Chafer threat actor group: A deep understanding of the Iran-linked threat group’s high-prolific targets

• Chafer has compromised several airlines and telecommunications companies in the Middle East countries such as Saudi Arabia and Afghanistan.
• Chafer has used leaked NSA hacking tools including EternalBlue that are freely available on the public internet.

Chafer hacking group, also known as APT39 is an advanced persistent threat group that has been active since July 2014. Chafer has been observed compromising web servers via SQL injection attacks in order to drop Backdoor.Remexi onto victims’ computers. Chafer primarily targets victims in Iran, followed by Middle East countries, and the United States.

Chafer linked to OilRig group

Experts noted that Chafer is linked to a group called OilRig that has shared its C&C server and infection vectors with Chafer. Chafer has used leaked NSA hacking tools including EternalBlue that are freely available on the public internet.

Chafer targeted telecoms in the Middle East

In 2015, Chafer compromised several airlines and telecommunications companies in the Middle East countries such as Saudi Arabia and Afghanistan, while one organization was located in the US.

Backdoors used by Chafer

In 2019, Chafer targeted Windows machines located in Iran with the Remexi malware which is capable of stealing user credentials, recording keystrokes, browser history and taking screenshots on targeted machines. Researchers noted that Chafer threat group uses Remexi backdoor to steal usernames and passwords in order to propagate further across the network.

• Chafer has used MechaFlounder backdoor to target Turkish government firm in November 2018.
• Apart from Remexi and MechaFlounder backdoor, Chafer was also spotted using other backdoors such as SEAWEED, CACHEMONEY, and a specific variant of the POWBAT backdoor.

Furthermore, Chafer threat group has exploited vulnerable web servers of targeted organizations in order to install web shells such as ANTAK and ASPXSPY, and has used stolen credentials to compromise externally facing Outlook Web Access (OWA) resources.