Latest Update 18/03/2026

Threats Feed

  1. Public

    Iranian APT39 Uses Android Malware for Domestic Surveillance

    The ReversingLabs analysis, based on an FBI report, shows that the Iranian-backed APT39 (Rana Corp) is using Android malware for state-sponsored surveillance, primarily against individuals the Iranian government deems a threat. The malware abuses smartphone features such as the camera and microphone to spy on users: it can intercept SMS, record audio, take photos and manipulate network connections. The samples are obfuscated, but analysis of an older sample revealed the core capabilities for remote monitoring and control. The malware specifically monitors Iranian messaging apps, which points to domestic surveillance; targets include political dissidents and other individuals of interest within Iran.

  2. Public

    Iranian APT39 Targets Global Sectors with Sophisticated Malware Campaign

    Rana Intelligence Computing Company (APT39) is an Iranian front company for the Ministry of Intelligence and Security (MOIS) that conducts cyber operations in Asia, Africa, Europe and North America. Its primary targets are the travel, telecommunications, hospitality, academic and government sectors. Rana delivered its malware via spearphishing and relied on Visual Basic, PowerShell and AutoIt scripts, as well as malware abusing the Background Intelligent Transfer Service (BITS), to steal data, track individuals and maintain persistence. The campaign targeted more than 15 US companies and used scheduled tasks, encryption and obfuscation to evade detection. Rana also deployed Android malware with root-level capabilities for C2 communications, audio recording and photo capture.

  3. Public

    The Invisible Threat: Chafer's Advanced Backdoor Malware Analysis

    The report provides a comprehensive analysis of a 64-bit backdoor executable associated with the Chafer APT group. The malware uses process injection, task scheduling and data obfuscation, and automates the exfiltration of collected information. It communicates with its C2 server via HTTP POST requests and encrypts its data and operations with RC4 and Blowfish. Unusually, it disguises its activity by creating CAB files with non-standard prefixes and encrypting the data so that the operation resembles routine system activity.
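    A hunting check for the CAB-staging behaviour described above, written for this page as an added example and not taken from the report: it identifies Cabinet files by the CFHEADER magic rather than trusting the file name, so a CAB written under a temp-file or otherwise unexpected name is still recognised, and it also flags cabinets whose declared size disagrees with the file on disk. The report does not say which prefixes the backdoor uses, so the example uses a `.cab` extension as the stand-in naming expectation; that expectation, the temp-style names and the sample bytes are constructed assumptions.

```python
import os
import struct

# CFHEADER, the 36-byte header every Microsoft Cabinet starts with:
#   signature "MSCF", reserved1, cbCabinet (total file size), reserved2,
#   coffFiles (offset of the first CFFILE entry), reserved3,
#   versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet.
CAB_MAGIC = b"MSCF"
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")


def parse_cfheader(data):
    """Parse a CFHEADER from the start of `data`; return None if it is not a CAB."""
    if len(data) < CFHEADER.size or data[:4] != CAB_MAGIC:
        return None
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3,
     ver_minor, ver_major, c_folders, c_files,
     flags, set_id, i_cabinet) = CFHEADER.unpack_from(data)
    return {
        "size": cb_cabinet,
        "first_file_offset": coff_files,
        "version": (ver_major, ver_minor),
        "folders": c_folders,
        "files": c_files,
        "flags": flags,
        "set_id": set_id,
        "cabinet_index": i_cabinet,
    }


def audit_cab(name, head, actual_size=None, expected_ext=".cab"):
    """Return reasons a file with CAB magic looks disguised or malformed.

    `head` is at least the first 36 bytes; `actual_size` is the real file
    size (defaults to len(head)). An empty list means nothing stood out.
    Expecting a ".cab" extension is an assumption made for this example.
    """
    hdr = parse_cfheader(head)
    if hdr is None:
        return []
    if actual_size is None:
        actual_size = len(head)
    reasons = []
    if not name.lower().endswith(expected_ext):
        reasons.append("CAB signature but name %r does not end in %s" % (name, expected_ext))
    if hdr["size"] != actual_size:
        reasons.append("declared cabinet size %d != on-disk size %d" % (hdr["size"], actual_size))
    if hdr["version"] != (1, 3):
        reasons.append("unexpected CFHEADER version %r" % (hdr["version"],))
    return reasons


def scan_directory(root, expected_ext=".cab"):
    """Walk `root`; map each suspicious path to its list of reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(CFHEADER.size)
                size = os.path.getsize(path)
            except OSError:
                continue
            reasons = audit_cab(fn, head, size, expected_ext)
            if reasons:
                findings[path] = reasons
    return findings


def build_sample_cab(total_size=256, n_folders=1, n_files=2):
    """Constructed sample: a valid CFHEADER padded with zeros (not a real archive)."""
    hdr = CFHEADER.pack(CAB_MAGIC, 0, total_size, 0, CFHEADER.size + 8, 0,
                        3, 1, n_folders, n_files, 0, 0x1234, 0)
    return hdr + b"\x00" * (total_size - len(hdr))


def demo():
    """Write three constructed files to a temp dir and return the flagged names."""
    import tempfile
    data = build_sample_cab()
    with tempfile.TemporaryDirectory() as d:
        for fn, body in (("update.cab", data),      # properly named cabinet
                         ("~DF3A1B.tmp", data),     # CAB magic under a temp-file name
                         ("notes.txt", b"plain")):  # not a cabinet at all
            with open(os.path.join(d, fn), "wb") as fh:
                fh.write(body)
        return sorted(os.path.basename(p) for p in scan_directory(d))


if __name__ == "__main__":
    print(demo())
```

    Reading only the first 36 bytes keeps the walk cheap on large trees; the size check catches truncated or still-being-written cabinets, which is where staged exfiltration archives tend to show up. Any hit still needs a look at the CFFILE entries before it is called malicious, since installers and Windows Update legitimately write cabinets under unusual names.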

  4. Public

    Chafer's Rising Ambitions: New Tools and Tactics in the Cyber Threat Landscape

    The Iran-based attack group Chafer escalated its operations in 2017, striking more organizations within and beyond the Middle East. Using several new tools, it targeted airlines, telecoms services and IT services for the transport sector, among others. Chafer sought to infiltrate a major telecoms services provider and an international travel reservations firm, most likely with widespread surveillance as the goal. The group used malicious documents, SQL injection attacks and newly adopted open-source tools to compromise targets. These activities indicate a growing threat, especially as Chafer is increasingly attacking supply chains.
