“Chafer’s recent activities indicate that the group remains highly active, is continuing to hone its tools and tactics, and has become more audacious in its choice of targets.”
A security researcher has warned of the “heightened ambitions” of an Iran-based cyberattack group that threatens to resurface and pose a real risk to transport networks in the Middle East. Last year the Iranian hacking group, Chafer, targeted a range of organisations in the region with the aim of gathering intelligence, using infected Microsoft Excel documents to gain unauthorised access to “airlines and aircraft services”. The group also attacked telecoms and travel reservation companies.
Symantec, the California-based software company, reported on its website that Chafer has traditionally focused its attention on Jordan, Israel, the United Arab Emirates, Turkey and Saudi Arabia, and has been active since at least July 2014. Since then the group has adopted new strategies, introducing seven new tools that have helped it infiltrate nine new organisations in the Middle East.
The infection begins with a malicious file hidden in an Excel document, which installs three files on the victim’s computer and steals information from the compromised machine. By this route Chafer reportedly gained access to a telecoms company in the Middle East, allowing it to surveil the company’s end-user customers and giving the attackers a “vast pool” of new targets. The same approach ultimately led Chafer to an African airline, whose details were harvested from the database of a travel reservations company.
Providing details on the seven new tools Chafer is using, as well as on malware the group is already known to have used, Symantec noted that many of them are “freely available, off-the-shelf” tools put to malicious use.
- Remcom: An open-source alternative to PsExec, the Microsoft Sysinternals tool used for executing processes on other systems.
- Non-Sucking Service Manager (NSSM): An open-source alternative to the Windows Service Manager which can be used to install and remove services, and which will restart services if they crash.
- A custom screenshot and clipboard capture tool.
- SMB hacking tools: Used in conjunction with other tools to traverse target networks. These include the EternalBlue exploit (previously used by WannaCry and Petya).
- GNU HTTPTunnel: An open-source tool that can create a bidirectional HTTP tunnel on Linux computers, potentially allowing communication past a restrictive firewall.
- UltraVNC: An open-source remote administration tool for Microsoft Windows.
- NBTScan: A free tool for scanning IP networks for NetBIOS name information.
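Because most of the tools above are legitimate utilities, signature-based anti-malware will often let them through; what gives them away is where and how they are installed. The Windows Service Control Manager logs every new service as System log Event ID 7045, including the binary path, which makes that event a natural place to hunt for NSSM, Remcom, UltraVNC and the like being dropped as persistence. The script below is an added example, not code from Symantec or from the article: it runs over a handful of constructed 7045 records (flattened to one key=value line each, a format I assume here) and flags services whose binary name matches one of the listed tools or that were installed from a user-writable directory. The executable names in `SUSPECT_BINARIES` and the directory heuristic are my assumptions and should be tuned to your own telemetry.

```python
"""
Added example (not the article's or Symantec's code): hunt Windows
"service installed" events (System log, Event ID 7045) for the
off-the-shelf tools Chafer is reported to use.

Assumptions, all mine: each input line is one event flattened to
key=value fields (quoted when the value has spaces), and the binary
names below are the file names the tools are usually deployed under.
"""
import re
from pathlib import PureWindowsPath

# Executable names the listed tools commonly ship under (assumed; tune to taste).
SUSPECT_BINARIES = {
    "nssm.exe": "NSSM service wrapper",
    "remcomsvc.exe": "Remcom service component",
    "remcom.exe": "Remcom client",
    "winvnc.exe": "UltraVNC server",
    "hts.exe": "GNU HTTPTunnel server",
    "htc.exe": "GNU HTTPTunnel client",
    "nbtscan.exe": "NBTScan",
}

# Directories a legitimate service binary rarely lives in (my heuristic).
SUSPECT_DIRS = ("\\windows\\temp\\", "\\users\\", "\\programdata\\")

# Constructed sample telemetry: four 7045 events and one unrelated 7036 event.
SAMPLE_EVENTS = [
    r'EventID=7045 Host=WS01 ServiceName="Print Spooler Helper" '
    r'ImagePath="C:\Windows\Temp\nssm.exe" StartType=auto',
    r'EventID=7045 Host=WS01 ServiceName="RemComSvc" '
    r'ImagePath="C:\Windows\RemComSvc.exe" StartType=demand',
    r'EventID=7045 Host=SRV02 ServiceName="uvnc_service" '
    r'ImagePath="C:\Program Files\uvnc\winvnc.exe -service" StartType=auto',
    r'EventID=7045 Host=SRV02 ServiceName="wuauserv" '
    r'ImagePath="C:\Windows\System32\svchost.exe -k netsvcs" StartType=auto',
    r'EventID=7036 Host=SRV02 ServiceName="wuauserv" State=running',
]

# key=value pairs; the value is either "quoted with spaces" or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split one flattened event line into a dict of its fields."""
    return {key: quoted if quoted else bare
            for key, quoted, bare in FIELD_RE.findall(line)}


def binary_of(image_path):
    """Lower-case file name of the executable an ImagePath launches,
    tolerating a leading quote and trailing command-line arguments."""
    match = re.match(r'\s*"?(.*?\.exe)', image_path, re.IGNORECASE)
    if not match:
        return ""
    return PureWindowsPath(match.group(1)).name.lower()


def assess(event):
    """Reasons an installed-service event looks like one of the tools above;
    an empty list means nothing matched."""
    if event.get("EventID") != "7045":
        return []
    path = event.get("ImagePath", "")
    name = binary_of(path)
    reasons = []
    if name in SUSPECT_BINARIES:
        reasons.append(f"binary {name} looks like {SUSPECT_BINARIES[name]}")
    if any(d in path.lower() for d in SUSPECT_DIRS):
        reasons.append("service binary installed from a user-writable directory")
    return reasons


def hunt(lines):
    """Run assess() over every line; return {(host, service): reasons} for hits."""
    hits = {}
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            hits[(event.get("Host"), event.get("ServiceName"))] = reasons
    return hits


if __name__ == "__main__":
    for (host, service), reasons in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: service '{service}': " + "; ".join(reasons))
```

On the sample data the three tool-backed services are flagged and the genuine svchost-hosted service is not; the NSSM entry is reported twice, once for the binary name and once because it was installed from `C:\Windows\Temp`. A matching rule in a SIEM is the same two conditions expressed over the 7045 `ImagePath` field; the heuristic deliberately keys on the binary name rather than the service name, because, as the first sample shows, an attacker picks the display name.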