Government and air transportation companies in Kuwait and Saudi Arabia were targeted in a recent attack tracked back to the Chafer APT.
Researchers have uncovered new cybercrime campaigns from the known Chafer advanced persistent threat (APT) group. The attacks have hit several air transportation and government victims in hopes of data exfiltration.
The Chafer APT has been active since 2014 and has previously launched cyber espionage campaigns targeting critical infrastructure in the Middle East. This most recent wave of cyberattacks started in 2018 and have lasted until at least the end of 2019, targeting several unnamed organizations based in Kuwait and Saudi Arabia. The campaigns used a bevy of custom-built tools, as well as “living off the land” tactics. Living off the land tools are features already existing in the target environment, which are abused by attackers to help them achieve persistence.
“Researchers have found attacks conducted by this actor in the Middle East region, dating back to 2018,” according to a Thursday Bitdefender analysis. “The campaigns were based on several tools, including ‘living off the land’ tools, which makes attribution difficult, as well as different hacking tools and a custom built backdoor. Victims of the analyzed campaigns fit into the pattern preferred by this actor, such as air transport and government sectors in the Middle East.”
Liviu Arsene, global cybersecurity analyst with Bitdefender, told Threatpost that researchers can’t specify how many companies have been targeted in each country. However, “it is safe to estimate that the cybercriminal group likely went after more than those we investigated,” he said.
While the modus operandi behind the attacks against firms in Kuwait and Saudi Arabia shared “some common stages,” researchers noted that the attacks on victims from Kuwait were more sophisticated as attackers were able to move laterally on the network. Researchers believe the threat actors initially infected victims using tainted documents with shellcodes, potentially sent via spear-phishing emails.
“During our investigation, on some of the compromised stations we observed some unusual behavior performed under a certain user account, leading us to believe the attackers managed to create a user account on the victims’ machine and performed several malicious actions inside the network, using that account,” said researchers.
Once they gained a foothold inside the company, attackers then installed a backdoor (imjpuexa.exe), that was executed as a service on some machines. Attackers also deployed several network-scanning and credential-gathering tools used for reconnaissance and to help them move laterally inside the network. For instance, attackers deployed CrackMapExec, a multi-purpose tool used for network scanning, credential dumping, accounts discovery and code injection.
Another custom tool of note that attackers utilized is a modified PLINK tool (called wehsvc.exe). PLINK is a command-line connection tool mostly used for automated operations. The PLINK tool used in the campaign preserves the original functionality, with some new key features such as the possibility to run as a Windows service or to uninstall the service.
“We believe this tool may have been used either to communicate with the [command and control server] C2 or to gain access to some internal machines, but found no conclusive evidence to support these scenarios,” said researchers.
While the attack on the victim in Kuwait achieved further lateral movement, researchers said the attack on the victim in Saudi Arabia was not as elaborate, “either because the attackers did not manage to further exploit the victim, or because the reconnaissance revealed no information of interest.”
For these attacks, researchers said they believe “initial compromise was achieved through social engineering.” After initial compromise, a RAT was loaded and executed twice, with different names (“drivers.exe” and “drivers_x64.exe”). The two executions were three minutes apart, leading researchers to believe that the user was tricked into running them.
The RAT was written in Python and converted into a standalone executable: “Some RATs are very similar to tools that have been previously documented by security researchers, but have been customized for this particular attack,” Arsene told Threatpost. “It’s not uncommon for cybercriminal groups to tweak their tools based on either victim profile or immediate needs. For example, they might change the way the RAT communicates with the C2 server, or they can add other features that were not necessary in the past but currently prove useful.”
Researchers also found three different RAT components that were used at different times. One of these components (“snmp.exe”) was the same as the backdoor (“imjpuexa.exe”) used on the targeted attacks in Kuwait – leading researchers to link the two campaigns.
“While this attack was not as extensive as the one in Kuwait, some forensic evidence suggests that the same attackers might have orchestrated it,” they said. “Despite the evidence for network discovery, we were not able to find any traces for lateral movement, most probably because threat actors were not able to find any vulnerable machines.”
Of note, the threat actor also used “living off the land” tools extensively in both campaigns. This included the heavy use of the Non-Sucking Service Manager (NSSM), which is a legitimate service manager for Microsoft Windows. The NSSM utility manages background and foreground services and processes. Researchers believe the APT used NSSM for ensuring that its critical components, such as the RAT, are up and running.
“We estimate that attackers relied on NSSM to make sure that the services they were monitoring were actually running and not terminated or stopped,” Arsene explained. “It’s a way of ensuring persistence for malicious services and restarting them if they are inadvertently killed or stopped by various other applications.”
So far, all of the incidents that researchers uncovered have been stopped: “the investigation in both countries was stopped before concluding when or if the cyberattack had stopped,” Arsene said. “It’s likely that… local authorities were notified and decided to continue the investigation locally.”
Researchers linked these campaigns with Chafer because some of the tools used bear similarities to the tools used in previously-documented Chafer APT attacks. The C2 domains in these attacks have been previously associated with the same cybercriminal group, Arsene told Threatpost.
It’s only the latest campaign for the Chafer APT. Last year, the Iran-linked APT was spotted targeting various entities based in Iran with an enhanced version of a custom malware that takes a very unique approach to communication by using the Microsoft Background Intelligent Transfer Service (BITS) mechanism over HTTP. Another campaign in February, launched by two Iran-backed APTs who were possibly working together to compromise high-value organizations from the IT, telecom, oil and gas, aviation, government and security sectors in Israel, was loosely linked to the Chafin APT after researchers noted an overlap in approaches.
That said, cyber-espionage campaigns have spiraled downwards overall over the past year, according to the recent 2020 Verizon Data Breach Investigations Report (DBIR), dropping from making up 13.5 percent of breaches in 2018 to a mere 3.2 percent of data breaches in 2019.