Malware Profile Updated 2 months ago
Remexi is malware first reported by Symantec in 2015, used by Iran-based attackers for cyber-espionage operations in the Middle East. Written in C and built with GCC on Windows in the MinGW environment, Remexi is a backdoor Trojan that lets attackers open a remote shell on a compromised computer and execute commands. It uses the Microsoft Background Intelligent Transfer Service (BITS) both to receive command and control (C2) commands and to exfiltrate data over HTTP. Despite extensive telemetry, there is no concrete evidence yet of how Remexi propagates.

The malware's features include logging keystrokes, taking screenshots of windows of interest, stealing credentials and browser history, and executing remote commands. Its working directory holds several modules: one decrypts and parses the configuration, a separate module logs victim activity, and seven threads carry out different espionage and auxiliary functions. Notably, the developers of Remexi rely heavily on legitimate Microsoft utilities.

Remexi has been associated with the Advanced Persistent Threat (APT) actor known as Chafer. In some instances it was found on systems alongside another threat, Cadelspy, although Remexi has fewer features than Cadelspy. Of more than a dozen entities that experienced Cadelspy and Remexi infections, four were compromised with both threats at some stage, sometimes within a small time window. One notable case involved a system running a SIM card editing application. Chafer uses Remexi to gather usernames and passwords that help it spread further across networks. This suggests that an improved version of Remexi might be part of a domestic cyber-espionage operation.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
Cadelspy is a type of malware that has recently been infecting computers, compromising their security and stealing sensitive data. The malware infiltrates the system as a dropper, downloading two installer components based on whether the victim's system is 32-bit or 64-bit. Once inside, it executes
Associated Threat Actors
Chafer, also known as APT39 or Helix Kitten, is an Advanced Persistent Threat (APT) actor linked to Iran and has been actively tracked by cybersecurity firms such as Symantec and FireEye for over four years. Chafer's activities primarily involve utilizing open-source tools to target entities perceiv
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Remexi malware was read from the documents in the corpus below.

- Endpoint Protection - Symantec Enterprise
- Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities