Iraqi government networks have emerged as the target of an "elaborate" cyber attack campaign orchestrated by an Iran state-sponsored threat actor known as OilRig.
The attacks singled out Iraqi organizations such as the Prime Minister's Office and the Ministry of Foreign Affairs, cybersecurity company Check Point said in a new analysis.
OilRig, also known as APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten, is an Iranian cyber group affiliated with the Iranian Ministry of Intelligence and Security (MOIS).
Active since at least 2014, the group has a track record of conducting phishing attacks in the Middle East to deliver a variety of custom backdoors such as Karkoff, Shark, Marlin, Saitama, MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah for information theft.
The latest campaign is no exception in that it involves the use of a new set of malware families dubbed Veaty and Spearal, which come with capabilities to execute PowerShell commands and harvest files of interest.
"The toolset used in this targeted campaign employs unique command-and-control (C2) mechanisms, including a custom DNS tunneling protocol, and a tailor-made email based C2 channel," Check Point said.
“The C2 channel uses compromised email accounts within the targeted organization, indicating that the threat actor successfully infiltrated the victim’s networks.”
Some of the actions that the threat actor took in executing the attack, and following it, were consistent with tactics, techniques, and procedures (TTPs) that OilRig has employed when carrying out similar operations in the past.
This includes the use of email-based C2 channels, specifically leveraging previously compromised email mailboxes to issue commands and exfiltrate data. This modus operandi has been common to several backdoors such as Karkoff, MrPerfectionManager, and PowerExchange.
The attack chain is kicked off via deceptive files masquerading as benign documents ("Avamer.pdf.exe" or "IraqiDoc.docx.rar") that, when launched, pave the way for the deployment of Veaty and Spearal. The infection pathway is said to have likely involved an element of social engineering.
The files initiate the execution of intermediate PowerShell or PyInstaller scripts that, in turn, drop the malware executables and their XML-based configuration files, which include information about the C2 server.
"The Spearal malware is a .NET backdoor that utilizes DNS tunneling for [C2] communication," Check Point said. "The data transferred between the malware and the C2 server is encoded in the subdomains of DNS queries using a custom Base32 scheme."
Spearal is designed to execute PowerShell commands, read file contents and send them in the form of Base32-encoded data, and retrieve data from the C2 server and write it to a file on the system.
Also written in .NET, Veaty leverages emails for C2 communications with the end goal of downloading files and executing commands via specific mailboxes belonging to the gov-iq.net domain. The commands allow it to upload/download files and run PowerShell scripts.
Check Point said its analysis of the threat actor's infrastructure led to the discovery of a different XML configuration file that is likely associated with a third SSH tunneling backdoor.
It further identified an HTTP-based backdoor, CacheHttp.dll, that targets Microsoft Internet Information Services (IIS) servers, inspecting incoming web requests for "OnGlobalPreBeginRequest" events and executing commands when they occur.
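To make the DNS-tunneling description above concrete, here is an added example, not code from Check Point's report or from Spearal itself. It models the sender and receiver sides of a tunnel that carries Base32-encoded data in subdomain labels, then runs a simple detector over constructed DNS query log lines. Assumptions not taken from the page: Spearal's custom Base32 scheme is not documented here, so standard RFC 4648 Base32 is used as a stand-in, and the C2 domain "c2.example", the session label "s1a2", the client IP, the timestamps and the log-line format are all constructed for illustration.

```python
"""Added example, not code from Check Point's report or from Spearal.

Models DNS-tunneling C2 (data in subdomain labels) and a detector over
constructed DNS query logs.  Standard RFC 4648 Base32 stands in for
Spearal's undocumented custom scheme; every domain, IP and timestamp below
is constructed.
"""
import base64
import math
from collections import defaultdict

MAX_LABEL = 63   # RFC 1035 single-label limit
MAX_NAME = 253   # practical limit for a full domain name


def encode_dns_queries(data: bytes, c2_domain: str, session: str) -> list:
    """Sender side: split `data` into Base32 chunks and build one query name
    per chunk, laid out as <seq>.<chunk>.<session>.<c2_domain>."""
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    suffix = f".{session}.{c2_domain}"
    room = min(MAX_LABEL, MAX_NAME - len(suffix) - len("0000."))
    return [f"{seq:04d}.{b32[i:i + room]}{suffix}"
            for seq, i in enumerate(range(0, len(b32), room))]


def decode_dns_queries(names: list) -> bytes:
    """Receiver side: reorder by sequence label, re-pad and Base32-decode."""
    chunks = {int(n.split(".")[0]): n.split(".")[1] for n in names}
    b32 = "".join(chunks[k] for k in sorted(chunks)).upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Last two labels; production code should consult the public suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def flag_dns_tunneling(log_lines, min_queries=5, min_payload_len=30,
                       min_entropy=3.0, min_unique_ratio=0.8) -> dict:
    """Each line is '<timestamp> <client_ip> <qname> <qtype>' (constructed format).
    Returns {registered_domain: stats} for domains whose queries look like a
    tunnel: many distinct, long, high-entropy subdomains under one parent."""
    per_domain = defaultdict(lambda: {"queries": 0, "unique": set(),
                                      "payload_len": 0, "entropy": 0.0})
    for line in log_lines:
        _ts, _client, qname, _qtype = line.split()
        dom = registered_domain(qname)
        sub = qname[:-(len(dom) + 1)] if len(qname) > len(dom) else ""
        payload = sub.replace(".", "")
        s = per_domain[dom]
        s["queries"] += 1
        s["unique"].add(sub)
        s["payload_len"] += len(payload)
        s["entropy"] += shannon_entropy(payload)
    findings = {}
    for dom, s in per_domain.items():
        n = s["queries"]
        if n < min_queries:
            continue
        stats = {"queries": n,
                 "unique_ratio": len(s["unique"]) / n,
                 "mean_payload_len": s["payload_len"] / n,
                 "mean_entropy": s["entropy"] / n}
        if (stats["unique_ratio"] >= min_unique_ratio
                and stats["mean_payload_len"] >= min_payload_len
                and stats["mean_entropy"] >= min_entropy):
            findings[dom] = stats
    return findings


# Constructed sample: a "harvested file" pushed through the tunnel, mixed with benign lookups.
SAMPLE_FILE = b"".join(b"constructed sample: line %d of a harvested file\n" % i for i in range(5))
TUNNEL_QUERIES = encode_dns_queries(SAMPLE_FILE, "c2.example", "s1a2")
SAMPLE_LOG = (
    [f"2024-09-01T10:00:0{i}Z 10.0.0.5 {q} TXT" for i, q in enumerate(TUNNEL_QUERIES)]
    + [f"2024-09-01T10:01:0{i}Z 10.0.0.5 {h}.example.org A"
       for i, h in enumerate(["www", "www", "mail", "www", "cdn", "www"])]
)

if __name__ == "__main__":
    for dom, stats in flag_dns_tunneling(SAMPLE_LOG).items():
        print(f"possible DNS tunnel to {dom}: {stats}")
```

The detector keys on what any subdomain-carrying tunnel must do regardless of its alphabet: emit many never-repeated, near-maximum-length, high-entropy names under a single parent domain. Thresholds here are illustrative; on real resolver logs you would tune them per domain volume and exclude known high-cardinality services (CDNs, anti-spam lookups) before alerting.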
"The execution process begins by checking if the Cookie header is present in incoming HTTP requests and reads until the ; sign," Check Point said. "The main parameter is F=0/1 which indicates whether the backdoor initializes its command configuration (F=1) or runs the commands based on this configuration (F=0)."
The malicious IIS module, which represents an evolution of malware categorized as Group 2 by ESET in August 2021 and of another APT34 IIS backdoor codenamed RGDoor, supports command execution and file read/write operations.
"This campaign against Iraqi government infrastructure highlights the sustained and focused efforts of Iranian threat actors operating in the region," the company said.
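A native IIS module like the one described above only receives OnGlobalPreBeginRequest notifications once it is registered in applicationHost.config under globalModules, which makes that file a natural place to hunt. The following is an added example, not code from Check Point's report or from the CacheHttp.dll module: it parses a constructed applicationHost.config fragment and flags native modules whose DLL is loaded from outside Microsoft's inetsrv directory. The sample config, the image path C:\inetpub\temp\CacheHttp.dll and the module registration layout are constructed for illustration; on a real server the file lives at %windir%\System32\inetsrv\config\applicationHost.config.

```python
"""Added example, not code from Check Point's report or from CacheHttp.dll.

Audits <globalModules> entries in an IIS applicationHost.config and flags
native modules loaded from outside %windir%\System32\inetsrv.  The config
below is constructed; the CacheHttp image path is illustrative.
"""
import xml.etree.ElementTree as ET

# Directory where Microsoft's own native IIS modules ship.
TRUSTED_DIR = r"c:\windows\system32\inetsrv"

# Constructed fragment mirroring the shape of a real applicationHost.config.
SAMPLE_APPHOST_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="CacheHttp" image="C:\inetpub\temp\CacheHttp.dll" />
    </globalModules>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <modules>
        <add name="HttpCacheModule" lockItem="true" />
        <add name="StaticFileModule" lockItem="true" />
        <add name="CacheHttp" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""


def _normalize(path: str) -> str:
    """Lower-case, unify slashes and expand the env vars IIS uses in image paths."""
    p = path.lower().replace("/", "\\")
    for var in ("%windir%", "%systemroot%"):
        p = p.replace(var, r"c:\windows")
    return p


def audit_global_modules(config_xml: str, trusted_dir: str = TRUSTED_DIR) -> list:
    """Return one dict per <globalModules><add> entry.  A native module loaded
    from outside inetsrv is the primary signal; `enabled` tells you whether it
    is also wired into the request pipeline via <modules>."""
    root = ET.fromstring(config_xml)
    enabled = {add.get("name")
               for mods in root.iter("modules") for add in mods.findall("add")}
    trusted_prefix = _normalize(trusted_dir).rstrip("\\") + "\\"
    results = []
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            name, image = add.get("name"), add.get("image", "")
            results.append({
                "name": name,
                "image": image,
                "enabled": name in enabled,
                "suspicious": not _normalize(image).startswith(trusted_prefix),
            })
    return results


def suspicious_modules(config_xml: str) -> list:
    return [r for r in audit_global_modules(config_xml) if r["suspicious"]]


if __name__ == "__main__":
    for r in suspicious_modules(SAMPLE_APPHOST_CONFIG):
        state = "enabled" if r["enabled"] else "registered but not enabled"
        print(f"native IIS module '{r['name']}' loads from {r['image']} ({state})")
```

The load path, not the file name, is the signal: the legitimate HttpCacheModule ships as cachhttp.dll inside inetsrv, so a name-based rule would either miss a look-alike or false-positive on the real module. For any flagged DLL, verify its Authenticode signature (PowerShell's Get-AuthenticodeSignature) and confirm whether it is currently mapped into the w3wp.exe worker processes before treating it as benign.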
“The deployment of a custom DNS tunneling protocol and an email-based C2 channel leveraging compromised accounts highlights the deliberate effort by Iranian actors to develop and maintain specialized command-and-control mechanisms.”