Targets of a sophisticated cyber assault campaign orchestrated by an Iranian state-sponsored threat actor known as OilRig now include Iraqi governmental networks.
As per a fresh examination by cybersecurity firm Check Point, the entities zeroed in on by the attacks are Iraqi organizations like the Prime Minister’s Office and the Ministry of Foreign Affairs.
Referred to as APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten, OilRig is an Iranian cyber syndicate linked to the Iranian Ministry of Intelligence and Security (MOIS).
In operation since at least 2014, the group has a history of executing phishing campaigns in the Middle East to distribute a range of bespoke backdoors such as Karkoff, Shark, Marlin, Saitama, MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah for data exfiltration.
The current offensive follows a similar pattern, featuring a fresh lineup of malware families named Veaty and Spearal, designed to run PowerShell commands and collect specific files of interest.
“The toolset employed in this specific campaign utilizes unique command-and-control (C2) methods, which include a personalized DNS tunneling protocol and a specialized email-based C2 channel,” stated Check Point in its report.
“The C2 channel relies on compromised email accounts within the targeted organization, signifying that the threat actor has managed to infiltrate the victim’s networks successfully.”
Several strategies employed by the threat actor during and after the attack exhibit similarities with the tactics, techniques, and procedures (TTPs) habitually utilized by OilRig in prior operations.
These tactics include the use of email-based C2 channels, specifically leveraging previously compromised email accounts to issue commands and extract data. This operational approach has been observed across various backdoors like Karkoff, MrPerfectionManager, and PowerExchange.
The attack sequence starts with deceptive files that use double-extension names to pose as innocuous documents (“Avamer.pdf.exe” or “IraqiDoc.docx.rar”) and, upon execution, open the door for the deployment of Veaty and Spearal. The delivery route is believed to have involved an element of social engineering.
These files trigger intermediate PowerShell or PyInstaller scripts, which subsequently drop the malware executables and their XML-based configuration files containing details about the C2 server.
“The Spearal malware is a .NET backdoor that utilizes DNS tunneling for [C2] communication,” Check Point explained. “The information transmitted between the malware and the C2 server is encoded in the subdomains of DNS queries using a custom Base32 mechanism.”
Spearal is designed to execute PowerShell commands, read file contents, encode them in Base32, and transmit them to the C2 server, where the data is then saved to a file on the server.
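As an added illustration, not code from Check Point's report or from the malware, the following Python sketch turns the indicator described above (long, high-entropy subdomain labels carrying encoded data) into a detection run over constructed resolver log lines; the sample log, the zone name c2-placeholder.example and the thresholds are assumptions. Because Spearal is said to use a custom Base32 variant, the check does not assume a particular alphabet.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (client IP, queried name); not real telemetry.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 JBSWY3DPEBLW64TMMQQQ.GEZDGNBVGY3TQOJQ.c2-placeholder.example
10.0.0.7 KRSXG5BAMFXGK5BAMVXGG33EMVSA.c2-placeholder.example
10.0.0.7 ONSWG4TFOQQGK3TDN5SGKZBAMRQXIYI.c2-placeholder.example
10.0.0.9 cdn.example.net
10.0.0.9 static-assets.example.net
"""

# Long labels made only of letters and digits. The report says Spearal uses a
# custom Base32 variant, so no particular alphabet is assumed here.
ENCODED_LABEL = re.compile(r"^[a-z0-9]{16,}$")

def shannon_entropy(s):
    """Bits per character; encoded payloads score well above ordinary hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def encoded_payload(qname, min_len=20, min_entropy=3.0):
    """Return (zone, payload) when the subdomain labels look like encoded data, else None.
    The last two labels are treated as the zone (assumption; a public-suffix list is better)."""
    labels = qname.rstrip(".").lower().split(".")
    data, zone = labels[:-2], ".".join(labels[-2:])
    if not data or not all(ENCODED_LABEL.match(label) for label in data):
        return None
    payload = "".join(data)
    if len(payload) < min_len or shannon_entropy(payload) < min_entropy:
        return None
    return zone, payload

def scan(log, min_queries=2):
    """Report zones that received at least min_queries distinct encoded-looking
    payloads (the many-unique-subdomains pattern of DNS tunneling) and their clients."""
    payloads, clients = defaultdict(set), defaultdict(set)
    for line in log.splitlines():
        client, qname = line.split()
        hit = encoded_payload(qname)
        if hit:
            zone, payload = hit
            payloads[zone].add(payload)
            clients[zone].add(client)
    return {zone: {"payloads": len(p), "clients": sorted(clients[zone])}
            for zone, p in payloads.items() if len(p) >= min_queries}
```

Tune the length and entropy thresholds against a baseline of your own resolver logs before alerting on the result, since CDN and cloud hostnames can also carry long alphanumeric labels.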
Similarly coded in .NET, Veaty uses emails for C2 communication to download files and execute commands through specific mailboxes under the gov-iq.net domain. These commands enable actions like file uploads/downloads and execution of PowerShell scripts.
Check Point highlighted that its in-depth examination of the threat actor’s infrastructure uncovered a distinct XML configuration file likely linked to a third SSH tunneling backdoor.
Additionally, the researchers identified an HTTP-based backdoor, CacheHttp.dll, tailored to Microsoft’s Internet Information Services (IIS) servers; it hooks the “OnGlobalPreBeginRequest” event of incoming web requests and triggers its commands each time that event fires.

“The execution process begins by determining the presence of the Cookie header in incoming HTTP requests and reads until the ; sign,” Check Point elaborated. “The primary parameter is F=0/1, indicating whether the backdoor initializes its command configuration (F=1) or executes commands based on this configuration (F=0).”
The malicious IIS module, an evolution of the malware that ESET tracked as Group 2 in August 2021 and of another APT34 IIS backdoor called RGDoor, supports executing commands and reading and writing files.
“This campaign against the Iraqi government infrastructure underscores the ongoing and targeted activities of Iranian threat actors in the region,” the firm emphasized.
“The adoption of a custom DNS tunneling protocol and an email-based C2 channel utilizing compromised accounts indicates the meticulously designed effort by Iranian operatives to establish and sustain specialized command-and-control mechanisms.”