
Cadelle and Chafer, Iranian hackers are tracking dissidents and activists

Symantec has uncovered Cadelle and Chafer groups, two Iran-based hacking teams that are tracking dissidents and activists.

According to a new report published by Symantec, Iranian hackers have been using malware to track individuals, including Iranian activists and dissidents.

The researchers have identified two groups of Iran-based hackers, dubbed Cadelle and Chafer, which have been distributing data-stealing malware since at least mid-2014. The experts also uncovered the groups' command-and-control servers and explained that the domain registration details indicate the Iranian hackers may have been operating since 2011.

A number of indicators suggest that both groups are based in Iran: the Cadelle and Chafer teams are most active during daytime in Iran's time zone and primarily operate during Iran's business week (Saturday through Thursday).

“Two Iran-based attack groups that appear to be connected, Cadelle and Chafer, have been using Backdoor.Cadelspy and Backdoor.Remexi to spy on Iranian individuals and Middle Eastern organizations,” states a report published by Symantec.

Although the custom-made malware used by the hackers isn't particularly sophisticated, the attackers remained under the radar for a long time and gained access to “an enormous amount of sensitive information.”

Let's take a closer look at the malware used by the Iran-based hackers: Cadelle uses a piece of malware called Backdoor.Cadelspy, while Chafer relies on Backdoor.Remexi.

The researchers collected evidence suggesting that the two teams may be connected. Chafer compromised web servers, likely through SQL injection attacks, to drop Backdoor.Remexi onto targeted systems. The Remexi backdoor was then used to gain control over the victim's PC and steal user login credentials for lateral movement.

The analysis of Cadelspy’s file strings revealed that some dates use the Solar Hijri calendar format, a format very common in Afghanistan and Iran.
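The two location clues described above, the Iran time-zone working hours and the Solar Hijri date strings, as an added Python example that is not Symantec's or the article's code: it shifts constructed C2 check-in timestamps into Iran Standard Time, measures how much activity falls on the Saturday-to-Thursday business week and within working hours, and flags Solar Hijri-looking dates in constructed binary strings. The UTC+03:30 offset (no DST modelling), the 08:00-18:00 working window and all sample data are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Iran Standard Time, UTC+03:30 (assumption: winter dates, so DST is not modelled)
IRAN_TZ = timezone(timedelta(hours=3, minutes=30))
# Python weekday(): Mon=0 ... Sun=6. Iranian business week is Sat-Thu, Friday off.
IRAN_BUSINESS_DAYS = {5, 6, 0, 1, 2, 3}
# Plausible Solar Hijri date (year 13xx/14xx, month 01-12, day 01-31), e.g. 1394/09/14
SOLAR_HIJRI_DATE = re.compile(r"\b1[34]\d{2}[/-](0[1-9]|1[0-2])[/-](0[1-9]|[12]\d|3[01])\b")

def activity_profile(utc_iso_timestamps, tz=IRAN_TZ, start_hour=8, end_hour=18):
    """Shift UTC event times into the candidate time zone and measure how much of
    the activity falls on local business days and within local working hours."""
    weekdays = Counter()
    on_business_day = in_working_hours = 0
    for ts in utc_iso_timestamps:
        local = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(tz)
        weekdays[local.strftime("%a")] += 1
        if local.weekday() in IRAN_BUSINESS_DAYS:
            on_business_day += 1
            if start_hour <= local.hour < end_hour:
                in_working_hours += 1
    n = len(utc_iso_timestamps)
    return {
        "events": n,
        "business_day_fraction": on_business_day / n,
        "working_hour_fraction": in_working_hours / n,
        "weekday_counts": dict(weekdays),
    }

def solar_hijri_dates(strings):
    """Return the extracted strings that contain a Solar Hijri-looking date."""
    return [s for s in strings if SOLAR_HIJRI_DATE.search(s)]

# Constructed sample: C2 check-in times (UTC) for an imaginary implant.
SAMPLE_CHECKINS = [
    "2015-12-05T06:00:00Z", "2015-12-06T07:30:00Z", "2015-12-07T10:00:00Z",
    "2015-12-08T12:15:00Z", "2015-12-09T05:00:00Z", "2015-12-10T13:45:00Z",
    "2015-12-11T08:00:00Z",  # Friday in Tehran: outside the Sat-Thu week
    "2015-12-12T20:30:00Z", "2015-12-14T18:30:00Z", "2015-12-15T04:00:00Z",
]
# Constructed sample: strings extracted from a hypothetical binary
SAMPLE_STRINGS = ["build 1394/09/14", "log 2015-12-05", "version 2.1"]

if __name__ == "__main__":
    print(activity_profile(SAMPLE_CHECKINS))
    print(solar_hijri_dates(SAMPLE_STRINGS))
```

Run the same profile against other candidate time zones; the one where most activity lands on business days and in working hours is the stronger, though never conclusive, attribution signal.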

Most of the affected organizations are based in the Middle East, in countries such as Saudi Arabia and Afghanistan, while one victim organization is located in the US.

Both groups are small; the experts at Symantec estimate each is composed of five to 10 people, but the two groups don't share the same attack infrastructure.

“The Cadelle and Chafer groups also keep the same working hours and focus on similar targets. However, no sharing of C&C infrastructure between the teams has been observed.” reads the report.

“If Cadelle and Chafer are not directly linked, then they may be separately working for a single entity. Their victim profile may be of interest to a nation state.”

Another interesting aspect of the two Iran-based groups is that several machines were found infected with both Cadelspy and Remexi, with the infections occurring within minutes of one another.

“One computer that was infected with both Cadelspy and Remexi was a system that ran a SIM card editing application,” Symantec wrote. “Other compromised computers included those belonging to web developers or are file and database servers.”

The malware also targeted people using anonymous proxies, used by activists and dissidents to hide their identity online and avoid censorship.

“Reports have shown that many Iranians avail of these services to access sites that are blocked by the government’s Internet censorship,” Symantec wrote. “Dissidents, activists, and researchers in the region may use these proxies in an attempt to keep their online activities private.”

Symantec confirmed that Cadelle and Chafer are still active today and will continue their operations.


Pierluigi Paganini

(Security Affairs – Cadelle and Chafer, Iran-based hackers)
