Iraqi government networks have been targeted in an elaborate cyber attack campaign orchestrated by the Iranian state-sponsored threat actor known as OilRig. The attacks focused on key Iraqi organizations, including the Prime Minister's Office and the Ministry of Foreign Affairs, and deployed two new malware families, Veaty and Spearal.
Key Takeaways
Target: Iraqi government networks, including the Prime Minister's Office and Ministry of Foreign Affairs.
Threat Actor: OilRig, also known as APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm, and Helix Kitten.
Malware Used: Veaty and Spearal, capable of executing PowerShell commands and harvesting files.
Command-and-Control (C2) Mechanisms: Custom DNS tunneling protocol and email-based C2 channels.
Infection Method: Deceptive files masquerading as benign documents, likely involving social engineering.
Background on OilRig
OilRig, also referred to as APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm, and Helix Kitten, is an Iranian cyber group associated with the Iranian Ministry of Intelligence and Security (MOIS). Active since at least 2014, the group has a history of conducting phishing attacks in the Middle East to deliver various custom backdoors for information theft.
Details of the Attack
The latest campaign involved the use of new malware families, Veaty and Spearal, which have capabilities to execute PowerShell commands and harvest files of interest. The toolset used in this targeted campaign employs unique command-and-control (C2) mechanisms, including a custom DNS tunneling protocol and a tailor-made email-based C2 channel.
The email-based C2 channel relies on compromised email accounts inside the targeted organization, indicating that the threat actor had already infiltrated the victim's networks. The same technique has been seen in earlier OilRig backdoors such as Karkoff, MrPerfectionManager, and PowerExchange.
Infection Pathway
The attack chain begins with deceptive files that masquerade as benign documents by using double extensions, such as "Avamer.pdf.exe" (an executable posing as a PDF) or "IraqiDoc.docx.rar" (an archive posing as a Word document). The infection pathway likely involved an element of social engineering to get a user to open them.
When launched, these files run intermediate PowerShell or PyInstaller scripts that, in turn, drop the Veaty and Spearal executables together with their XML-based configuration files, which contain the C2 server details.
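As an added illustration (not code from the original report or from Check Point), the Python check below flags filenames built the way the two lures above are: a document-looking extension sitting directly in front of a final executable or archive extension. It goes slightly beyond the page by also catching two common variants of the same trick, whitespace padding before the real extension and the Unicode right-to-left override character; the extension lists and sample names are assumptions constructed for the example.

```python
from typing import Dict, Iterable, Optional

# Extension lists are assumptions for illustration, not an exhaustive or authoritative set.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "js", "hta", "lnk", "msi"}
ARCHIVE_EXTS = {"rar", "zip", "7z", "iso", "img"}
RLO = "\u202e"  # Unicode Right-to-Left Override: "x\u202efdp.exe" renders as "xexe.pdf"


def masquerade_reason(filename: str) -> Optional[str]:
    """Return why a filename looks like a document masquerade, or None if it looks normal."""
    if RLO in filename:
        return "contains Unicode right-to-left override"
    # Strip whitespace padding such as "report.pdf                .exe"; compare case-insensitively.
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 3:
        return None  # a single extension (or none) hides nothing
    inner, last = parts[-2], parts[-1]
    if inner in DOC_EXTS and last in EXEC_EXTS:
        return f"document extension .{inner} followed by executable .{last}"
    if inner in DOC_EXTS and last in ARCHIVE_EXTS:
        return f"document extension .{inner} followed by archive .{last}"
    return None


def triage(filenames: Iterable[str]) -> Dict[str, str]:
    """Return only the suspicious names with their reasons, e.g. from an attachment log."""
    hits = {}
    for name in filenames:
        reason = masquerade_reason(name)
        if reason is not None:
            hits[name] = reason
    return hits


# Constructed sample names: the two lures named in the report plus benign look-alikes.
SAMPLE_NAMES = [
    "Avamer.pdf.exe",
    "IraqiDoc.docx.rar",
    "budget.2024.xlsx",      # a dot inside the stem is not a double extension
    "archive.tar.gz",        # legitimate compound extension
    "notes.pdf        .scr", # whitespace padding variant
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_NAMES).items():
        print(f"{name!r}: {reason}")
```

A check like this belongs at the mail gateway or in an EDR rule rather than on the endpoint alone, since Windows hides known extensions by default and the user sees only the decoy name.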
Technical Details of Veaty and Spearal
Spearal: A .NET backdoor that uses DNS tunneling for C2 communication. It can execute PowerShell commands and read file contents, returning the results to the C2 server as Base32-encoded data carried in DNS queries.
Veaty: Also written in .NET, it uses email for C2, downloading files and executing commands via specific mailboxes belonging to the gov-iq.net domain.
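To make the DNS-tunneling mechanism concrete, here is an added Python example. It is not Spearal's actual protocol (the page does not document its format) and not Check Point's code; it shows a generic Base32 DNS tunnel and the reverse heuristic a defender can run over DNS query logs. The sending side packs a payload into 63-character Base32 labels under an attacker zone; the detector strips the registered domain, checks the remaining labels against the Base32 alphabet, requires a minimum length and entropy, and attempts to decode. The sample query names, the payload and the example-c2.net zone are constructed, and the assumption that the last two labels form the registered domain is stated in the code.

```python
import base64
import binascii
import math
from collections import Counter
from typing import Dict, Iterable, Optional

# RFC 4648 Base32 alphabet; DNS names are case-insensitive, so we compare in upper case.
B32_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")
MAX_LABEL = 63  # RFC 1035: a single DNS label is at most 63 octets


def encode_as_labels(payload: bytes, zone: str) -> str:
    """Sending side of a generic Base32 DNS tunnel (an assumed layout, not Spearal's).

    '=' padding is dropped because it is not a legal hostname character; the
    decoder re-adds it. The text is split into labels of at most 63 characters.
    """
    text = base64.b32encode(payload).decode("ascii").rstrip("=")
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    return ".".join(labels + [zone])


def shannon_entropy(s: str) -> float:
    """Bits per character; a repeated keep-alive label such as 'AAAA...' scores 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def decode_tunnel_query(qname: str, min_len: int = 20, min_entropy: float = 2.5) -> Optional[bytes]:
    """Return the decoded payload if qname looks like Base32-tunnelled data, else None.

    Assumption: the last two labels are the registered domain. That is wrong for
    public suffixes such as co.uk, so a production detector should use the
    Public Suffix List instead.
    """
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return None
    data = "".join(labels[:-2]).upper()
    if len(data) < min_len or not set(data) <= B32_CHARS:
        return None  # short names, hyphens, or digits 0/1/8/9 are not Base32
    if shannon_entropy(data) < min_entropy:
        return None  # loose default; tune against your own DNS baseline
    padded = data + "=" * (-len(data) % 8)
    try:
        return base64.b32decode(padded)
    except (binascii.Error, ValueError):
        return None


def scan_queries(qnames: Iterable[str]) -> Dict[str, bytes]:
    """Map each suspicious query name to its decoded payload."""
    hits = {}
    for q in qnames:
        payload = decode_tunnel_query(q)
        if payload is not None:
            hits[q] = payload
    return hits


# Constructed sample query names (not from the incident). The last one is what a
# beaconing implant's lookup would look like under the assumed zone example-c2.net.
TUNNEL_PAYLOAD = b"host=WS01;user=jdoe;cmd=whoami /all;seq=1"
SAMPLE_QUERIES = [
    "www.microsoft.com",
    "outlook.office365.com",
    "a1b2c3d4e5f6g7h8i9j0.cloudfront.net",   # hex-like label: rejected by the alphabet check
    "sts-iq-gov.login.microsoftonline.com",  # short and hyphenated: rejected
    encode_as_labels(TUNNEL_PAYLOAD, "example-c2.net"),
]

if __name__ == "__main__":
    for qname, payload in scan_queries(SAMPLE_QUERIES).items():
        print(f"{qname}\n  -> {payload!r}")
```

The 41-byte sample payload becomes 66 Base32 characters, which spill over into a second label; that long-first-label shape, combined with many distinct subdomains under one zone, is the pattern to alert on in resolver logs even when decoding fails because the implant adds its own encryption.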
Additional Findings
Check Point's analysis of the threat actor's infrastructure led to the discovery of a different XML configuration file, likely associated with a third backdoor that uses SSH tunneling. Check Point also identified an HTTP-based backdoor, CacheHttp.dll, that targets Microsoft Internet Information Services (IIS) servers and inspects incoming web requests for specific trigger events, executing commands when they occur.
The malicious IIS module supports command execution and file read/write operations and represents an evolution of previously identified IIS malware attributed to the group.
This campaign against Iraqi government infrastructure highlights the sustained and focused efforts of Iranian threat actors in the region. The custom DNS tunneling protocol and the email-based C2 channel built on compromised accounts underscore a deliberate effort to develop and maintain specialized command-and-control mechanisms that are hard to distinguish from legitimate DNS and email traffic.
Staying ahead of cyber threats requires constant vigilance and cutting-edge solutions. BetterWorld Technology provides comprehensive cybersecurity services that protect your business from data breaches, ransomware, and other cyberattacks. Our team offers proactive monitoring, threat detection, and rapid incident response to ensure your systems remain secure and your data is safe. Book a consultation with us now and let BetterWorld Technology strengthen your cybersecurity posture and defend your business from the ever-evolving threat landscape.
Sources
Iranian Cyber Group OilRig Targets Iraqi Government in Sophisticated Malware Attack, The Hacker News.