OilRig, an Iranian cyber group, conducts an advanced cyberattack on the Iraqi government


An “elaborate” cyberattack campaign directed against Iraqi government networks has been detected and attributed to OilRig, a cyber group backed by the Iranian state.

According to recent research by cybersecurity firm Check Point, the attacks specifically targeted Iraqi institutions such as the Ministry of Foreign Affairs and the Prime Minister’s Office.

Known by several aliases, including APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten, OilRig is an Iran-based cyber outfit that has been linked to the country’s Ministry of Intelligence and Security (MOIS).

The group has been active since at least 2014 and has a history of using phishing attacks across the Middle East to deliver custom backdoors, including Karkoff, Shark, Marlin, Saitama, MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah, in order to steal confidential data.

Like previous campaigns, the most recent one relies on two new malware families, Veaty and Spearal, both of which can run PowerShell commands and harvest files of interest.

“The toolset used in this targeted campaign employs unique command-and-control (C2) mechanisms, including a custom DNS tunneling protocol and a tailor-made email-based C2 channel,” Check Point said.

“The C2 channel uses compromised email accounts within the targeted organization, indicating that the threat actor successfully infiltrated the victim’s networks.”

Part of the threat actor’s activity during and after the intrusion aligned with tactics, techniques, and procedures (TTPs) that OilRig has previously used in similar operations.

This includes issuing commands and exfiltrating data over email-based C2 channels, notably through previously compromised email accounts, a modus operandi shared by several of the group’s backdoors, including PowerExchange, MrPerfectionManager, and Karkoff.

The attack is initiated via malicious files (“Avamer.pdf.exe” or “IraqiDoc.docx.rar”) that use double extensions to pass as benign documents but launch Veaty and Spearal when executed. Social engineering is likely to have played a part in the infection chain.

The files run intermediate PowerShell or PyInstaller-packaged scripts, which drop the malware executables together with their XML-based configuration files, including the C2 server details.

“The Spearal malware is a .NET backdoor that utilizes DNS tunneling for [C2] communication,” Check Point said. “The data transferred between the malware and the C2 server is encoded in the subdomains of DNS queries using a custom Base32 scheme.”

Spearal can read a file’s contents and send them to the C2 as Base32-encoded data, run PowerShell commands, and receive data from the C2 server and write it to a file on the system.
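To make the DNS-tunneling mechanism concrete, the following added example (not Check Point’s research code or the malware itself) shows how a sender packs data into the subdomain labels of DNS queries and how a receiver reassembles it, followed by a simple detector that scores resolver-log query names by label length and entropy. Standard RFC 4648 Base32 stands in for Spearal’s custom alphabet, which the page does not describe; the C2 domain, the sequence-number framing and the log format are assumptions made for the example.

```python
"""Added example (not Check Point's or the malware's code): what DNS-tunneled
exfiltration looks like on the wire, and a heuristic detector for it.
Standard RFC 4648 Base32 stands in for Spearal's custom alphabet (assumption);
the C2 domain, framing and log format are constructed for the example."""
import base64
import math
from collections import Counter

C2_DOMAIN = "c2.example"   # hypothetical; the real C2 domain is not on the page
LABEL_LEN = 60             # a DNS label may hold at most 63 characters
LABELS_PER_NAME = 3        # keeps the whole name under the 253-character limit


def encode_chunks(data: bytes, domain: str = C2_DOMAIN):
    """Split Base32-encoded data into labels and prefix each name with a
    sequence number so the receiver can reassemble out-of-order queries."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    labels = [b32[i:i + LABEL_LEN] for i in range(0, len(b32), LABEL_LEN)]
    names = []
    for seq, start in enumerate(range(0, len(labels), LABELS_PER_NAME)):
        chunk = labels[start:start + LABELS_PER_NAME]
        names.append(f"{seq}." + ".".join(chunk) + "." + domain)
    return names


def decode_chunks(names, domain: str = C2_DOMAIN) -> bytes:
    """Receiver side: order by sequence number, strip the C2 domain, re-pad."""
    payload = ""
    for name in sorted(names, key=lambda n: int(n.split(".")[0])):
        subdomain = name[: -len("." + domain)]
        payload += "".join(subdomain.split(".")[1:])
    payload += "=" * (-len(payload) % 8)
    return base64.b32decode(payload.upper())


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def score_query(qname: str, min_label_len: int = 30) -> float:
    """Score a query name by the entropy of its long alphanumeric labels.
    Encoded data yields long, high-entropy labels whatever the exact alphabet,
    so this also covers custom Base32 variants. The registrable domain is
    assumed to be the last two labels (assumption)."""
    labels = qname.lower().rstrip(".").split(".")[:-2]
    suspicious = [l for l in labels if len(l) >= min_label_len and l.isalnum()]
    return max((shannon_entropy(l) for l in suspicious), default=0.0)


def flag_tunneling(log_lines, threshold: float = 3.5):
    """Return query names that look like tunneled data.
    Constructed log format: '<timestamp> <client-ip> <qname> <qtype>'."""
    return [line.split()[2] for line in log_lines
            if score_query(line.split()[2]) >= threshold]


TUNNEL_NAME = encode_chunks(bytes(range(64)))[0]   # constructed tunneled query
SAMPLE_LOG = [                                       # constructed resolver log
    "2024-09-01T10:00:00Z 10.0.0.5 www.example.com A",
    "2024-09-01T10:00:01Z 10.0.0.5 mail.gov-iq.net MX",
    f"2024-09-01T10:00:02Z 10.0.0.5 {TUNNEL_NAME} TXT",
]

if __name__ == "__main__":
    for name in encode_chunks(b"confidential report contents"):
        print(name)
    print("flagged:", flag_tunneling(SAMPLE_LOG))
```

The detector deliberately does not check for a particular Base32 alphabet: a custom alphabet would defeat an alphabet match, but it cannot hide the long, high-entropy labels that carrying data requires. In production, aggregate scores per client and per registrable domain rather than alerting on single queries, since a legitimate CDN or anti-spam service can also emit long hashed labels.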

Veaty, also written in .NET, uses email for its C2 communications, retrieving files and commands through designated mailboxes on the gov-iq.net domain. Its command set allows it to run PowerShell scripts and to upload and download files.

A separate XML configuration file that Check Point found while investigating the actor’s infrastructure is likely associated with a third backdoor that tunnels its traffic over SSH.

Check Point also discovered CacheHttp.dll, an HTTP-based backdoor that targets Microsoft Internet Information Services (IIS) servers. It registers for “OnGlobalPreBeginRequest” events, inspects each incoming request when the event fires, and executes commands in response.

“The execution process begins by checking if the cookie header is present in incoming HTTP requests and reads until the sign,” Check Point said. “The main parameter is F=0/1, which indicates whether the backdoor initializes its command configuration (F=1) or runs the commands based on this configuration (F=0).”

The malicious IIS module supports file read/write and command execution. It is an evolution of the malware that ESET categorized as Group 2 in its August 2021 report on native IIS malware, and of another APT34 IIS backdoor nicknamed RGDoor.
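A native IIS module like CacheHttp.dll only runs because it is registered as a global module in the server’s applicationHost.config, which makes that file a good place to hunt. The following added example (not Check Point’s code) parses the globalModules section and flags entries whose DLL does not live in the inetsrv directory, whose name is absent from a baseline allowlist, or whose name is a near-lookalike of a stock module. The config snippet, the module names in it and the partial baseline are constructed for the example; a real baseline should be exported from a known-good host.

```python
"""Added example (not Check Point's code): audit the native global modules
registered in an IIS applicationHost.config and flag entries that do not
look like stock IIS components. The config snippet and the baseline are
constructed; build a real baseline from a known-good server."""
import difflib
import ntpath
import xml.etree.ElementTree as ET

# Stock IIS global modules live in the inetsrv directory
STOCK_DIRS = (r"\system32\inetsrv", r"\syswow64\inetsrv")

# Partial allowlist of stock module names (assumption: export a real baseline
# from a clean host, e.g. with `appcmd list modules`)
BASELINE = {
    "HttpCacheModule", "StaticCompressionModule", "DefaultDocumentModule",
    "RequestFilteringModule", "AnonymousAuthenticationModule",
}

# Constructed applicationHost.config fragment; the third entry mimics a
# stock module name and points at a DLL outside inetsrv
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="HttpCachModule" image="C:\inetpub\temp\CacheHttp.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""


def audit_global_modules(config_xml: str, baseline=BASELINE):
    """Return (module name, image path, reasons) for every suspicious entry."""
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            name = add.get("name", "")
            image = add.get("image", "")
            reasons = []
            # ntpath handles Windows paths even when the audit runs on Linux
            directory = ntpath.dirname(image).lower()
            if not directory.endswith(STOCK_DIRS):
                reasons.append("image outside inetsrv directory")
            if name not in baseline:
                reasons.append("module name not in baseline")
                lookalike = difflib.get_close_matches(name, baseline, n=1, cutoff=0.8)
                if lookalike:
                    reasons.append(f"name resembles stock module {lookalike[0]}")
            if reasons:
                findings.append((name, image, reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in audit_global_modules(SAMPLE_CONFIG):
        print(f"{name}: {image}\n  " + "\n  ".join(reasons))
```

Run this against a copy of %windir%\System32\inetsrv\config\applicationHost.config pulled from each web server; a path check alone is not enough, since an attacker with write access to inetsrv can drop a DLL there, so pair the audit with code-signing checks on the image files and with a baseline of expected module names.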

“This campaign against Iraqi government infrastructure highlights the sustained and focused efforts of Iranian cyber actors operating in the region,” the company said.

“The deployment of a custom DNS tunnelling protocol and an email-based C2 channel leveraging compromised accounts highlights the deliberate effort by Iranian actors to develop and maintain specialized command-and-control mechanisms.”
