Chafer APT Hits Middle East Governments With Cyber-Espionage Attacks

The Iran-linked Chafer APT, also sometimes referred to as a subgroup of APT34 (OilRig), is a threat actor group that has been spotted launching cyber-espionage campaigns against critical infrastructure in the Middle East, presumably for intelligence gathering.

Modus operandi

It was recently revealed that cyber-espionage campaigns that started in 2018 and lasted until at least the end of 2019 were linked to Chafer APT.
  • In May 2020, it was found that the Chafer APT had been targeting unnamed government and air transportation companies in Kuwait and Saudi Arabia, using a bevy of custom-built tools, as well as “living off the land” tactics.
  • The hackers initially infected victims in Kuwait using tainted documents containing shellcode, potentially sent via spear-phishing emails, and also managed to create a new user account on the victims’ machines.
  • The attackers installed a backdoor, deployed several network-scanning and credential-gathering tools (like CrackMapExec and Plink), and moved laterally across the network. They relied on the Non-Sucking Service Manager (NSSM) for service monitoring.

Activities and tools attributed to Chafer APT

The Chafer group has remained active across different campaigns while developing custom tools for its operations. Analysis of other groups’ activities has also established connections between Chafer and other threat actors, along with some newer tactics.
  • In January 2020, Palo Alto Networks observed that some HTML code was injected on a Kuwaiti organization’s website. It was used as an apparent watering hole for credential harvesting. The IP addresses used in DNS hijacking activities were found linked to OilRig and Chafer.
  • In June 2019, IBM X-Force (IRIS) analysis found that the operations of the hacker group ITG07 correlated or closely aligned with those of other groups such as Chafer and APT39. Both hacker groups used a custom Remote Access Trojan (RAT) named TREKX.
  • In March 2019, an NCC Group report linked Chafer with several custom-made tools, variants of the Remexi malware, and publicly available tools such as ‘Mimikatz’ or ‘PsExec’.
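
For defenders, the behaviours listed under "Modus operandi" and the tools named above can be turned into a simple log triage rule. The Python sketch below is an added example, not code from the article or from any of the vendors cited; the event field names, host names, allowlist and 24-hour window are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tool names from the article, plus PSEXESVC (the service PsExec installs).
# File-name matching is evaded by renaming: hits are triage leads only.
TOOLS = ("nssm", "plink", "crackmapexec", "mimikatz", "psexec", "psexesvc")
TOOL_RE = re.compile(r'(?:^|[\\/\s"])(' + "|".join(TOOLS) + r')[\w.-]*\.exe', re.I)
PROVISIONERS = {"svc-idm"}    # hypothetical allowlist of account-provisioning identities
WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample events: 4720 = user account created,
# 7045 = service installed, 4688 = process created.
EVENTS = [
    {"id": 4720, "host": "HOST-A", "time": "2020-01-10T02:14:00", "by": "jdoe", "user": "support2"},
    {"id": 7045, "host": "HOST-A", "time": "2020-01-10T02:40:00", "path": r"C:\ProgramData\nssm.exe"},
    {"id": 4688, "host": "HOST-A", "time": "2020-01-10T03:05:00", "path": r"C:\Users\Public\plink.exe"},
    {"id": 4720, "host": "HOST-B", "time": "2020-01-10T09:00:00", "by": "svc-idm", "user": "newhire"},
    {"id": 4688, "host": "HOST-B", "time": "2020-01-10T09:30:00", "path": r"C:\Program Files\Vendor\uplink.exe"},
    {"id": 7045, "host": "HOST-C", "time": "2020-01-11T11:00:00", "path": r"C:\Windows\PSEXESVC.exe"},
]

def findings(events):
    """Return (host, time, kind, detail) for each suspicious event."""
    out = []
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4720 and e["by"].lower() not in PROVISIONERS:
            out.append((e["host"], t, "new-account", e["user"]))
        elif e["id"] in (7045, 4688):
            m = TOOL_RE.search(e["path"])
            if m:
                out.append((e["host"], t, "tool", m.group(1).lower()))
    return out

def correlate(events):
    """Per host: 'high' if an unapproved new account and a tool hit fall within WINDOW."""
    by_host = defaultdict(list)
    for host, t, kind, detail in findings(events):
        by_host[host].append((t, kind, detail))
    report = {}
    for host, items in by_host.items():
        accounts = [t for t, k, _ in items if k == "new-account"]
        tools = [(t, d) for t, k, d in items if k == "tool"]
        paired = any(abs(ta - tt) <= WINDOW for ta in accounts for tt, _ in tools)
        report[host] = {"priority": "high" if paired else "review",
                        "tools": sorted({d for _, d in tools}), "new_accounts": len(accounts)}
    return report
```

Several of these tools also have legitimate administrative uses, so a "review" result on its own is a prompt to check who installed the service, not a confirmed compromise.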

Additional analysis

Bitdefender analyzed the Chafer APT campaigns, and according to their research, the threat group historically follows a set pattern to target victims.
  • Chafer APT mainly targets air transport and government sectors in the Middle East.
  • While attacking the victims in Kuwait, the gang created their own new user accounts, but for targeting Saudi Arabian victims, they relied on social engineering tactics.
  • The group’s motive is to explore and exfiltrate the data for espionage purposes.

Stay safe

Users should use a secure VPN to encrypt sensitive data and protect it from prying eyes. Install and regularly update anti-virus software, firewalls, and email filters. Back up your data regularly.