OilRig Targets Iraqi Government Networks with Elaborate Cyber Attack

A sophisticated cyber attack campaign has been launched against Iraqi government networks, according to a new analysis from cybersecurity firm Check Point. The attacks, attributed to the Iranian state-sponsored threat actor OilRig (also known as APT34), targeted organizations such as the Prime Minister’s Office and the Ministry of Foreign Affairs.

The campaign employs a new set of malware families, dubbed Veaty and Spearal, which can execute PowerShell commands and harvest files of interest. The malware uses unique command-and-control (C2) mechanisms, including a custom DNS tunneling protocol and an email-based C2 channel that leverages compromised email accounts within the targeted organization.

The attack chain begins with deceptive files masquerading as benign documents, which, when launched, run intermediate PowerShell or PyInstaller scripts that drop the malware executables and their XML configuration files. Spearal, a .NET backdoor, uses DNS tunneling for C2 communication, while Veaty communicates over email through compromised mailboxes.
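Because Spearal's C2 rides inside DNS queries, a resolver or DNS-security log is the natural place to look for it. The following is an added example written for this summary (it is not Check Point's code and does not reproduce the Spearal protocol): it summarizes DNS queries per zone and flags zones that receive many distinct, long, high-entropy subdomain labels, the statistical shape of data being smuggled through DNS. The log format, zone names, query contents and thresholds are all constructed assumptions; a real deployment would tune them against baseline traffic and whitelist known CDNs and antivirus vendors, which legitimately generate similar patterns.

```python
"""Heuristic detector for DNS-tunneling C2 traffic in DNS query logs.

Added example, not from the article or from Check Point. Log format
("<epoch> <client> <qname> <qtype>"), zone names and thresholds are
constructed assumptions.
"""
import math
from collections import defaultdict

# Constructed sample resolver log: one benign zone and one zone receiving
# hex-encoded, never-repeating labels over TXT (a tunneling signature).
SAMPLE_DNS_LOG = """\
1725350000 10.0.0.5 www.example-news.test A
1725350001 10.0.0.5 cdn.example-news.test A
1725350002 10.0.0.9 d41d8cd98f00b204e9800998ecf8427e.c2zone.test TXT
1725350003 10.0.0.9 a3f5c1e9b27d4406ff0e8c91a2b7d3e4.c2zone.test TXT
1725350004 10.0.0.9 7c9e6679f4d1a5b3c2e8f0a1b6d4c3e2.c2zone.test TXT
1725350005 10.0.0.9 0e1f2a3b4c5d6e7f8091a2b3c4d5e6f7.c2zone.test TXT
1725350006 10.0.0.9 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d.c2zone.test TXT
1725350007 10.0.0.5 mail.example-news.test MX
1725350008 10.0.0.9 b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7.c2zone.test TXT
1725350009 10.0.0.5 www.example-news.test A
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the constructed log format into (ts, client, qname, qtype)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname, qtype = parts
        records.append((int(ts), client, qname.lower().rstrip("."), qtype.upper()))
    return records


def split_zone(qname):
    """Return (zone, subdomain). Simplification: zone = last two labels."""
    labels = qname.split(".")
    if len(labels) < 2:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def summarize_zones(records):
    """Per-zone statistics that distinguish tunneling from ordinary lookups."""
    raw = defaultdict(lambda: {"queries": 0, "subdomains": set(), "entropy": 0.0,
                               "label_len": 0, "txt": 0, "clients": set()})
    for _ts, client, qname, qtype in records:
        zone, sub = split_zone(qname)
        s = raw[zone]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["entropy"] += shannon_entropy(sub)
        s["label_len"] += len(sub)
        s["txt"] += qtype == "TXT"
        s["clients"].add(client)
    summary = {}
    for zone, s in raw.items():
        q = s["queries"]
        summary[zone] = {
            "queries": q,
            "unique_subdomains": len(s["subdomains"]),
            "unique_ratio": len(s["subdomains"]) / q,
            "avg_label_len": s["label_len"] / q,
            "avg_entropy": s["entropy"] / q,
            "txt_ratio": s["txt"] / q,
            "clients": len(s["clients"]),
        }
    return summary


def flag_tunneling_zones(records, min_queries=5, min_unique_ratio=0.8,
                         min_avg_label_len=20, min_avg_entropy=3.0):
    """Return {zone: stats} for zones whose query pattern looks like tunneling."""
    flagged = {}
    for zone, st in summarize_zones(records).items():
        if (st["queries"] >= min_queries
                and st["unique_ratio"] >= min_unique_ratio
                and st["avg_label_len"] >= min_avg_label_len
                and st["avg_entropy"] >= min_avg_entropy):
            st["reasons"] = ["many unique long high-entropy labels"]
            if st["txt_ratio"] >= 0.5:
                st["reasons"].append("TXT-heavy")  # TXT carries large responses
            flagged[zone] = st
    return flagged


if __name__ == "__main__":
    for zone, st in flag_tunneling_zones(parse_log(SAMPLE_DNS_LOG)).items():
        print(zone, st["reasons"], f"queries={st['queries']} clients={st['clients']}")
```

Run it as a script to see the flagged zone, or call `flag_tunneling_zones(parse_log(text))` on a real export. The four thresholds are deliberately conjunctive: a busy CDN zone has many unique labels but short ones, and a single long lookup has no volume, so only traffic that is simultaneously voluminous, non-repeating, long and high-entropy is reported.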

The campaign also involves an HTTP-based backdoor, CacheHttp.dll, which targets Microsoft’s Internet Information Services (IIS) servers and inspects incoming web requests on “OnGlobalPreBeginRequest” events. The malicious IIS module supports command execution and file read/write operations, marking a further evolution of malware that ESET classified as Group 2 in August 2021.

“This campaign against Iraqi government infrastructure highlights the sustained and focused efforts of Iranian threat actors operating in the region,” Check Point said. “The deployment of a custom DNS tunneling protocol and an email-based C2 channel leveraging compromised accounts highlights the deliberate effort by Iranian actors to develop and maintain specialized command-and-control mechanisms.”

Source: https://thehackernews.com/2024/09/iranian-cyber-group-oilrig-targets.html?m=1