# Iran-based attackers use back door threats to spy on Middle Eastern targets

#### Two Iran-based attack groups that appear to be connected, Cadelle and Chafer, have been using Backdoor.Cadelspy and Backdoor.Remexi to spy on Iranian individuals and Middle Eastern organizations.

**By: Symantec Security Response** (Symantec Official Blog, Security Response) **Created 07 Dec 2015**

Two teams of Iran-based attackers have been using back door threats to conduct targeted […]

[…] individuals located in Iran, they’ve also compromised airlines and telecom providers in the Middle East region, possibly in an attempt to monitor targets’ movements and communications.

The attackers are part of two separate groups that have a shared interest in targets. One group, which we call Cadelle, uses [Backdoor.Cadelspy](https://www.symantec.com/security_response/writeup.jsp?docid=2015-090808-1754-99), while the other, which we’ve named Chafer, uses [Backdoor.Remexi](https://www.symantec.com/security_response/writeup.jsp?docid=2015-110911-3433-99) and Backdoor.Remexi.B. These threats are capable of opening a back door and stealing information from victims’ computers.

## The Cadelle and Chafer groups

Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014; however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.

The back door threats that the groups use appear to be custom made. It’s unclear how Cadelle infects its targets with Backdoor.Cadelspy.
However, Chafer has been observed compromising web servers, likely through SQL injection attacks, to drop Backdoor.Remexi onto victims’ computers. Chafer then uses Remexi to gather user names and passwords to help it spread further across the network.

There is evidence to suggest that the two teams may be connected in some way, though we cannot confirm this. A number of computers experienced both Cadelspy and Remexi infections within a small time window. In one instance, a computer was compromised with Backdoor.Cadelspy just minutes after being infected with Backdoor.Remexi. The Cadelle and Chafer groups also keep the same working hours and focus on similar targets. However, no sharing of C&C infrastructure between the teams has been observed.

If Cadelle and Chafer are not directly linked, then they may be separately working for a single entity. Their victim profile may be of interest to a nation state.

## The victims

Data from Cadelle’s C&C servers shows that a large number of Backdoor.Cadelspy infections affected individual users of Iranian internet service providers (ISPs) and hosting services. This suggests that the majority of victims are based in Iran. There was also a significant number of individual targets that used anonymous proxy services to go online. Reports have shown that many Iranians use these services to access sites that are blocked by the government’s internet censorship measures. Dissidents, activists, and researchers in the region may use these proxies in an attempt to keep their online activities […]

*Figure 1. Backdoor.Cadelspy infections by region*

In terms of targeted organizations, both Cadelle and Chafer seem to be interested in a similar category of organizations, such as airlines and telecom companies.
The affected organizations we were able to identify are mostly based in the Middle East region, in countries such as Saudi Arabia and Afghanistan, while one organization is located in the US.

*Figure 2. Number of unique organizations hit with Backdoor.Cadelspy and Backdoor.Remexi from July 2014 to October 2015*

Our telemetry shows that among more than a dozen entities that experienced Cadelspy and Remexi infections, four were compromised with both threats at some stage. In most instances, victim computers were infected with either Backdoor.Cadelspy or Backdoor.Remexi, not both. Less than five percent of computers were infected with both malware families. In one affected organization, there was intermittent activity between the […]

The malware’s activity on victim computers appears to depend on the targets. One computer that was infected with both Cadelspy and Remexi was a system that ran a SIM card editing application. Other compromised computers included those belonging to web developers, as well as file and database servers.

The nature of the victims suggests that Cadelle and Chafer are primarily interested in tracking individuals’ movements and communications. Compromising regional telcos and airlines can help the attackers achieve this aim.

## Based in Iran?

There are a number of factors in these groups’ campaigns that suggest the attackers may be based in Iran. Cadelle and Chafer are most active during the daytime in Iran’s time zone and primarily operate during Iran’s business week (Saturday through Thursday).

*Figure 3. Cadelle and Chafer’s activity levels by hour in Iran’s time zone (UTC +3.5)*

Additionally, Symantec observed that Backdoor.Cadelspy’s file strings seem to include dates written in the [Solar Hijri calendar](https://en.wikipedia.org/wiki/Solar_Hijri_calendar), which is used in Iran and Afghanistan. While the Gregorian
While the Gregorian](https://en.wikipedia.org/wiki/Solar_Hijri_calendar)** **calendar marks the current year as 2015, the Solar Hijri calendar states that it is 1394.** **When we converted the dates in the file strings from the Solar Hijri calendar to the Gregorian** **one, we found that they were close to the compilation times of the executables and also** **close to when Cadelle’s targets were initially compromised.** **Based on our analysis, we believe that Cadelle and Chafer’s victims are most likely to be of** **interest to an Iranian entity. Cadelle and Chafer are by no means the first Iran-based attack** **t** **Oth** **tt ib t d t** **I** **i** **tt** **k** **h** **R** **k t Kitt** **h** ----- **journalists, and dissidents. Backdoor.Remexi activity in particular is reminiscent of Operation** **[Cleaver, as documented by Cylance, and may possibly be a continuation of that activity.](http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf)** **Cadelle and Chafer’s malware** **The groups use one malware family each to open a back door and steal information from** **the compromised computer. Cadelle uses Backdoor.Cadelspy while Chafer operates with** **Backdoor.Remexi and Backdoor.Remexi.B.** **Cadelspy initially arrives on the computer as a dropper, which downloads two installer** **components catering to whether the victim is running a 32-bit or 64-bit system. 
The dropper then executes the appropriate installer, which launches Cadelspy’s malicious payload and allows it to run whenever any Windows program is executed.

Cadelspy’s main payload contains its back door functionality, allowing the threat to carry out the following activities:

- Log keystrokes and the titles of open windows
- Gather clipboard data and system information
- Steal printer information and any documents that were sent to be printed
- Record audio
- Capture screenshots and webcam photos

Cadelspy compresses all of the stolen data into a .cab file and uploads it to the attacker’s C&C servers. The threat is also able to update its configuration file to gain additional features.

Meanwhile, Chafer’s threat Remexi contains fewer features than Cadelle’s Cadelspy does. Remexi is a basic back door Trojan that allows attackers to open a remote shell on the computer and execute commands. Though this is unsophisticated, a remote shell does provide a highly flexible and powerful means of remote access in the hands of a skilled attacker.

## Mitigation

Cadelle and Chafer’s activities show that attack groups don’t need advanced skills to conduct effective targeted espionage against victims. The two groups’ threats have managed to remain on their targets’ computers for almost a year, potentially giving the attackers access to an enormous amount of sensitive information. They’re also aware that they don’t only have to directly attack the individuals, as they can get to their victims by compromising the services that they use, such as airlines and telcos.

Both Cadelle and Chafer are still active today and we don’t expect to see them end their […]

[…] by these teams should adhere to the following advice:

- Ensure that software on computers and servers is being regularly updated to prevent known vulnerabilities from being exploited
- Treat unsolicited emails with suspicion.
Targeted attacks frequently distribute malware through malicious links and attachments in emails.
- Keep security software up-to-date with the latest definitions

## Protection

[Norton Security, Symantec Endpoint Protection, and other Symantec security products](https://us.norton.com/) protect users against these threats through the following detections:

**AV**

- [Backdoor.Cadelspy](https://www.symantec.com/security_response/writeup.jsp?docid=2015-090808-1754-99)
- [Backdoor.Remexi](https://www.symantec.com/security_response/writeup.jsp?docid=2015-110911-3433-99)
- [Backdoor.Remexi.B](https://www.symantec.com/security_response/writeup.jsp?docid=2015-110911-4128-99)

**IPS**

- [System Infected: Backdoor.Cadelspy Activity 2](http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28849)
- [System Infected: Backdoor.Remexi Activity](http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28967)

## Indicators of compromise

We have also compiled an [indicators-of-compromise document](http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf) containing further details which can be used to help identify the threats if they are present in your environment.

Tags: Security, Security Response, Endpoint Protection (AntiVirus), backdoor.cadelspy, backdoor.remexi, cadelle, chafer, espionage, Iran, middle east, Surveillance
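The IOC document linked above matches known artefacts; behaviour-based detection complements it for the intrusion pattern the post attributes to Chafer, where a web server is compromised (likely through SQL injection) and used to drop a back door that hands the attacker a remote shell. The following Python is an added example, not Symantec’s code and not drawn from the IOC document: it runs two heuristics over constructed, Sysmon-style process-creation records, and the lists of server processes, shells, allowed children and web-content directories are assumptions to be tuned per environment.

```python
"""Behaviour-based detection for the intrusion pattern the post attributes to Chafer:
a web server compromised (likely through SQL injection) and used to drop a back door
that hands the attacker a remote shell. Added example, not Symantec's code and not
drawn from the linked IOC document. The process lists are assumptions to be tuned per
environment, and the events are constructed, Sysmon-style process-creation records.
"""
from dataclasses import dataclass

# Server-side processes that should almost never launch an interactive shell (assumption).
SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "tomcat8.exe", "sqlservr.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh.exe", "bash.exe"}
# Children a web worker spawns legitimately, e.g. ASP.NET compiling views (assumption).
ALLOWED_CHILDREN = {"csc.exe", "cvtres.exe", "vbc.exe"}
# Paths the web server writes to but should never execute from (assumption).
WEB_CONTENT_DIRS = ("c:\\inetpub\\wwwroot\\", "c:\\inetpub\\temp\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class ProcessEvent:
    time: str          # UTC, ISO-8601
    host: str
    parent_image: str
    image: str
    command_line: str


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Name the rule that fires for one process-creation event, or None."""
    parent, child = basename(event.parent_image), basename(event.image)
    if parent not in SERVER_PARENTS or child in ALLOWED_CHILDREN:
        return None
    if child in SHELLS:
        return "server_process_spawned_shell"
    if event.image.lower().startswith(WEB_CONTENT_DIRS):
        return "server_process_executed_web_content"
    return None


def detect(events):
    """Return (rule, event) pairs for every event that trips a rule, in input order."""
    alerts = []
    for event in events:
        rule = classify(event)
        if rule:
            alerts.append((rule, event))
    return alerts


W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    ProcessEvent("2015-06-13T05:31:02Z", "web01", W3WP,
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir C:\\"),
    ProcessEvent("2015-06-13T05:32:40Z", "db01",
                 r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir C:\\"),
    ProcessEvent("2015-06-13T06:10:00Z", "ws07", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe"),              # user opened a prompt
    ProcessEvent("2015-06-13T06:11:15Z", "web01", W3WP,
                 r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
                 "csc.exe /noconfig /t:library"),                          # benign ASP.NET compile
    ProcessEvent("2015-06-13T06:40:07Z", "web02", r"C:\Apache24\bin\httpd.exe",
                 r"C:\inetpub\wwwroot\uploads\svc.exe", "svc.exe"),        # binary run from web content
    ProcessEvent("2015-06-13T07:00:00Z", "web01", r"C:\Windows\System32\svchost.exe",
                 W3WP, "w3wp.exe -ap DefaultAppPool"),                     # IIS starting a worker
]

if __name__ == "__main__":
    for rule, e in detect(SAMPLE_EVENTS):
        print(f"{e.time} {e.host} {rule}: {basename(e.parent_image)} -> {e.image}")
```

On the constructed events the two shells launched by the IIS worker and the SQL Server service and the binary executed from the web upload directory are flagged, while a user’s command prompt, an ASP.NET compile and IIS starting its own worker are not; the allow-list is what keeps the first rule usable on real ASP.NET hosts, and it should be built from a baseline of the server’s normal child processes rather than guessed.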