The Remexi spyware has been improved and retooled.
An Iran-linked APT known as Chafer has been targeting entities based in Iran with an enhanced version of its custom malware, and the victimology suggests the group is running a cyber-espionage operation against diplomats there.
Over the course of the autumn, analysts at Kaspersky Lab observed attackers targeting embassies with an improved version of Remexi, malware Chafer has used in the past. Remexi is spyware: it logs keystrokes, captures screenshots and harvests browser data such as cookies and history, then exfiltrates the lot.
Remexi's developers wrote the latest version in C and built it with GCC under MinGW on Windows; the sample carries a March 2018 compile timestamp.
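The two build facts above (GCC/MinGW toolchain, March 2018 timestamp) are exactly what an analyst pulls out of a PE during first-pass triage. The script below is an added example, not code from the article or from Kaspersky: it reads the COFF TimeDateStamp straight from the PE header, looks for the `GCC: (GNU) x.y.z` version string and `mingw` CRT markers that MinGW builds normally leave in the binary, and flags zero or future timestamps as unreliable, since the field is attacker-controlled and trivially forged. It runs on a constructed stand-in file built inline, not a real Remexi sample; the artifact heuristics are general observations about MinGW output, not signatures from the report.

```python
"""PE triage helper: compile timestamp plus GCC/MinGW build-chain artifacts.

Added example, not code from the article or from Kaspersky; it relies only on
the public PE layout and on strings MinGW/GCC builds typically leave behind.
"""
import datetime
import re
import struct

UTC = datetime.timezone.utc


def build_sample_pe(stamp: int) -> bytes:
    """Constructed stand-in (NOT a Remexi binary): MZ stub, e_lfanew, 'PE\\0\\0',
    a COFF header with the given TimeDateStamp, then strings a MinGW-w64 GCC
    build usually carries. Enough header for the parser; no optional header."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,  # Machine: IMAGE_FILE_MACHINE_I386
        3,       # NumberOfSections (unused here)
        stamp,   # TimeDateStamp: seconds since the Unix epoch
        0, 0,    # PointerToSymbolTable, NumberOfSymbols
        0xE0,    # SizeOfOptionalHeader (PE32)
        0x0102,  # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    body = (b"\x00" * 64
            + b"GCC: (GNU) 7.3.0\x00"                 # .comment-style version string
            + b"__mingw_init_tls\x00"                 # MinGW CRT symbol name
            + b"Mingw-w64 runtime failure:\x00")      # MinGW-w64 CRT message
    return dos + b"PE\x00\x00" + coff + body


# Sample stamped 2018-03-15 12:00:00 UTC, matching the article's "March 2018".
SAMPLE_STAMP = int(datetime.datetime(2018, 3, 15, 12, tzinfo=UTC).timestamp())
SAMPLE_PE = build_sample_pe(SAMPLE_STAMP)


def pe_timestamp(data: bytes) -> datetime.datetime:
    """Return the COFF TimeDateStamp as an aware UTC datetime; ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature: Machine(2), NumberOfSections(2), TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.datetime.fromtimestamp(stamp, tz=UTC)


_GCC_RE = re.compile(rb"GCC: \([^)\r\n]{0,64}\) [0-9][0-9.]*")
_MINGW_RE = re.compile(rb"mingw", re.IGNORECASE)


def compiler_artifacts(data: bytes) -> dict:
    """Collect GCC version strings and count 'mingw' markers anywhere in the image."""
    gcc = sorted({m.group(0).decode("ascii", "replace") for m in _GCC_RE.finditer(data)})
    return {"gcc_strings": gcc, "mingw_markers": len(_MINGW_RE.findall(data))}


def triage(data: bytes, now: datetime.datetime = None) -> dict:
    """Summarise build-chain evidence. The timestamp is attacker-controlled, so it
    is reported as a lead, not proof; zero or future stamps are marked unreliable."""
    now = now or datetime.datetime.now(UTC)
    ts = pe_timestamp(data)
    art = compiler_artifacts(data)
    return {
        "compile_time": ts.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "timestamp_unreliable": ts.timestamp() == 0 or ts > now,
        "gcc_strings": art["gcc_strings"],
        "mingw_markers": art["mingw_markers"],
        "looks_mingw": bool(art["gcc_strings"]) and art["mingw_markers"] > 0,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PE), indent=2))
```

On a real sample, pass the file's bytes to `triage()`; a plausible stamp plus GCC and `mingw` strings corroborates a MinGW build, while a zero or future stamp tells you the field was tampered with and should not anchor a timeline.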