A cyberespionage campaign targeted Iranian IP addresses late last year, with the goal of infecting victims with an updated version of Remexi backdoor malware, researchers have reported. Some of these IP addresses belong to foreign diplomatic entities located within Iran’s borders.
Remexi is typically associated with a reputed Iranian APT group known as Chafer. Its use in the 2018 campaign suggests that Iranian actors may have executed a domestic espionage operation against entities within its own borders, researchers with Kaspersky Lab are reporting.
Kaspersky originally analyzed the threat back in autumn of 2018, before privately sharing an intelligence report with its customers in November. But today Kaspersky publicly shared its findings in a blog post authored by Denis Legezo, security researcher with the company’s Global Research and Analysis Team (GReAT).
Although Remexi originally dates back to at least 2015, the version Kaspersky analyzed had a March 2018 compilation time stamp. According to Kaspersky, Remexi’s spyware capabilities include capturing keystrokes, screenshots, credentials, and browser data such as cookies and history, and then communicating this data to the attackers.
Moreover, “the attackers rely heavily on Microsoft technologies on both the client and server sides,” Legezo writes. “The Trojan uses standard Windows utilities like Microsoft Background Intelligent Transfer Service (BITS) bitsadmin.exe to receive commands and exfiltrate data,” and the C&C architecture “is based on IIS using .asp technology to handle the victims’ HTTP requests.”
Kaspersky found no conclusive evidence pointing to how Remexi was spread. However, in one instance of infection, researchers were able to establish a connection between Remexi and an AutoIT script compiled as a PE file. Kaspersky believes this executable may have been a dropper that used an FTP with hard-coded credentials to receive the Remexi payload.