Iran-based hacking groups target ME region

Symantec reports that two hacking groups have been spying on targets

Symantec says it has identified two Iran-based hacking groups that are spying on individuals and organisations in the Middle East.

The security company reports that the Cadelle and Chafer groups have been using back door Trojans to conduct targeted surveillance of domestic and international targets. Most victims are individuals in Iran, but infections have also been recorded in Iraq, the UAE and Saudi Arabia. Targets include airlines and telecoms companies, which Symantec says may have been chosen so that the attackers could track individuals' movements and communications.

Symantec believes the two groups may be related, although it has no direct evidence of this, and says they may have been active since 2011.

The Cadelle group uses Backdoor.Cadelspy, while Chafer uses Backdoor.Remexi and Backdoor.Remexi.B; all three can open a back door and steal information from victims' computers.

Cadelspy initially arrives on the computer as a dropper, which downloads two installer components catering to whether the victim is running a 32-bit or 64-bit system. The dropper then executes the appropriate installer, which launches Cadelspy's malicious payload and allows it to run whenever any Windows program is executed.
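The classic Windows mechanism that makes a DLL run whenever any program is executed is the AppInit_DLLs registry value, which loads every listed DLL into each process that maps user32.dll; the page does not name the mechanism Cadelspy uses, so that mapping is an assumption. The hunting script below is an added example, not code from Symantec's report or from the malware. It parses a registry export of both the 64-bit key and its Wow6432Node twin (the 32-bit view, which mirrors the dropper's choice between a 32-bit and a 64-bit installer) and reports any listed DLL together with the switches that decide whether Windows will load it. The key paths are the real ones; the export text and the DLL name in it are constructed for the example.

```python
"""Hunt for AppInit_DLLs persistence in a Windows registry export (.reg).

Added example: not code from Symantec's report or from Cadelspy. It assumes,
because the page does not say so, that "runs whenever any Windows program is
executed" means the AppInit_DLLs mechanism: every DLL listed in that value is
loaded into each process that maps user32.dll. Both the native key and the
Wow6432Node twin (used by 32-bit processes on 64-bit Windows) are checked.
Produce the input with:  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" out.reg
"""
import re

# Real key paths; the 64-bit view and the 32-bit (Wow6432Node) view are
# independent, so a hit can hide in either.
APPINIT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)

# Constructed sample export (not real telemetry): the 64-bit key is clean, the
# 32-bit key lists a hypothetical DLL and has loading switched on.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000
"RequireSignedAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\ProgramData\\example\\hypothetical.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value}} from .reg export text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = raw
    return keys


def decode_value(raw):
    """Decode the two value encodings this check needs: dword and string."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        # .reg files escape quotes as \" and backslashes as \\
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def find_appinit_dlls(reg_text):
    """Report every DLL listed for AppInit loading, with the switches that
    decide whether Windows will actually load it."""
    keys = parse_reg_export(reg_text)
    findings = []
    for key in APPINIT_KEYS:
        values = keys.get(key, {})
        dll_list = decode_value(values.get("AppInit_DLLs", '""'))
        load = decode_value(values.get("LoadAppInit_DLLs", "dword:00000000"))
        signed = decode_value(values.get("RequireSignedAppInit_DLLs", "dword:00000000"))
        # The value is a space- or comma-separated list; empty is the clean state.
        for dll in filter(None, re.split(r"[ ,;]+", dll_list)):
            findings.append({
                "view": "32-bit" if "Wow6432Node" in key else "64-bit",
                "dll": dll,
                "load_enabled": load == 1,
                "signature_required": signed == 1,
            })
    return findings


if __name__ == "__main__":
    for finding in find_appinit_dlls(SAMPLE_REG):
        print(finding)
```

Any non-empty AppInit_DLLs value is worth a look, since the default is empty. A hit with load_enabled false is a leftover rather than an active load, and on Windows 8 and later with Secure Boot enabled the mechanism is disabled entirely regardless of LoadAppInit_DLLs; a hit with load_enabled true and signature_required false is the combination an unsigned payload needs.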

Cadelspy's main payload contains its back door functionality, allowing the threat to log keystrokes and the titles of open windows; gather clipboard data and system information; steal printer information and any documents that were sent to be printed; record audio and capture screenshots and webcam photos.

Cadelspy compresses all of the stolen data into a .cab file and uploads it to the attacker's Command and Control servers. The threat is also able to update its configuration file to gain additional features.
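Because the stolen data leaves the machine as a .cab, the upload can be recognised on the wire by the fixed cabinet header rather than by a filename or Content-Type the attacker controls. The check below is an added example, not code from Symantec's report or from the malware; the page does not name the transport, so it assumes plain HTTP POST as seen at a proxy or after TLS inspection. The CFHEADER layout it parses is the documented Microsoft Cabinet format; the sample requests, host names and cabinet header are constructed for the example.

```python
"""Flag outbound HTTP POST bodies that carry a Microsoft Cabinet (.cab) file.

Added example, not code from Symantec's report or from Cadelspy. The page
says the stolen data is packed into a .cab and uploaded to the C&C servers
but does not name the transport; this check assumes plain HTTP POST and
recognises the upload by the CFHEADER that starts every cabinet: the ASCII
signature "MSCF" followed by fixed little-endian fields.
"""
import struct

# CFHEADER layout (36 bytes): signature, reserved1, cbCabinet, reserved2,
# coffFiles, reserved3, versionMinor, versionMajor, cFolders, cFiles, flags,
# setID, iCabinet.
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")
CAB_MAGIC = b"MSCF"


def parse_cab_header(body):
    """Return the cabinet's header fields, or None if the body is not a CAB."""
    if len(body) < CFHEADER.size or body[:4] != CAB_MAGIC:
        return None
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, flags, set_id, i_cabinet) = CFHEADER.unpack_from(body)
    return {
        "cabinet_size": cb_cabinet,        # declared total size of the .cab
        "folders": c_folders,
        "files": c_files,                  # number of files packed inside
        "first_file_offset": coff_files,
        "version": f"{ver_major}.{ver_minor}",
        "set_id": set_id,
        "cabinet_index": i_cabinet,
        "flags": flags,
    }


def split_http_request(raw):
    """Split a raw HTTP/1.x request into (request line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return request_line.decode("latin-1"), headers, body


def flag_cab_uploads(requests):
    """Return one record per POST whose body starts with a cabinet header."""
    hits = []
    for raw in requests:
        request_line, headers, body = split_http_request(raw)
        if not request_line.startswith("POST "):
            continue
        info = parse_cab_header(body)
        if info is not None:
            hits.append({"request": request_line, "host": headers.get("host"), **info})
    return hits


def _make_cab_header(total_size, n_files):
    """Build a CFHEADER for the constructed sample (header only, no payload)."""
    first_file = CFHEADER.size + 8          # one 8-byte CFFOLDER follows the header
    return CFHEADER.pack(CAB_MAGIC, 0, total_size, 0, first_file, 0,
                         3, 1, 1, n_files, 0, 0x1234, 0)


def _http_post(host, path, body, content_type):
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\nContent-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode("latin-1") + body


# Constructed sample traffic: a cabinet upload disguised as a generic binary
# post, an ordinary form post and a GET. Hosts are placeholders, not indicators.
SAMPLE_REQUESTS = [
    _http_post("upload.example.invalid", "/u", _make_cab_header(4096, 7) + b"\x00" * 8,
               "application/octet-stream"),
    _http_post("intranet.example.invalid", "/login", b"user=a&pass=b",
               "application/x-www-form-urlencoded"),
    b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n",
]

if __name__ == "__main__":
    for hit in flag_cab_uploads(SAMPLE_REQUESTS):
        print(hit)
```

Legitimate cabinet traffic exists (Windows Update and driver packages arrive as .cab), but almost always as downloads rather than POST bodies, so scoping the rule to outbound POSTs towards hosts outside an allowlist keeps it quiet. The file count and declared size in the header give an analyst an immediate sense of how much was taken, and the body is only visible if the upload is plain HTTP or TLS is inspected at the proxy.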

Remexi is a basic back door Trojan that allows attackers to open a remote shell on the computer and execute commands. Though this is unsophisticated, a remote shell does provide a highly flexible and powerful means of remote access in the hands of a skilled attacker.

Symantec says it believes the groups are based in Iran because of their choice of targets, the hours during which they are active, and the use of the Solar Hijri calendar in some of their code. The company says both groups are still active and it expects their operations to continue.
