Cybersecurity researchers have revealed a new remote access trojan and information stealer used by Iranian state-sponsored actors to conduct reconnaissance of compromised endpoints and execute malicious commands.
Cybersecurity firm Check Point has codenamed the malware WezRat, stating it has been detected in the wild since at least September 1, 2023, based on artifacts uploaded to the VirusTotal platform.
“WezRat can execute commands, take screenshots, upload files, perform keylogging, and steal clipboard content and cookie files,” it stated in a technical report. “Some functions are performed by separate modules retrieved from the command and control (C&C) server in the form of DLL files, making the backdoor’s main component less suspicious.”
WezRat is assessed to be the work of Cotton Sandstorm, an Iranian hacking group that is better known under the cover names Emennet Pasargad and, more recently, Aria Sepehr Ayandehsazan (ASA).
The malware was first documented late last month by U.S. and Israeli cybersecurity agencies, which described it as an “exploitation tool for gathering information about an end point and running remote commands.”
Attack chains, according to the government agencies, involve the use of trojanized Google Chrome installers (“Google Chrome Installer.msi”) that, in addition to installing the legitimate Chrome web browser, are configured to run a second binary named “Updater.exe” (internally referred to as “bd.exe”).
The malware-laced executable, for its part, is designed to harvest system information and establish contact with a command-and-control (C&C) server (“connect.il-cert[.]net”) to await further instructions.
Check Point said it has observed WezRat being distributed to multiple Israeli organizations as part of phishing emails impersonating the Israeli National Cyber Directorate (INCD). The emails, sent on October 21, 2024, originated from the email address “alert@il-cert[.]net” and urged recipients to urgently install a Chrome security update.
“The backdoor is executed with two parameters: connect.il-cert.net 8765, which represents the C&C server, and a number used as a ‘password’ to enable the correct execution of the backdoor,” Check Point said, noting that providing an incorrect password could cause the malware to “execute an incorrect function or potentially crash.”
“The earlier versions of WezRat had hard-coded C&C server addresses and didn’t rely on ‘password’ argument to run,” Check Point said. “WezRat initially functioned more as a simple remote access trojan with basic commands. Over time, additional features such as screenshot capabilities and a keylogger were incorporated and handled as separate commands.”
Furthermore, the company’s analysis of the malware and its backend infrastructure suggests that at least two different teams are involved in the development of WezRat and its operations.
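The launch pattern described above (a dropped “Updater.exe” started as “<host> <port> <password>”) is a useful detection hook. The following is an added example, not code from the report, that runs that check over constructed process-creation events; it also flags the argument shape on its own so a rehosted C&C is still caught. The sample events, the password values and the hostname in the benign-looking case are all constructed.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the WezRat reporting: C&C host and the dropped binary name.
C2_HOST = "connect.il-cert.net"
DROPPED_NAME = "updater.exe"

# The backdoor's command line is "<image> <host> <port> <numeric password>".
# Matching that shape, not only the host, also catches a rehosted C&C.
_FIRST_TOKEN = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*')
_C2_ARGS = re.compile(
    r"^(?P<host>[A-Za-z0-9.\-]+\.[A-Za-z]{2,})\s+(?P<port>\d{1,5})\s+(?P<password>\d+)\s*$"
)


def classify(image: str, cmdline: str):
    """Return a reason string if a process-creation event matches WezRat's
    launch pattern, or None for a benign-looking event."""
    if C2_HOST in cmdline.lower():
        return "command line references the WezRat C&C host"
    if PureWindowsPath(image).name.lower() != DROPPED_NAME:
        return None
    args = _FIRST_TOKEN.sub("", cmdline, count=1)  # strip the image path
    m = _C2_ARGS.match(args)
    if m:
        return f"Updater.exe launched with C&C-style arguments host={m['host']} port={m['port']}"
    return None


# Constructed sample events in the shape of Sysmon event ID 1 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Updater.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\Updater.exe" connect.il-cert.net 8765 1234'},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Updater.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\Updater.exe" update.example-cdn.net 443 5678'},
    {"Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "CommandLine": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c'},
]


def scan(events):
    """Return (Image, reason) pairs for every event that matches."""
    hits = []
    for ev in events:
        reason = classify(ev["Image"], ev["CommandLine"])
        if reason:
            hits.append((ev["Image"], reason))
    return hits


if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```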
“The ongoing development and refinement of WezRat indicates a dedicated investment in maintaining a versatile and evasive tool for cyber espionage,” it concluded.
“Emennet Pasargad’s activities target various entities across the United States, Europe, and the Middle East, posing a threat not only to direct political adversaries but also to any group or individual with influence over Iran’s international or domestic narrative.”