New Python-based Payload MechaFlounder Used by Chafer
(Mar 4, 2019)
The threat group "Chafer" has been observed targeting Turkish government institutions and attempting to install a Python-based trojan, dubbed "MechaFlounder," according to Palo Alto Networks researchers. Although the initial infection vector is unclear to the researchers, users are somehow induced to download a file that launches the payload's installation. MechaFlounder functions as a backdoor that allows the threat group to upload and download files on a compromised machine and to execute other commands received from its Command and Control (C2) server. The malware appears to have been developed from a mix of custom code and openly available open-source code snippets.
Recommendation: Defence-in-depth (layering of security mechanisms, redundancy, fail-safe defence processes) is the best way to ensure safety from threat actors, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.