1 min read

Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia

Liviu ARSENE

May 21, 2020

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia

Bitdefender researchers have found attacks conducted by the Chafer APT threat group – known to have an apparent Iranian link – in the Middle East region, dating back to 2018. The campaigns were based on several tools, including “living off the land” tools, which makes attribution difficult, as well as different hacking tools and a custom built backdoor.

Victims of the analyzed campaigns fit into the pattern preferred by this actor, such as air transport and government sectors in the Middle East.

During one analyzed incident, the operation potentially lasted more than one and a half years, during which time the APT group deployed various tools for persistence and lateral movement.

Some of the most interesting findings of the investigation involve attacker activity that occurred during weekends and attacker-created user accounts, with a potential end goal of data exploration and exfiltration.

Key findings:

  • Campaign targeted air transportation and government
  • Attacker activity occurred on weekends
  • In the Kuwait attack, threat actors created their own user account
  • The Saudi Arabia attack relied on social engineering to compromise victims
  • The end goal of both attacks was likely data exploration and exfiltration

For the full report and the complete analysis of the analyzed components, please check the research paper available below. An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users.

Download the whitepaper

tags


Author



Right now

Top posts

LuminousMoth – PlugX, File Exfiltration and Persistence Revisited

LuminousMoth – PlugX, File Exfiltration and Persistence Revisited

July 21, 2021

9 min read
How We Tracked a Threat Group Running an Active Cryptojacking Campaign

How We Tracked a Threat Group Running an Active Cryptojacking Campaign

July 14, 2021

10 min read
A Note from the Bitdefender Labs Team on Ransomware and Decryptors

A Note from the Bitdefender Labs Team on Ransomware and Decryptors

May 26, 2021

2 min read
New Nebulae Backdoor Linked with the NAIKON Group

New Nebulae Backdoor Linked with the NAIKON Group

April 28, 2021

1 min read
Good riddance, GandCrab! We’re still fixing the mess you left behind.

Good riddance, GandCrab! We’re still fixing the mess you left behind.

June 17, 2019

5 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

LuminousMoth – PlugX, File Exfiltration and Persistence Revisited LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
Bogdan BOTEZATUVictor VRABIE
9 min read
Debugging MosaicLoader, One Step at a Time Debugging MosaicLoader, One Step at a Time
Janos Gergo SZELESBogdan BOTEZATU
1 min read
How We Tracked a Threat Group Running an Active Cryptojacking Campaign How We Tracked a Threat Group Running an Active Cryptojacking Campaign
Bitdefender

July 14, 2021

10 min read