Chafer Used Remexi Malware to Spy on Iran-based Foreign Diplomatic Entities
(Jan 30, 2019)
A campaign targeting foreign diplomatic entities in Iran has been observed installing the “Remexi” malware, according to researchers from Kaspersky Lab. The campaign is attributed to the Advanced Persistent Threat (APT) group “Chafer.” It is unclear how the campaign is initiated, but once the malware is on a machine it can log keystrokes, take screenshots, obtain credentials, view logon and browser history, and execute remote commands. It establishes persistence by utilising scheduled tasks and the system registry.
Recommendation: It is crucial that your company ensure that machines are always running the most current software version. Your company should have policies in place regarding the proper configurations needed for work machines and devices in order to conduct your business needs safely. In addition, bring-your-own-device (BYOD) policies should be in place that treat every IoT device as a potential security liability. Furthermore, always practice defence-in-depth (do not rely on single security mechanisms - security measures should be layered, redundant, and fail-safe).
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.