An updated version of the Remexi malware was used in a cyber-espionage campaign that targeted Iranian IP addresses late last year. The goal of the campaign was to infect systems belonging to foreign diplomats residing within Iran's borders.
Remexi malware is typically associated with an APT group named Chafer. According to Denis Legezo, a researcher from Kaspersky, the malware’s use in the 2018 campaign suggests that Iranian actors may have executed a domestic operation against these foreign diplomatic entities.
Remexi malware capabilities
Although Remexi originally dates back to at least 2015, the newest module observed by researchers carries a compilation timestamp of March 2018.
“The main tool used in this campaign is an updated version of the Remexi malware, publicly reported by Symantec back in 2015. The newest module’s compilation timestamp is March 2018. The developers used the GCC compiler on Windows in the MinGW environment,” said Legezo in a blog post.
The malware has a variety of capabilities, such as recording keystrokes, taking screenshots of windows, stealing credentials, logon data and browser history, and executing remote commands.
Once installed, the malware first connects to the attackers' C2 server in order to receive commands.
“Its C2 is based on IIS using .asp technology to handle the victims’ HTTP requests. All the commands received from the C2 are first saved to an auxiliary file and then stored encrypted in the system registry. The standalone thread will decrypt and execute them,” Legezo explained.
There is no evidence showing how the new variant of Remexi spreads. However, in one instance of infection, Legezo was able to establish a connection between Remexi and an AutoIT script compiled as a PE file. Kaspersky believes that this executable may have been used to drop the Remexi malware.