Cyber espionage group targets embassies with spyware
Researchers from Kaspersky Lab have uncovered multiple attempts to infect foreign diplomatic entities in Iran with Homebrew spyware.
Homebrew is a free and open source software package management system.
According to Kaspersky, the attacks seem to be employing Remexi, a type of Trojan that opens a backdoor on the compromised machine.
Kaspersky Lab products detect the updated Remexi malware as Trojan.Win32.Remexi and Trojan.Win32.Agent.
However, several legitimate tools were also utilised during the campaign. The Remexi backdoor is linked to a suspected Farsi-speaking cyber espionage group known as Chafer, which in the past had been associated with cyber surveillance of individuals in the Middle East. The targeting of embassies could indicate the group has a new focus, the company adds.
"The operation highlights how threat actors in emerging regions are mounting campaigns against targets of interest using relatively basic Homebrew malware combined with publicly available tools. In this instance, the attackers used an improved version of the Remexi backdoor, a tool that enables remote administration of a victim's machine."
The researchers say Remexi was originally detected in 2015. The backdoor used in the new campaign shares code with known Remexi samples and targets similar victims, suggesting a link to Chafer.
The newly discovered Remexi malware can execute commands remotely and capture screenshots, browser data (including user credentials, login data and history), any typed text, and similar information.
Combining malware, legitimate code
The stolen data is exfiltrated using the legitimate Microsoft Background Intelligent Transfer Service application, a Windows component designed to enable background Windows updates.
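Because BITS is a legitimate Windows component, the defender's lever is not to block it but to baseline where BITS jobs transfer to and flag the outliers. The following Python script is an added example, not part of the Kaspersky report or this article: it parses a handful of constructed, simplified lines modelled on the Microsoft-Windows-Bits-Client/Operational "job started" and "job stopped" events (the real events are XML and are assumed here to carry the same job-name and URL fields), then reports started jobs whose destination host is not on an allowlist. The allowlist, the sample lines and the IP address are all constructed for the example.

```python
"""Flag BITS transfer jobs whose destination does not match a known-good baseline.

Added example (not from the original article or the Kaspersky report).
The log format below is a constructed, simplified rendering of BITS-Client
operational events: timestamp, event ID, message. Adapt parse_events() to
your own export (XML or CSV) while keeping the same fields.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist of hosts that legitimate BITS traffic is expected
# to reach. Build yours from a baseline of your own update/CDN traffic.
ALLOWED_HOSTS = {
    "windowsupdate.com",
    "update.microsoft.com",
}

# Constructed sample lines (not real events). 59 = job started, 60 = job stopped,
# matching the message wording of the BITS-Client operational log (assumed).
SAMPLE_LOG = """\
2019-01-30T10:02:11Z 59 BITS started the WindowsUpdate transfer job that is associated with the http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab URL.
2019-01-30T10:04:45Z 59 BITS started the svchost_upd transfer job that is associated with the http://203.0.113.25/up/collect.php URL.
2019-01-30T10:04:46Z 60 BITS stopped transferring the svchost_upd transfer job that is associated with the http://203.0.113.25/up/collect.php URL. The status code is 0x0.
2019-01-30T11:15:03Z 59 BITS started the Edge Update transfer job that is associated with the https://update.microsoft.com/edge/stable URL.
"""

# One regex covers both the "started" and "stopped transferring" wordings.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d+) BITS (?:started|stopped transferring) the "
    r"(?P<job>.+?) transfer job that is associated with the (?P<url>\S+) URL\."
)

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_events(text):
    """Turn log text into a list of dicts with ts, event_id, job and url."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": m["ts"],
                "event_id": int(m["eid"]),
                "job": m["job"],
                "url": m["url"],
            })
    return events


def host_allowed(url, allowed=ALLOWED_HOSTS):
    """True if the URL's host is an allowlisted domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == a or host.endswith("." + a) for a in allowed)


def find_suspicious(events, allowed=ALLOWED_HOSTS):
    """Return (job, url, reasons) for every started job (event 59) whose
    destination is off-baseline. A raw IP destination and cleartext HTTP are
    recorded as extra reasons because update traffic rarely looks like that."""
    findings = []
    for ev in events:
        if ev["event_id"] != 59 or host_allowed(ev["url"], allowed):
            continue
        parsed = urlparse(ev["url"])
        host = parsed.hostname or ""
        reasons = ["host not in allowlist"]
        if IPV4_RE.fullmatch(host):
            reasons.append("raw IP address")
        if parsed.scheme == "http":
            reasons.append("cleartext http")
        findings.append((ev["job"], ev["url"], reasons))
    return findings


if __name__ == "__main__":
    for job, url, reasons in find_suspicious(parse_events(SAMPLE_LOG)):
        print(f"SUSPICIOUS BITS job {job!r} -> {url} ({', '.join(reasons)})")
```

Only "job started" events are scored so that a job is reported once rather than on every state change; the "stopped" event for the same job is still parsed, which lets you join start and stop records to recover transfer duration and status if you extend the script. Subdomain matching is deliberate: Windows Update content is served from many hosts under the same parent domains, and an exact-host allowlist would generate noise.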
Denis Legezo, security researcher at Kaspersky Lab, says the trend towards combining malware with appropriated or legitimate code helps attackers save time and resources when creating malware and makes attribution more complicated.
"When we talk about likely state-sponsored cyber espionage campaigns, people often imagine advanced operations with complex tools developed by experts. However, the people behind this spyware campaign look more like system administrators than sophisticated threat actors," he explains.
Although they know how to code, their campaign depends largely on using existing tools creatively rather than on new, advanced features or an elaborate code architecture.
"However, even relatively simple tools can cause significant damage, so we urge organisations to protect their valuable information and systems against all levels of threats, and use threat intelligence to understand how the landscape is evolving," he concludes.