
Rewterz Threat Alert – Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia

May 21, 2020

Severity

High

Analysis Summary

The Iranian Chafer APT targeted air transportation and government organizations in Kuwait and Saudi Arabia in two separate campaigns; the likely objective of both was data exploration and exfiltration. In the Kuwait attack the threat actors created their own user account, while in the Saudi Arabia attack they relied on social engineering to compromise victims.

Kuwait attack

The first signs of compromise were several reverse TCP files and PowerShell commands that executed base64-encoded, compressed code specific to the Metasploit framework. Once the victims were compromised, the attackers brought in reconnaissance tools for network scanning (“xnet.exe”, “shareo.exe”) and credential gathering (“mnl.exe”, “mimi32.exe”), as well as multi-purpose tools such as CrackMapExec (user enumeration, share listing, credential harvesting and so on). Once they had a foothold inside the company, they began installing custom modules: a modified Plink (wehsvc.exe) installed as a service, and a backdoor (imjpuexa.exe) that was also executed as a service on some machines.

Saudi Arabia attack

The initial compromise was achieved through social engineering. The RAT component was located in the %Download% folder, the default destination for any download, and its parent process was explorer.exe, indicating that the user executed the malicious file. The RAT was also executed twice under different names (“drivers.exe” and “drivers_x64.exe”). Internal network reconnaissance appears to have been performed with the “etblscanner.exe” tool. Three different RAT components were observed in use.
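Hunting logic for the behaviours described in the Kuwait and Saudi Arabia campaigns above (an added example, not Rewterz's or the advisory's own tooling): it scans constructed Sysmon-style process-creation events for the PowerShell base64/compressed stager pattern, the tool names the advisory lists, the custom modules running as services, and a binary launched from the Downloads folder by explorer.exe. The sample events and paths are constructed; the field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine).

```python
"""Hunting rules derived from the Chafer advisory (added example, not vendor code)."""
import re
from typing import Dict, List

# Binary names taken from the advisory text
NAMED_TOOLS = {"xnet.exe", "shareo.exe", "mnl.exe", "mimi32.exe", "crackmapexec.exe",
               "wehsvc.exe", "imjpuexa.exe", "etblscanner.exe", "drivers.exe", "drivers_x64.exe"}
SERVICE_BINARIES = {"wehsvc.exe", "imjpuexa.exe"}  # custom modules run as services
# -EncodedCommand with a long base64 blob, or inline base64 decode + stream decompression
ENCODED_CMD = re.compile(r"-e(c|nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}", re.I)
B64_DECODE = re.compile(r"FromBase64String", re.I)
DECOMPRESS = re.compile(r"IO\.Compression\.(Gzip|Deflate)Stream", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the rule names a single process-creation event trips (empty = clean)."""
    hits: List[str] = []
    image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    if image == "powershell.exe" and (ENCODED_CMD.search(cmd)
                                      or (B64_DECODE.search(cmd) and DECOMPRESS.search(cmd))):
        hits.append("powershell_base64_compressed_stager")
    if image in NAMED_TOOLS:
        hits.append("chafer_named_tool")
    if image in SERVICE_BINARIES and parent == "services.exe":
        hits.append("custom_module_running_as_service")
    if parent == "explorer.exe" and "\\downloads\\" in ev["Image"].lower():
        hits.append("user_executed_binary_from_downloads")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged image name to the rules it tripped."""
    return {basename(e["Image"]): classify(e) for e in events if classify(e)}


# Constructed sample telemetry modelled on the advisory's description (not real logs)
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::"
                    "FromBase64String('BASE64_PLACEHOLDER'));IEX (New-Object IO.StreamReader("
                    "New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]"
                    "::Decompress))).ReadToEnd()"},
    {"Image": r"C:\Windows\Temp\mimi32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "mimi32.exe"},
    {"Image": r"C:\Windows\wehsvc.exe", "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "wehsvc.exe"},
    {"Image": r"C:\Users\victim\Downloads\drivers_x64.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "drivers_x64.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]
```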

Impact

Data exfiltration

Indicators of Compromise


Remediation

Block all threat indicators at your respective controls.
Always be suspicious about emails sent by unknown senders.
Never click on links or attachments sent by unknown senders.
