Symantec says that it has identified two Iran-based hacking groups who are spying on individuals and organisations in the region.
The security company reports that the Cadelle and Chafer groups have been using back door threats to conduct targeted surveillance of domestic and international targets. Attacks have mainly been targeted at individuals in Iran, but have also been recorded in Iraq, the UAE and Saudi Arabia, and include airlines and telecoms companies, which Symantec says may have been intended to monitor targets’ movements and communications.
The two groups are possibly related, although Symantec has no direct evidence of this, and may have been active since 2011.
The Cadelle group uses Backdoor.Cadelspy, while Chafer uses Backdoor.Remexi and Backdoor.Remexi.B, all of which are capable of opening a back door and stealing information from victims’ computers.
Cadelspy initially arrives on the computer as a dropper, which downloads two installer components, one for 32-bit and one for 64-bit systems. The dropper then executes the installer matching the victim's system, which launches Cadelspy’s malicious payload and allows it to run whenever any Windows program is executed.
Cadelspy’s main payload contains its back door functionality, allowing the threat to log keystrokes and the titles of open windows; gather clipboard data and system information; steal printer information and any documents that were sent to be printed; record audio and capture screenshots and webcam photos.
Cadelspy compresses all of the stolen data into a .cab file and uploads it to the attacker’s Command and Control servers. The threat is also able to update its configuration file to gain additional features.
Remexi is a basic back door Trojan that allows attackers to open a remote shell on the computer and execute commands. Though this is unsophisticated, a remote shell does provide a highly flexible and powerful means of remote access in the hands of a skilled attacker.
Symantec says that it believes the groups are based in Iran because of the choice of targets, the hours during which the groups are active, and the use of the solar Hijri calendar in some of the code. The company says that both groups are still active and it expects their activities to continue.
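As an added example (not code from the Symantec report or from the malware itself), a converter between Gregorian and Solar Hijri (Jalali) dates, the calendar whose presence in the code is cited above as an attribution clue; an analyst can use it to translate date strings found in a sample or its logs, assuming standard Jalali year/month/day numbering.

```python
# Added example, not from the Symantec report: Gregorian <-> Solar Hijri (Jalali)
# conversion using the integer day-count method found in open-source converters
# such as jdf; intended for Gregorian years after 1600 (Jalali years after 979).

def gregorian_to_jalali(gy, gm, gd):
    g_d_m = [0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334]
    jy = 979 if gy > 1600 else 0
    gy -= 1600 if gy > 1600 else 621
    gy2 = gy + 1 if gm > 2 else gy      # count this year's leap day once March is reached
    days = (365 * gy + (gy2 + 3) // 4 - (gy2 + 99) // 100 + (gy2 + 399) // 400
            - 80 + gd + g_d_m[gm - 1])  # days since 1 Farvardin of the base year
    jy += 33 * (days // 12053)          # 33-year Jalali cycle = 12053 days
    days %= 12053
    jy += 4 * (days // 1461)            # 4-year cycle = 1461 days
    days %= 1461
    if days > 365:
        jy += (days - 1) // 365
        days = (days - 1) % 365
    if days < 186:                      # months 1-6 have 31 days, months 7-12 have 30
        return jy, 1 + days // 31, 1 + days % 31
    return jy, 7 + (days - 186) // 30, 1 + (days - 186) % 30


def jalali_to_gregorian(jy, jm, jd):
    gy = 1600 if jy > 979 else 621
    jy -= 979 if jy > 979 else 0
    days = (365 * jy + (jy // 33) * 8 + (jy % 33 + 3) // 4 + 78 + jd
            + ((jm - 1) * 31 if jm < 7 else (jm - 7) * 30 + 186))
    gy += 400 * (days // 146097)        # 400-year Gregorian cycle = 146097 days
    days %= 146097
    if days > 36524:                    # century cycles after the first (leap) century
        days -= 1
        gy += 100 * (days // 36524)
        days %= 36524
        if days >= 365:
            days += 1
    gy += 4 * (days // 1461)
    days %= 1461
    if days > 365:
        gy += (days - 1) // 365
        days = (days - 1) % 365
    gd = days + 1
    leap = (gy % 4 == 0 and gy % 100 != 0) or gy % 400 == 0
    month_len = [31, 29 if leap else 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
    gm = 1
    while gm < 12 and gd > month_len[gm - 1]:
        gd -= month_len[gm - 1]
        gm += 1
    return gy, gm, gd
```

For instance, Nowruz 1394 (1394/01/01) maps to 21 March 2015 and 1394/09/16 to 7 December 2015.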