A newly uncovered spyware-slinging operation appears to have been targeting foreign diplomats in Iran for more than three years.
Researchers at Kaspersky Lab said this week that a new build of the Remexi software nasty, first seen in 2015, has been spotted lurking on multiple machines within Iran, mostly those located within what we assume are foreign embassy buildings. The Windows-targeting surveillance-ware was previously associated with a hacking group known as Chafer, and an examination of the latest strain suggests it is of Iranian origin.
“The malware can exfiltrate keystrokes, screenshots, browser-related data like cookies and history, decrypted when possible,” Kaspersky’s Denis Legezo said of the infection.
“The attackers rely heavily on Microsoft technologies on both the client and server sides: the Trojan uses standard Windows utilities like Microsoft Background Intelligent Transfer Service (BITS) bitsadmin.exe to receive commands and exfiltrate data.”
Curiously, Legezo said he does not yet know how the malware is spreading in the wild, just that it is targeting “foreign diplomatic entities” based within Iran.
“So far, our telemetry hasn’t provided any concrete evidence that shows us how the Remexi malware spread,” we’re told.
“However, we think it’s worth mentioning that for one victim we found a correlation between the execution of Remexi’s main module and the execution of an AutoIt script compiled as PE, which we believe may have dropped the malware.”
Once on a victim’s machine, the spyware is very persistent, hiding out in scheduled tasks, Userinit and Run registry keys in the HKLM hive, depending on the version of Windows it has infected. Data is exfiltrated to command and control servers using Microsoft’s bitsadmin.exe transfer utility.
According to timestamps in the malware, its development appears to have been completed in March 2018, though there are a few sections of the code that appear to be much older.