A hacking group has used a specific malware variant for the last three years to spy on “foreign diplomatic entities” operating inside Iran, advancing its reputation as an espionage group that previously targeted telecoms throughout the Middle East.
The Chafer cyber espionage group deployed malware known as Remexi to steal user credentials, record keystrokes, browser history and take covert screenshots on targeted machines through late 2018, according to Kaspersky research published Wednesday.
Few specifics are known about the operation, including concrete details on how the malware spreads. However Kaspersky’s new research builds on previous Symantec findings which determined that Chafer attacked telecommunication companies, an airline in the Middle East and at least one business in the U.S. The group now appears to be targeting Windows machines located inside Iran, Kaspersky said this week.
“The vast new majority of the users targeted by this new variant of Remexi appear to have Iranian IP addresses,” researcher Denis Legezo wrote in a blog post. “Some of these appear to be foreign diplomatic entities based in the country.”
Kaspersky did not directly attribute Remexi or Chafer activity to any group or individual in Iran. A close inspection of the code in the Remexi malware includes the word “salamati,” which translates to “health” in Farsi, Legezo said.
Chafer was first detected by Symantec in 2015. The group since has used hacking tools like EternalBlue, which was stolen from the National Security Agency and posted on the public internet, as CyberScoop has reported. Chafer has used Eternal Blue in its own targeted campaigns.
Top U.S. intelligence officials this week testified to Congress that Iran is among the nations with the most active hacking operations. The country’s capabilities do not appear to be as robust as the Chinese, though Iranian operators have invested in their efforts to spread Tehran’s message through social media. Facebook on Thursday said it removed 783 pages that were engaged in “coordinated inauthentic behavior” in what was only the latest takedown involving suspected Iranian propaganda.