FireEye has published a report (PDF) outlining sophisticated malware based espionage campaigns targeting U.S. defense organizations and Iranian dissidents. The group called “The Ajax Security Team” has been escalating their activities from website defacement to more targeted attacks with the goal of retrieving information from systems through custom developed malware.
The malware is delivered to targets through spearphishing methods via email and social media private messages, fake login pages and through anti-censorship/privacy applications infected with malware.
In FireEye’s investigation they found that in one case an email appearing to be for a IEEE Aerospace conference complete with the use of a fake domain “aeroconf2014.org” which brought the target to a website built by the attackers. The target would have to install an application for a “proxy server” to be infected. They also spoofed login pages for Outline, VPN and other services.
The campaign also appears to be targeting Iranians inside their borders, as anti-censorship tools used to get around Iranian ISP filtering as versions of legitimate anti-censorship software were planted with malware and distributed.
The malware used in the campaign has been termed “Stealer” malware. The executable is a CAB extractor file that drops IntelRS.exe. This file then drops additional components. The various components are designed to steal data from the target host. Data exfiltration is conducted via FTP by AppTransferWiz.dll which functions as an FTP client.
The malware was discovered to steal data from different parts of the system including:
- System info: Hostname, IP address, username, time stamp, open ports, applications installed, processes
- Key logging
- Instant messaging account information (Gtalk, Pidgin, Yahoo, Skype)
- Credentials from browsers (Chrome, Firefox, Opera), as well as bookmarks and history
- Email account information
- Proxy software configuration data
- Data from browser cookies
- Internet Explorer accounts
- Remote desktop accounts