The Iranian hacking group, which calls itself the “Ajax Security Team”, was quite famous from last few years for websites defacement attacks, and then suddenly they went into dark since past few months. But that doesn't mean that the group was inactive, rather defacing the websites, the group was planning something bigger.
The Group of hackers at Ajax Security Team last defaced a website in December 2013 and after that it transitioned to sophisticated malware-based espionage campaigns in order to target U.S. defense organizations and Iranian dissidents, according to the report released by FireEye researchers.
“The transition from patriotic hacking to cyber espionage is not an uncommon phenomenon. It typically follows an increasing politicization within the hacking community, particularly around geopolitical events,” researchers Nart Villeneuve, Ned Moran, Thoufique Haq and Mike Scott wrote in the report. “This is followed by increasing links between the hacking community and the state, particularly military and/or intelligence organizations.”
The security firm has been tracking the activities of the hacking group on online forums and identified some of the group's prominent members by their screen names, "HUrr1c4nE!" and "Cair3x."
FireEye found that the Ajax Security Team appeared to be formed in 2010, have stopped the website defacement attacks and started more targeted attacks with the aim to retrieve the information from systems through their own custom designed malware.
The group dubbed the malware as ‘Stealer,’ which isn't particularly much advanced like the malwares are today, still very effective and sophisticated.
Stealer uses common techniques to steal credential data and is built into a CAB extractor. Once activated, the extractor drop a malware called IntelRS.exe, which adds a backdoor to the target system that communicates with command-and-control servers over FTP, keylogger and screenshot-grabbing tools.
The malware has capability to steal browser information such as bookmarks and history and also collects system information such as running processes, IP addresses and many more.
In the report titled “Operation Saffron Rose”, the malware campaign disclosed that the team used email, inbox messages over various social networks, fake login pages and the propagation of anti-censorship software infected with malware to lure targets into installing malicious software and revealing credentials from their machines.
In one case, the group targeted the Western Defense companies, particularly those in the Aerospace industry, using a fake registration page impersonating the IEEE Aerospace conference. In order to do this, first the group registered the domain aeroconf2014[.]org, similar to the legitimate conference domain, and then sent out emails to companies in the field with a link to their fake site.
Once they visited the site and tries to register themselves for the conference, they would be prompted to install proxy software in order to access the website. But, the software was actually a Stealer malware, FireEye said.
In addition to it, the attackers also used phishing emails to grab credentials for a variety of online services such as Outlook Web Access and VPN logins.
“The increased politicization of the Ajax Security Team, and the transition from nuisance defacements to operations against internal dissidents and foreign targets, coincides with moves by Iran aimed at increasing offensive cyber capabilities,” the security firm concluded. “While the relationship between actors such as the Ajax Security Team and the Iranian government remains unclear, their activities appear to align with Iranian government political objectives.”
The researcher also discovered a command-and-control server used by the group to store victims’ stolen data and recovered the data of 77 infected victims targeted by the group. Most of the victims had their computers set to Iran's time zone and Persian language. The firm also unearthed evidence the group targeted U.S. defense contractors.
FireEye states that the objectives of Ajax team are apparently consistent with the efforts of Iranian government to control political opposition and to expand its offensive cyber capabilities.