Iraqi government networks have emerged as the target of a “sophisticated” cyber attack campaign orchestrated by an Iranian state-sponsored threat group known as OilRig.
The attacks specifically targeted Iraqi entities such as the Office of the Prime Minister and the Department of External Affairs, according to a new analysis by cybersecurity firm Check Point.
OilRig, also tracked as APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten, is an Iranian cyber group affiliated with the Iranian Ministry of Intelligence and Security (MOIS).
Active since at least 2014, the group has a track record of conducting phishing attacks in the Middle East to deliver a range of custom backdoors such as Karkoff, Shark, Marlin, Saitama, MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah for information theft.
The latest campaign follows the same pattern in that it involves the use of a new set of malware families dubbed Veaty and Spearal, both capable of executing PowerShell commands and harvesting files of interest.
“The toolset utilized in this aimed campaign includes distinctive command-and-control (C2) mechanisms, which consist of a bespoke DNS tunneling protocol and a personalized email-based C2 channel,” Check Point said in a statement.
“The C2 channel employs compromised email accounts within the specific organization, indicating that the threat party has efficiently penetrated the victim’s networks.”
Several actions taken by the threat actor during the attack, and in its aftermath, were consistent with tactics, techniques, and procedures (TTPs) that OilRig has used in previous operations of a similar nature.
This includes the use of email-based C2 channels, specifically leveraging previously compromised email inboxes to issue commands and exfiltrate data. This modus operandi has recurred in various backdoors such as Karkoff, MrPerfectionManager, and PowerExchange.
The attack chain begins with malicious files masquerading as benign documents (“Avamer.pdf.exe” or “IraqiDoc.docx.rar”) that, upon execution, pave the way for the deployment of Veaty and Spearal. The infection path is suspected to have involved an element of social engineering.
The files trigger the execution of intermediate PowerShell or PyInstaller scripts that, in turn, drop the malware executables and their XML-based configuration files, which contain information about the C2 server.
“The Spearal malware works as a .NET entrance using DNS tunneling for [C2] communication,” Check Point explained. “The data exchanged between the malware and the C2 server is encoded in the subdomains of DNS inquiries employing a customized Base32 scheme.”
Spearal is designed to execute PowerShell commands, read file contents and send them in the form of Base32-encoded data, and retrieve data from the C2 server and write it to a file on the system.
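As an added example that is not part of the Check Point report or this article, the following Python script shows how a defender might hunt in resolver logs for the kind of DNS tunneling described above: it looks for clients issuing many distinct, long, high-entropy subdomains under a single apex domain. The log format, domain names and thresholds are assumptions; because the malware uses a customized Base32 alphabet, the heuristic deliberately does not rely on matching the standard Base32 character set.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (sample input, not taken from the report).
# Assumed format per line: "<timestamp> <client_ip> <query_name> <qtype>"
SAMPLE_LOG = """\
2024-09-01T10:00:01Z 10.0.0.5 www.example.com A
2024-09-01T10:00:02Z 10.0.0.5 mail.example.com MX
2024-09-01T10:00:03Z 10.0.0.9 gezdgnbvgy3tqojqgezdgnbvgy3tqojqgezdgnbv.ab12.tunnel-example.net A
2024-09-01T10:00:04Z 10.0.0.9 nbvgy3tqojqgezdgnbvgy3tqojqgezdgnbvgy3tq.ab13.tunnel-example.net A
2024-09-01T10:00:05Z 10.0.0.9 ojqgezdgnbvgy3tqojqgezdgnbvgy3tqojqgezdg.ab14.tunnel-example.net A
2024-09-01T10:00:06Z 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(text):
    """Bits per character of the label text; encoded payloads score far above 'www'."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_query(qname):
    """Split a query name into apex and data-bearing subdomain and score the latter.
    Assumption: the apex is the last two labels; a production check should use the
    Public Suffix List so that names under e.g. .co.uk are split correctly."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return None  # nothing below the apex, so no room for tunneled data
    sub = "".join(labels[:-2])
    return {"apex": ".".join(labels[-2:]), "sub": sub,
            "subdomain_len": len(sub), "entropy": shannon_entropy(sub)}

def flag_dns_tunneling(log_text, min_len=30, min_entropy=3.0, min_unique=3):
    """Return (client, apex, unique_subdomain_count) for client/apex pairs whose
    queries carry long, high-entropy subdomains that never repeat. A custom
    Base32 alphabet defeats matching the standard alphabet, so the heuristic
    rests on label length, entropy and the volume of distinct names instead."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        _, client, qname, _ = parts
        s = score_query(qname)
        if s and s["subdomain_len"] >= min_len and s["entropy"] >= min_entropy:
            seen[(client, s["apex"])].add(s["sub"])
    return sorted((c, a, len(v)) for (c, a), v in seen.items() if len(v) >= min_unique)
```

Running `flag_dns_tunneling(SAMPLE_LOG)` on the constructed log flags only the 10.0.0.9 client and its three never-repeating names under tunnel-example.net; the ordinary www, mail and cdn lookups fall below the length threshold.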
Also written in .NET, Veaty uses email for C2 communication, with the ultimate goal of downloading files and executing commands via specific mailboxes associated with the gov-iq.net domain. The commands allow it to upload/download files and run PowerShell scripts.
Check Point disclosed that its analysis of the threat actor's infrastructure led to the discovery of a different XML configuration file likely associated with a third SSH tunneling backdoor.
It also identified an HTTP-based backdoor, CacheHttp.dll, targeting Microsoft’s Internet Information Services (IIS) servers, which inspects incoming web requests for “OnGlobalPreBeginRequest” events and executes commands when they occur.

“The execution procedure initiates by examining if the Cookie header is present in incoming HTTP requests and reads until the ; symbol,” Check Point noted. “The primary parameter is F=0/1, which indicates whether the backdoor initializes its command configuration (F=1) or operates the instructions based on this configuration (F=0).”
The malicious IIS module, which represents an evolution of malware classified as Group 2 by ESET in August 2021 and of another APT34 IIS backdoor called RGDoor, supports command execution and read/write operations.
“This operation against Republic of Iraq government infrastructure underscores the steady and targeted endeavors of Iranian threat actors operating in the area,” the company said.
“The deployment of a personalized DNS tunneling protocol and an email-based C2 channel leveraging compromised accounts showcases the intentional efforts by Iranian actors to evolve and uphold specialized command-and-control mechanisms.”