Iranian APT attacks critical infrastructure in Kuwait and Saudi Arabia
Bitdefender experts have reported a cyber espionage campaign run by the group Chafer APT (also known as APT39 or Remix Kitten). The group previously attacked the telecommunications and tourism industries in the Middle East to collect confidential information that serves Iran's geopolitical interests. According to the experts, some of the attacks date back to 2018.
APT39 gains initial access through phishing emails with malicious attachments and then uses a variety of backdoors to escalate privileges, perform internal reconnaissance and maintain persistence.
During the attacks on companies and organizations in Kuwait, the attackers created a user account on victims' computers and carried out malicious actions on the network, including scanning it with the CrackMapExec tool to probe the Windows / Active Directory environment, collecting user credentials with the Mimikatz tool, and moving laterally between hosts. As the experts noted, most of the activity took place on Friday and Saturday, coinciding with the weekend in the Middle East.
An attack on organizations in Saudi Arabia relied on social engineering to trick a victim into launching a Remote Access Tool (RAT). One of the detected components, “snmp.exe”, is also present on some victims' systems in Kuwait under the name “imjpuexa.exe”, indicating a connection between the two sets of attacks.
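The two observations above that a defender can turn into detection logic are the user accounts created during the regional Friday/Saturday weekend and the component names snmp.exe / imjpuexa.exe seen in both countries. The following triage script is an added example, not code from Bitdefender or the report; the event records, host names and user names are constructed, and the event shape is a simplified stand-in for Windows security log fields.

```python
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample events (not logs from the campaign), simplified from the
# fields a Windows account-creation or process-start record would carry.
SAMPLE_EVENTS = [
    {"ts": "2019-02-08T22:14:00", "event": "account_created", "host": "srv01", "user": "svc_backup2"},
    {"ts": "2019-02-09T01:30:00", "event": "process_start", "host": "srv01", "image": r"C:\Windows\Temp\imjpuexa.exe"},
    {"ts": "2019-02-12T09:05:00", "event": "account_created", "host": "ws07", "user": "j.doe"},
    {"ts": "2019-02-12T09:06:00", "event": "process_start", "host": "ws07", "image": r"C:\Windows\explorer.exe"},
]

REPORTED_COMPONENTS = {"snmp.exe", "imjpuexa.exe"}  # names given in the report
MIDEAST_WEEKEND = {4, 5}  # datetime.weekday(): Friday=4, Saturday=5


def is_mideast_weekend(ts: str) -> bool:
    """True when the ISO-8601 timestamp falls on a Friday or Saturday."""
    return datetime.fromisoformat(ts).weekday() in MIDEAST_WEEKEND


def triage(events):
    """Return one finding per suspicious event, then escalate any host where a
    weekend account creation and a reported component name both occur."""
    findings = []
    for ev in events:
        if ev["event"] == "account_created" and is_mideast_weekend(ev["ts"]):
            findings.append({"host": ev["host"], "ts": ev["ts"],
                             "rule": "weekend_account_creation", "detail": ev["user"]})
        elif ev["event"] == "process_start":
            name = PureWindowsPath(ev["image"]).name.lower()
            if name in REPORTED_COMPONENTS:
                findings.append({"host": ev["host"], "ts": ev["ts"],
                                 "rule": "reported_component_name", "detail": name})
    # Each signal alone has benign explanations (an admin on a Friday shift, a
    # legitimate binary that happens to be called snmp.exe); together they warrant review.
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    for host, rules in by_host.items():
        if {"weekend_account_creation", "reported_component_name"} <= rules:
            findings.append({"host": host, "ts": None, "rule": "escalate_host",
                             "detail": sorted(rules)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On the constructed input only srv01 is flagged: its account creation on Friday 8 Feb and the imjpuexa.exe start on Saturday 9 Feb combine into an escalation, while the Tuesday activity on ws07 produces nothing.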