Remexi

Malware updated 4 months ago (2024-05-04T19:25:29.260Z)
Remexi is malware first reported by Symantec in 2015, used by Iran-based attackers for cyber-espionage operations in the Middle East. Written in C and compiled with GCC on Windows in the MinGW environment, Remexi is a backdoor Trojan that lets attackers open a remote shell on a compromised computer and execute commands. It uses the Microsoft Background Intelligent Transfer Service (BITS) both to receive command-and-control (C2) commands and to exfiltrate data over HTTP. Despite extensive telemetry, there is no concrete evidence yet of how Remexi propagates.

The malware's features include logging keystrokes, taking screenshots of windows of interest, stealing credentials and browser history, and executing remote commands. It deploys several modules in its working directory, covering configuration decryption and parsing, victim activity logging launched as a separate module, and seven threads that carry out different espionage and auxiliary functions. Notably, the developers of Remexi rely heavily on legitimate Microsoft utilities.

Remexi has been attributed to the Advanced Persistent Threat (APT) actor known as Chafer. In some cases it was found on systems alongside another threat, Cadelspy, although Remexi has fewer features than Cadelspy. Among more than a dozen entities that experienced Cadelspy and Remexi infections, four were compromised with both threats at some stage, sometimes within a short time window. One notable case involved a system running a SIM card editing application. Chafer uses Remexi to harvest usernames and passwords that help it spread further across networks. This suggests that an improved version of Remexi may be part of a domestic cyber-espionage operation.
Description last updated: 2024-05-04T18:42:49.712Z
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Source Document References
Information about the Remexi malware was read from the documents in the corpus below (display limited to 20 results).

Source | Created At | Title
MITRE | 2 years ago | Endpoint Protection - Symantec Enterprise
MITRE | 2 years ago | Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities