Threats Feed | Chafer | Last Updated: 09/03/2026 | Author: Certfa Radar | Publish Date: 21/03/2019

The Invisible Threat: Chafer's Advanced Backdoor Malware Analysis

  • Actor Motivations: Exfiltration
  • Attack Vectors: Backdoor, Malware
  • Attack Complexity: Medium
  • Threat Risk: Unknown

Threat Overview

The report provides a comprehensive analysis of a 64-bit backdoor executable associated with the Chafer APT group. The malware utilizes complex features such as process injection, task scheduling, and data obfuscation, along with automated exfiltration of information. It communicates with its C2 server via POST requests and employs encryption algorithms like RC4 and Blowfish to conceal its data and operations. Unusually, it masquerades by creating CAB files with non-standard prefixes and encrypting data in a manner that appears like a routine system operation.

Extracted IOCs

  • nvidia-services[.]com
  • sabre-css[.]com
  • 12f79030e73030e127ae3ec5ab16b51cd5f7812e786e6d23fc54b5820f5f3064
  • b30eb3173b7241e851bad230a472f05cb2313c24b89eade88a8cb19793d89f66
  • bc32bf55e841052a095c27cea558577fa947fdf8b7d95beca0c5725dbd00324d
  • d3ecd0e5f6dd6b6fa1e8fdad7e0ec9b1020e5bb0b9e64f76d2148f1b24ca7779

Tip: 6 related IOCs (0 IP, 2 domain, 0 URL, 0 email, 4 file hash) to this threat have been found.

Overlaps

ITG07 | Unveiling TREKX: ITG07's Weapon of Choice for Intrusion in the Transportation Sector

Source: IBM Security Intelligence - June 2019

Detection (two cases): nvidia-services[.]com, sabre-css[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

64-Bit Service Malware Analysis

A malicious 64-bit program was identified that attempts to install itself on computer systems to secretly communicate with an attacker. Once running, it sets up hidden folders, reaches out to a remote server for instructions, and runs hidden commands on the infected computer.

The provided technical report focuses solely on how the malware functions and does not attribute the software to a specific threat actor, hacking group, or country.

The primary goal of this malware is to gain unauthorized, hidden control over a system. It is designed to secretly receive commands from attackers, execute those commands to gather system information or data, and quietly send the results back out to the attacker's server.

The source report does not contain information regarding the specific victims, industries, or the broader scope of the targeting campaign. It is a technical breakdown of the malware's internal mechanics.

The malware requires administrator rights to run properly. Once it has those rights, it disguises itself as a background system service, creates temporary folders to hold data, and uses strong, custom encryption to hide both its communications and the data it steals.

While the report doesn't specify the victims, the malware's design—requiring administrative control and featuring complex methods to hide the data it collects—suggests the attackers are looking to maintain long-term access to highly sensitive or valuable network environments.

Organizations should ensure that users do not have unnecessary administrator rights, as this malware relies on them to run. Defenders should also update their security software to look for the specific fake file headers (like "TREX") and unusual network traffic patterns described in the analysis.

The provided documentation does not specify the scale of the threat. It details the technical behavior of the file rather than the overall spread of the campaign.