Chafer APT Hits Middle East Governments With Cyber-Espionage Attacks

Modus operandi

• In May 2020, it was found that the Chafer APT had been targeting unnamed government and air transportation companies in Kuwait and Saudi Arabia, using a bevy of custom-built tools, as well as “living off the land” tactics.
• The hackers initially infected victims in Kuwait using tainted documents with shellcodes, potentially sent via spear-phishing emails, and also managed to create a new user account on the victims’ machine.
• The attackers installed a backdoor, deployed several network-scanning and credential-gathering tools (like CrackMapExec and PLINK tool), and moved laterally across the network. They relied on the Non-Sucking Service Manager (NSSM) for service monitoring.

Activities and tools attributed to Chafer APT

• In January 2020, Palo Alto Networks observed that some HTML code was injected on a Kuwaiti organization’s website. It was used as an apparent watering hole for credential harvesting. The IP addresses used in DNS hijacking activities were found linked to OilRig and Chafer.
• In June 2019, IBM X-Force (IRIS) analysis correlated or closely aligned hacker ITG07 operations to other groups such as Chafer and APT39. Both the hacker groups used a custom Remote Access Trojan (RAT) named TREKX.
• In March 2019, the NCCGroup report linked Chafer with several custom-made tools, variants of the Remexi malware, and publically available tools such as ‘Mimikatz’ or ‘PsExec’.

Additional analysis

• Chafer APT mainly targets air transport and government sectors in the Middle East.
• While attacking the victims in Kuwait, the gang created their own new user accounts, but for targeting Saudi Arabian victims, they relied on social engineering tactics.
• The group’s motive is to explore and exfiltrate the data for espionage purposes.

Stay safe