• The threat group targeted the Turkish government firm that used the domain win10-update[.]com.
  • The Chafer APT group specifically exploited this domain to deliver the new MechaFlounder malware.

New details regarding the infamous Iran-linked Chafer APT group have surfaced recently. The threat actor, which has been active since November 2014, has been found using a new Python-based backdoor named MechaFlounder to launch its attack campaign. The backdoor malware was actively used by the hacking group to carry out attacks against a Turkish government entity in November 2018.

The big picture - Experts from Palo Alto observed that the threat group targeted a Turkish government firm that used the domain win10-update[.]com. This domain was previously exploited by the APT group in early 2018. The Chafer APT group specifically exploited this domain to deliver the new MechaFlounder malware. This is the first instance where the group has been spotted using a Python-based payload to launch its attack.

“This is the first instance where Unit 42 has identified a Python-based payload used by these operators. We’ve also identified code overlap with OilRig’s Clayside VBScript but at this time track Chafer and OilRig as separate threat groups. We have named this payload MechaFlounder for tracking purposes,” Palo Alto Networks researchers explained.

About MechaFlounder - According to the experts, the malware was used as a secondary payload. MechaFlounder was also used by the APT group as a post-exploitation tool. It is bundled as a portable executable using the PyInstaller tool. As a secondary payload, MechaFlounder allows the attackers to upload and download files and run arbitrary commands and applications on compromised systems.

Once installed, the backdoor enters a loop and continuously attempts to communicate with the C2 server via HTTP.

“To upload a specified file from the compromised system to the C2 server, the Trojan uses the Browser class in the mechanize module (partial basis of the MechaFlounder name) to submit the file to an HTML form on the C2 server. Serve HTML that contains a form to receive uploaded files,” said the experts.

“After carrying out the activities for the command, the Trojan will encode the results or output message of the command using the ‘base64.b16encode’ method. Each command has an output message for both a successful and failed execution of the command with the exception of ‘empty’ and ‘terminate’.”
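The two quoted details above (HTTP traffic to the C2 domain, and command output encoded with `base64.b16encode`) are the pieces a defender can pivot on. The following is an added example written for this article, not code from Unit 42 or from the malware itself: a small triage script that scans proxy log lines for the domain named in the article and for POST bodies that look like `b16encode` output, and decodes them for an analyst. The log format and the log lines are constructed for the example; the only value taken from the article is the defanged domain win10-update[.]com.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicator from the article, kept defanged as the text prints it.
KNOWN_C2_DOMAIN = "win10-update[.]com"

# base64.b16encode emits UPPERCASE hex of even length; b16decode rejects
# lowercase unless casefold=True, so matching strictly mirrors the encoder.
B16_RE = re.compile(r"^(?:[0-9A-F]{2})+$")

# Hypothetical proxy log layout used for this example:
#   <timestamp> <client-ip> <METHOD> <host> <path> [<request-body>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>GET|POST)\s+"
    r"(?P<host>\S+)\s+(?P<path>\S+)\s*(?P<body>.*)$"
)


@dataclass
class Finding:
    line_no: int
    host: str
    decoded: Optional[str]  # decoded b16 payload, or None if the body was not b16
    reason: str


def refang(indicator: str) -> str:
    """Turn a defanged indicator (win10-update[.]com) into a matchable host."""
    return indicator.replace("[.]", ".")


def looks_like_b16(s: str) -> bool:
    """True if the string has the shape base64.b16encode produces."""
    return bool(s) and B16_RE.match(s) is not None


def decode_b16(s: str) -> Optional[str]:
    """Decode b16 data for display; None if it is not valid base16."""
    try:
        return base64.b16decode(s).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def scan_proxy_log(lines: List[str]) -> List[Finding]:
    """Flag traffic to the known C2 domain and hex-only POST bodies elsewhere."""
    c2_host = refang(KNOWN_C2_DOMAIN)
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected layout; skip rather than guess
        host, body = m.group("host"), m.group("body").strip()
        if host == c2_host:
            decoded = decode_b16(body) if looks_like_b16(body) else None
            findings.append(Finding(n, host, decoded, "known Chafer C2 domain"))
        elif m.group("method") == "POST" and looks_like_b16(body) and len(body) >= 16:
            # Short hex bodies are common (IDs, tokens); a length floor cuts noise.
            findings.append(Finding(n, host, decode_b16(body), "b16-encoded POST body"))
    return findings


# Constructed sample log lines (not real traffic). The second body is what
# base64.b16encode(b"command executed") yields; the third is b16 for "FILE UPLOADED".
SAMPLE_LOG = [
    "2018-11-05T10:00:01Z 10.0.0.5 GET update.example.org /check ",
    "2018-11-05T10:00:07Z 10.0.0.5 POST win10-update.com /index.php "
    + base64.b16encode(b"command executed").decode(),
    "2018-11-05T10:00:09Z 10.0.0.5 POST www.example.com /form 46494C452055504C4F41444544",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.host} [{f.reason}] -> {f.decoded!r}")
```

The domain match is the high-confidence signal; the hex-body heuristic is deliberately loose and only meant to surface candidates for a human to look at, which is why it decodes the body instead of alerting on it outright.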

What’s in store for Chafer?

The newly discovered MechaFlounder backdoor has been created by Chafer using both new and publicly available code. It is believed that the trojan contains sufficient functionality for the Chafer group to carry out the malicious activities and accomplish their goals. This indicates that the threat actor group can use the malware to upload and download files successfully as well as execute arbitrary commands on affected systems.

Cyware Publisher