Iran-based hacker groups have traditionally concentrated more on website defacement and DDoS attacks aimed at making a political statement, but as time passes, some of those groups and their attack methods and aims have evolved.
FireEye researchers have released a report on the activities of one such group – the Ajax Security Team – which started operating in 2010. The group started with the DDoSing and site defacements, but now, four years later, they have transitioned to malware-based espionage.
Their targets are US-based defense companies, as well as Iranian citizens that might be using popular Internet anti-censorship tools.
Their main aim is to make targets download information-stealing malware, and they do it by sending spear phishing emails and private messages via social media to lure targets to specially set up pages from which the malware – masquerading as some legitimate and helpful piece of software – is then downloaded.
The malware – dubbed by them “Stealer” – has several components, and gathers system information, takes screenshots, logs keystrokes, tracks credentials, bookmarks and history from major browsers, collects email account information, and more.
They are also after security credentials, so they often set up fake VPN login pages, Outlook Web Access login pages, and so on.
“The objectives of this group are consistent with Iran’s efforts at controlling political dissent and expanding offensive cyber capabilities, but we believe that members of the group may also be dabbling in traditional cybercrime,” the researchers commented.
“The capabilities of the Ajax Security Team remain unclear. This group uses at least one malware family that is not publicly available. We have not directly observed the Ajax Security Team use exploits to deliver malware, but it is unclear if they or other Iranian actors are capable of producing or acquiring exploit code.”
For more detailed information about the group’s members, tactics, and the malware and infrastructure they use, check out the full report.