Severity
High
Analysis Summary
The Iranian Chafer APT targeted air transportation and government entities in Kuwait and Saudi Arabia in two different campaigns; the likely goal of both was data exploration and exfiltration. In the Kuwait attack, the threat actors created their own user account, while in the Saudi Arabia attack they relied on social engineering to compromise victims.
Kuwait attack
The first signs of compromise were several reverse TCP files and PowerShell commands that executed base64-encoded, compressed code specific to the Metasploit framework. Once the victims were compromised, the attackers started to bring in reconnaissance tools for network scanning (“xnet.exe”, “shareo.exe”) and credential gathering (such as “mnl.exe” or “mimi32.exe”), as well as tools with multiple functionalities, such as CrackMapExec (for user enumeration, share listing, credential harvesting and so on). Once they had gained a foothold inside the company, they started to install custom modules: a modified Plink (wehsvc.exe) installed as a service, and a backdoor (imjpuexa.exe), which was also executed as a service on some machines.
Saudi Arabia attack
The initial compromise was achieved through social engineering. The RAT component was located in the %Download% folder, which is the default folder for any download process, while its parent process was explorer.exe, indicating that the user executed the malicious file. The RAT was also executed twice, under different names (“drivers.exe” and “drivers_x64.exe”). Internal network reconnaissance appears to have been performed using the “etblscanner.exe” tool. We also spotted the use of three different RAT components.
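The behaviours described for both campaigns (an encoded PowerShell command that decodes and decompresses a payload in memory, the named reconnaissance and credential tools, a binary registered as a service, and an executable launched by the user from the Downloads folder with explorer.exe as its parent) can be turned into simple process-creation detections. The following is an added example written for this advisory, not Rewterz's or any vendor's detection code. The event record layout, the field names and the sample events are constructed assumptions loosely modelled on Sysmon process-creation events; the binary names are the ones the advisory lists.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Tool, backdoor and RAT file names named in the advisory (both campaigns).
SUSPICIOUS_IMAGES = {
    "xnet.exe", "shareo.exe", "mnl.exe", "mimi32.exe",
    "wehsvc.exe", "imjpuexa.exe", "drivers.exe", "drivers_x64.exe",
    "etblscanner.exe",
}

# PowerShell's encoded-command switch and its accepted abbreviations.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")


@dataclass
class ProcessEvent:
    """Minimal process-creation record (constructed; field names are assumptions)."""
    image: str          # full path of the started process
    parent_image: str   # full path of the parent process
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def powershell_decoded_payload(command_line: str) -> Optional[str]:
    """Return the decoded script when PowerShell is run with -EncodedCommand
    (base64 of UTF-16LE text), otherwise None."""
    if "powershell" not in command_line.lower():
        return None
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(event: ProcessEvent) -> List[str]:
    """Return the list of advisory-derived findings for one event (empty if benign)."""
    hits: List[str] = []
    name = _basename(event.image)
    parent = _basename(event.parent_image)
    cl = event.command_line.lower()

    if name in SUSPICIOUS_IMAGES:
        hits.append(f"known tool/backdoor name: {name}")

    decoded = powershell_decoded_payload(event.command_line)
    if decoded is not None:
        low = decoded.lower()
        # Decode + decompress + Invoke-Expression is the in-memory stager pattern
        # the advisory attributes to Metasploit-generated PowerShell.
        if any(k in low for k in ("frombase64string", "gzipstream", "iex", "invoke-expression")):
            hits.append("powershell encoded command decoding/decompressing a payload in memory")
        else:
            hits.append("powershell encoded command")

    # User double-clicked something in the Downloads folder (parent explorer.exe).
    if parent == "explorer.exe" and "\\downloads\\" in event.image.lower():
        hits.append("user-launched executable from Downloads")

    # Service registration (sc.exe create ...) pointing at one of the named binaries.
    if name == "sc.exe" and " create " in cl and any(t in cl for t in SUSPICIOUS_IMAGES):
        hits.append("service created for known tool/backdoor binary")
    return hits


def scan(events: List[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """Run detect() over a batch; return (index, findings) for events that fired."""
    return [(i, h) for i, e in enumerate(events) if (h := detect(e))]


# Constructed sample events. The encoded script is built at runtime so the
# example stays readable; it is the well-known stager wrapper with a placeholder
# instead of any real payload.
_STAGER = ("IEX (New-Object IO.StreamReader((New-Object IO.Compression.GzipStream("
           "[IO.MemoryStream][Convert]::FromBase64String('PLACEHOLDER'),"
           "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()")
_STAGER_B64 = base64.b64encode(_STAGER.encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "powershell.exe -nop -w hidden -enc " + _STAGER_B64),
    ProcessEvent(r"C:\Users\alice\Downloads\drivers.exe",
                 r"C:\Windows\explorer.exe",
                 r'"C:\Users\alice\Downloads\drivers.exe"'),
    ProcessEvent(r"C:\Windows\System32\sc.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'sc.exe create wehsvc binPath= "C:\Windows\wehsvc.exe" start= auto'),
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe",
                 "notepad.exe"),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].image, "->", "; ".join(findings))
```

The name-based rules are the cheapest and the easiest for an attacker to sidestep by renaming files, so the encoded-command decoding and the Downloads-plus-explorer.exe parentage checks are the ones worth keeping even after the listed file names go stale.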
Impact
Data exfiltration
Indicators of Compromise
MD5
- efbd849619aee8bd3429dd9ccb2a1995
- dd9589b206791307d25e63d793c2ca31
- dc5695024cd23c90883db145cb236490
- d0e74da12c5e8d35f6db1ae0c60748b7
- 894fd325751465d6f48c17106a1a91d1
SHA-256
- 5ee9873c3c8684ac097bd28d3caf4264c6da6aa6acfeb8f6e72f1a99215a4be8
- 710e32af0d41a6701d57337701b091b158add04a601b68cca67a808bdd87d881
- d965352c6632e694b8f1f62f96874bd0df8d7c128c465ee9a76eb86ebddb0c02
- 11dbfb390f7008524e523da7d0cda61723584082fc91ff96d1148c4aac6198a0
- c839e886b98d2c752a134e888dad40799cd9966f8a73b51edc85ca2d72f99616
- 144a160c57c2d429d072046edfdd1b44ff22bcae4f0535732f6c2b19190f2f35
- 508ba7971b1f7651ba7d26815f75d66977820bd4eb3a615e3ab7079058d80380
- f991cadf11c5075f0ed6f381dfdac311cf59480962debf8b874f95e9bee5c4f2
- 021813c78cf31b0d7e77b40374347d8ed4e5a5ca69a7fc29bbc7bff969c09f3c
- b297a0b2e775f096d9ebda6130abbb5ec59813c7703159ea191b47d7b7293e1e
- a1f5c72721f9aa2ca29f1de7645a64b505c05dcd53dbdd7b9e904b1627c6d578
- 98a9b2329eefe618daa78b6afed82cebf40cb918ad0aae7a8d7f59af4cb13b41
SHA1
- aa0992ad9203168184a0f41e40ac901ec3f68afb
- 1b3c5d8a2844b6e0c839a670065e59a7cee05474
- 8eb9bfc25faf12ce359cef2fbddb8db4d9f5bfd7
- b90205c684255ac11e0384af1fc7718573754f68
- 06461f22ef82e993f055024891ff735c910421ad
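The hash indicators above are meant to be matched against files on endpoints and file shares. The script below is an added example of that check, written for this advisory rather than taken from Rewterz; it embeds the MD5, SHA1 and SHA-256 values listed on this page and hashes files in all three algorithms so a match in any one of them is reported. The directory walk, the chunk size and the sample in-memory files are assumptions.

```python
import hashlib
from pathlib import Path
from typing import Dict, List

# Indicators exactly as listed in this advisory.
IOC_MD5 = {
    "efbd849619aee8bd3429dd9ccb2a1995", "dd9589b206791307d25e63d793c2ca31",
    "dc5695024cd23c90883db145cb236490", "d0e74da12c5e8d35f6db1ae0c60748b7",
    "894fd325751465d6f48c17106a1a91d1",
}
IOC_SHA1 = {
    "aa0992ad9203168184a0f41e40ac901ec3f68afb", "1b3c5d8a2844b6e0c839a670065e59a7cee05474",
    "8eb9bfc25faf12ce359cef2fbddb8db4d9f5bfd7", "b90205c684255ac11e0384af1fc7718573754f68",
    "06461f22ef82e993f055024891ff735c910421ad",
}
IOC_SHA256 = {
    "5ee9873c3c8684ac097bd28d3caf4264c6da6aa6acfeb8f6e72f1a99215a4be8",
    "710e32af0d41a6701d57337701b091b158add04a601b68cca67a808bdd87d881",
    "d965352c6632e694b8f1f62f96874bd0df8d7c128c465ee9a76eb86ebddb0c02",
    "11dbfb390f7008524e523da7d0cda61723584082fc91ff96d1148c4aac6198a0",
    "c839e886b98d2c752a134e888dad40799cd9966f8a73b51edc85ca2d72f99616",
    "144a160c57c2d429d072046edfdd1b44ff22bcae4f0535732f6c2b19190f2f35",
    "508ba7971b1f7651ba7d26815f75d66977820bd4eb3a615e3ab7079058d80380",
    "f991cadf11c5075f0ed6f381dfdac311cf59480962debf8b874f95e9bee5c4f2",
    "021813c78cf31b0d7e77b40374347d8ed4e5a5ca69a7fc29bbc7bff969c09f3c",
    "b297a0b2e775f096d9ebda6130abbb5ec59813c7703159ea191b47d7b7293e1e",
    "a1f5c72721f9aa2ca29f1de7645a64b505c05dcd53dbdd7b9e904b1627c6d578",
    "98a9b2329eefe618daa78b6afed82cebf40cb918ad0aae7a8d7f59af4cb13b41",
}
IOC_SETS = {"md5": IOC_MD5, "sha1": IOC_SHA1, "sha256": IOC_SHA256}
CHUNK = 1 << 20  # read files 1 MiB at a time (assumed size)


def hash_bytes(data: bytes) -> Dict[str, str]:
    """All three digests of an in-memory blob, lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in IOC_SETS}


def hash_file(path: Path) -> Dict[str, str]:
    """All three digests of a file, streamed so large binaries do not load into memory."""
    hashers = {name: hashlib.new(name) for name in IOC_SETS}
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_hashes(digests: Dict[str, str]) -> List[str]:
    """Return the algorithm names whose digest appears in the advisory's indicator lists."""
    return [name for name, value in digests.items()
            if value.lower() in IOC_SETS.get(name, set())]


def scan_files(files: Dict[str, bytes]) -> List[dict]:
    """Scan an in-memory mapping of path -> content (used for offline testing)."""
    return [{"path": p, "matched": match_hashes(hash_bytes(c))} for p, c in files.items()]


def scan_directory(root: Path) -> List[dict]:
    """Walk a directory tree and report every file that matches an indicator."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            matched = match_hashes(hash_file(path))
        except OSError:
            continue  # unreadable or vanished file; skip rather than abort the sweep
        if matched:
            findings.append({"path": str(path), "matched": matched})
    return findings


# Constructed sample: benign content that must not match any indicator.
SAMPLE_FILES = {"C:\\Users\\alice\\Downloads\\readme.txt": b"constructed benign content\n"}

if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for f in scan_directory(root):
        print(f["path"], "matched on", ", ".join(f["matched"]))
```

Matching on all three algorithms matters because a file that is a different build of the same tool will usually match none of them; hash indicators only catch the exact samples analysed, so pair this sweep with the behavioural detections rather than treating a clean result as proof of absence.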
Remediation
Block all threat indicators at your respective controls.
Always be suspicious of emails sent by unknown senders.
Never click on links or attachments sent by unknown senders.