Symantec detects two distinct cyber-espionage groups

Dec 8, 2015 18:26 GMT  ·  By

Two hacking groups that fit the profile of state-sponsored threats are using backdoors to spy on targets in Iran and other nations in the Middle East, a Symantec threat report reveals.

The two groups are codenamed Cadelle and Chafer, and Symantec says that they don't seem to be connected.

Each group has between five and ten members, and each has its own custom-developed backdoor. Cadelle uses Backdoor.Cadelle, while Symantec detected Chafer using trojans like Backdoor.Remexi and Backdoor.Remexi.B.

Both Backdoor.Cadelle and Backdoor.Remexi are powerful backdoors, capable of opening connections and helping the attackers steal data from infected systems.

Symantec says that both groups target political dissidents in Iran, as well as airports and telecommunications companies in other Middle Eastern countries. The likely purpose of their activity is to monitor the movements of selected targets.

Although the two groups don't share any technical infrastructure, the researchers say that some of their targets do overlap.

Detected in 2014, may have been active before that

Security researchers say that the first attacks using these backdoors were seen in July 2014, but clues in each backdoor's code suggest they may have been in use as early as 2011, when the C&C domain names were registered, or 2012, the earliest compilation timestamps found in the executables.

While Symantec has no details on how Cadelle infects its targets, it says that Chafer uses SQL injection to compromise servers and drop Backdoor.Remexi.

Once installed on a target, both backdoors can be used to gather and steal passwords, intercept document print commands, record audio via the infected device, take screenshots, record webcam feeds, log keystrokes, log opened applications, and gather system and clipboard information.

For some targets, some of the backdoors managed to remain undetected for over a year. Symantec says that the two groups are still very active.

Figure: Cadelle and Chafer activity across time
