arabia attack relied on social engineering to compromise victims
- The end goal of both attacks was likely data exploration and exfiltration
Attack Lifecycle
Reviewing telemetry regarding this threat, we have identified victims from two countries, Kuwait and Saudi Arabia.
The modus operandi in these countries shares some common stages, but the attacks seem more focused and sophisticated on victims from Kuwait.
All the tools mentioned below will be detailed in the next section, Tools Arsenal.
Kuwait attack chain
The first signs of compromise were several reverse TCP files and PowerShell commands that executed base64-encoded, compressed code specific to the Metasploit framework. Although this remains speculative, it is possible that the threat actors used tainted documents carrying shellcode to compromise the victim, potentially disseminated through spearphishing emails.
Once the victims were compromised, attackers started to bring in reconnaissance tools for network scanning (“xnet.exe”, “shareo.exe”) and credential gathering (such as “mnl.exe” or “mimi32.exe”), or tools with multiple functionalities (user enumeration, share listing, credential harvesting and so on). This arsenal of tools helped attackers move laterally inside the networks. Several methods were observed for this operation: either psexec for remote service installation (also used by one of their custom tools, “step-1.exe”), or the RDP protocol, indicated by unusual activity outside working hours and the presence of tools such as “rdpwinst.exe”.
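The three behaviours described above (PowerShell executing base64-encoded, compressed code; psexec-style remote service installation; and RDP activity outside working hours, echoing the weekend activity noted in the key findings) can each be expressed as a detection rule over endpoint telemetry. The following is an added example, not code from the report or from Bitdefender: it runs simple rules over a handful of constructed process-creation and logon events and decodes any `-EncodedCommand` argument so an analyst can see what the loader does. The working-hours window (Mon-Fri, 07:00-19:00) and all sample events are assumptions constructed for the example.

```python
import base64
import re
from datetime import datetime

# Assumed working-hours window for the "activity outside working hours" rule.
# Constructed assumption for this example, not a value from the report.
WORK_START_HOUR, WORK_END_HOUR = 7, 19

# PowerShell's -EncodedCommand switch and its abbreviations, followed by base64.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Constructs typical of decompress-and-execute loaders (Metasploit-style stagers).
LOADER_RE = re.compile(
    r"FromBase64String|IO\.Compression\.(?:Gzip|Deflate)Stream|Invoke-Expression|\bIEX\b",
    re.I,
)
# psexec client/service names, or sc.exe creating a service on a remote host.
PSEXEC_RE = re.compile(r"psexe(?:c|svc)|sc(?:\.exe)?\s+\\\\\S+\s+create", re.I)
RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive (RDP)


def decode_encoded_command(cmdline):
    """Return the cleartext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_off_hours(ts):
    """True on weekends or outside the assumed working-hours window."""
    return ts.weekday() >= 5 or not (WORK_START_HOUR <= ts.hour < WORK_END_HOUR)


def classify_event(event):
    """Return the list of detection tags that apply to a single event."""
    tags = []
    cmd = event.get("cmdline", "")
    image = event.get("image", "").lower()
    decoded = decode_encoded_command(cmd) if "powershell" in image else None
    if decoded is not None and LOADER_RE.search(decoded):
        tags.append("encoded_powershell_loader")
    elif "powershell" in image and LOADER_RE.search(cmd):
        tags.append("powershell_loader")
    if PSEXEC_RE.search(cmd) or image.endswith("psexesvc.exe"):
        tags.append("psexec_service_install")
    if event.get("logon_type") == RDP_LOGON_TYPE:
        tags.append("rdp_logon")
    # Timing only matters once something suspicious was seen; weekend RDP alone is noisy.
    if tags and is_off_hours(event["time"]):
        tags.append("off_hours")
    return tags


def scan(events):
    """Run every event through the rules and return only the ones that matched."""
    hits = []
    for ev in events:
        tags = classify_event(ev)
        if tags:
            hits.append({"time": ev["time"], "user": ev["user"], "tags": tags})
    return hits


def build_sample_events():
    """Constructed sample telemetry for the example (not from the report)."""
    ps_path = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    # A loader-shaped one-liner, encoded the way PowerShell expects: base64 of UTF-16LE.
    loader = ("IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
              "$stream, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")
    encoded = base64.b64encode(loader.encode("utf-16-le")).decode()
    return [
        # Saturday 02:14: hidden PowerShell with an encoded loader
        {"time": datetime(2018, 6, 2, 2, 14), "user": "svc_backup", "image": ps_path,
         "cmdline": f"powershell.exe -nop -w hidden -enc {encoded}"},
        # Sunday 23:40: psexec's service binary started on the host
        {"time": datetime(2018, 6, 3, 23, 40), "user": "SYSTEM",
         "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
        # Saturday 21:30: RDP logon (logon type 10)
        {"time": datetime(2018, 6, 2, 21, 30), "user": "jdoe", "image": "",
         "cmdline": "", "logon_type": RDP_LOGON_TYPE},
        # Monday 10:05: ordinary administrative PowerShell, should not fire
        {"time": datetime(2018, 6, 4, 10, 5), "user": "admin", "image": ps_path,
         "cmdline": "powershell.exe -Command Get-Service"},
    ]


if __name__ == "__main__":
    for hit in scan(build_sample_events()):
        print(hit["time"], hit["user"], ", ".join(hit["tags"]))
```

Decoding the `-enc` argument before matching matters: the loader keywords never appear in the raw command line, so a rule that only inspects the visible arguments would miss the first event entirely. The `off_hours` tag is deliberately applied only to events that already matched another rule, which keeps legitimate weekend remote work from flooding the queue while still surfacing the pattern the report describes.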
Download the whitepaper to find out more.