Threats Feed
Iranian APT39 Targets Global Sectors with Sophisticated Malware Campaign
Rana Intelligence Computing Company (APT39) is an Iranian front group for the Ministry of Intelligence and Security (MOIS) that conducts cyber operations in Asia, Africa, Europe and North America. Its primary targets include the travel, telecommunications, hospitality, academic, and government sectors. Rana delivered malware via spearphishing, relying on Visual Basic, PowerShell and AutoIt scripts as well as BITS-based malware to steal data, track individuals and maintain persistence. Its campaign targeted over 15 US companies and used scheduled tasks, encryption and obfuscation techniques to evade detection. Rana also deployed Android malware with root access capabilities for C2 communications, audio recording, and photo capture.
The Invisible Threat: Chafer's Advanced Backdoor Malware Analysis
The report provides a comprehensive analysis of a 64-bit backdoor executable associated with the Chafer APT group. The malware combines process injection, task scheduling, and data obfuscation with automated exfiltration of information. It communicates with its C2 server via POST requests and uses the RC4 and Blowfish encryption algorithms to conceal its data and operations. Unusually, it disguises its activity by creating CAB files with non-standard prefixes and encrypting data in a way that resembles a routine system operation.
Chafer's Rising Ambitions: New Tools and Tactics in the Cyber Threat Landscape
The Iran-based attack group Chafer escalated its operations in 2017, striking more organizations both within and beyond the Middle East. Using several new tools, it targeted sectors including airlines, telecoms services, and IT services for the transport sector, among others. Chafer sought to infiltrate a major telecoms services provider and an international travel reservations firm, likely aiming for widespread surveillance. The group employed malicious documents, SQL injection attacks, and newly adopted open-source tools to compromise targets. These activities indicate a growing threat, especially as Chafer shows a rising trend in attacks on supply chains.