Nazar APT Description
The Nazar hacking group is a recently uncovered APT (Advanced Persistent Threat). Malware researchers believe that this hacking group may be a part of the infamous APT37. The latter is a hacking group based in China, which is also known under the alias Emissary Panda. In 2017 there was a leak by the Shadow Brokers hacking group, which included some interesting details about the activity and hacking arsenal of the Nazar APT.
According to the Shadow Brokers leak, the Nazar hacking group has likely been active for a decade now, ever since 2010. Most of the targets of the Nazar APT appear to be located in Iran. In the ten years that the Nazar APT has been active, the hacking group has updated its arsenal of tools and has switched its targets regularly. Among its newest hacking tools is the EYService backdoor Trojan, a threat that operates very silently and may avoid detection over prolonged periods. The EYService Trojan was used in the Nazar APT campaigns targeting Iranian victims. This threat is capable of collecting information, carrying out complex reconnaissance operations, and planting additional malware on the infected host. To avoid detection by some anti-malware solutions, the EYService malware's payload has been obfuscated with the help of legitimate utilities, as well as publicly available hacking tools. This is a trick that numerous cyber crooks worldwide use.
Despite the fact that the Nazar hacking group has been active for over a decade, there is not much information available about its campaigns and targets. It would appear that this APT prefers to stay away from the limelight and treads carefully. It is likely that malware researchers will be able to find out more about these cyber crooks and their motivations in the future.