Security Experts:

Connect with us

Hi, what are you looking for?



Iran-Linked Chafer Group Expands Toolset, Targets List

The Iran-based targeted attack group known as “Chafer” has been expanding its target list in the Middle East and beyond and adding new tools to its cyberweapon arsenal, Symantec warns.

The Iran-based targeted attack group known as “Chafer” has been expanding its target list in the Middle East and beyond and adding new tools to its cyberweapon arsenal, Symantec warns.

Last year, the group engaged in a series of ambitious new attacks, hitting a major telecom companies in the Middle East and also attempting to attack a major international travel reservations firm. Active since at least July 2014 and already detailed a couple of years ago, Chafer is mainly focused on surveillance operations and the tracking of individuals.

During 2017, the group used seven new tools, rolled out new infrastructure, and hit nine new organizations in Israel, Jordan, the United Arab Emirates, Saudi Arabia, and Turkey. Targets included airlines, aircraft services, software and IT services firms serving the air and sea transport sectors, telecoms, payroll services, engineering consultancies, and document management software companies.

The group also targeted an African airline and attempted to compromise an international travel reservations firm, Symantec discovered.

Last year, Chafer compromised a telecoms services provider in the Middle East, a company that sells solutions to multiple telecom operators in the region. The compromise could have potentially allowed the attackers to carry out surveillance on a vast pool of end-users.

In attacks observed in 2015, the group was attacking the web servers of organizations, likely through SQL injection attacks. Last year, the group also started using malicious documents to drop malware, likely sent via spear-phishing emails to individuals working in targeted organizations.

Said documents were Excel spreadsheets carrying a malicious VBS file that would run a PowerShell script to execute a dropper on the compromised machine. In turn, the dropper would install an information stealer, a screen capture utility, and an empty executable.

The screen capture tool only had a role in the initial information gathering stage, the information stealer targeted the contents of the clipboard, took screenshots, recorded keystrokes, and stole files and user credentials. Next, the attackers would download additional tools onto the infected computer and attempted lateral movement on the victim’s network.

Recently, Chafer employed seven new tools in addition to the malware already associated with the group. Most of these tools, Symantec points out, are freely available, off-the-shelf tools that have been put to a malicious use.

These include Remcom, an open-source alternative to PsExec; Non-sucking Service Manager (NSSM), an open-source alternative to the Windows Service Manager; a custom screenshot and clipboard capture tool; SMB hacking tools, including the EternalBlue exploit; GNU HTTPTunnel, an open-source tool to create a bidirectional HTTP tunnel on Linux computers; UltraVNC, an open-source remote administration tool for Windows; and NBTScan, a free tool for scanning IP networks for NetBIOS name information.

Additionally, the group continued to use tools such as its own custom backdoor Remexi, PsExec, Mimikatz, Pwdump, and Plink.

Chafer apparently used the tools in concert to traverse targeted networks. NSSM was recently adopted for persistence and to install a service to run Plink, which opens reverse SSH sessions to presumably gain RDP access to the compromised computer. Next, PsExec, Remcom, and SMB hacking tools are leveraged for lateral movement.

The new infrastructure used in recent attacks included the domain win7-updates[.]com as a command and control (C&C) address, along with multiple IP addresses, though it’s unclear whether these were leased or hijacked. On a staging server apparently used by the attackers, the researchers found copies of many of the group’s tools.

According to Symantec, Chafer’s activities have some links to Oilrig, another Iran-based cyberespionage group. Both appear to be using the same IP address for C&C address, as well as a similar infection vector, an Excel document dropping a malicious VBS file referencing to the same misspelled file path.

While this could suggest that the two groups are one and the same, there isn’t enough evidence to support that hypothesis, Symantec says. More likely, the “two groups are known to each other and enjoy access to a shared pool of resources,” the researchers suggest.

Chafer’s recent activities show not only that the group remains highly active, but also that it has become more audacious in its choice of targets. Similar to other targeted attack groups, it has been relying on freely available software tools for malicious activities, and also moved to supply chain attacks, which are more time consuming and more likely to be discovered.

“These attacks are riskier but come with a potentially higher reward and, if successful, could give the attackers access to a vast pool of potential targets,” Symantec concludes.

Related: Iranian Hackers Use New Trojan in Recent Attacks

Related: Apparently Linked Iran Spy Groups Target Middle East

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


A newly identified threat actor tracked as NewsPenguin has been targeting military organizations in Pakistan with sophisticated malware.