Home Security Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations

Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations

by


Nov 15, 2024Ravie LakshmananCyber Espionage / Malware

Cybersecurity researchers have shed light on a new remote access trojan and information stealer used by Iranian state-sponsored actors to conduct reconnaissance of compromised endpoints and execute malicious commands.

Cybersecurity company Check Point has codenamed the malware WezRat, stating it has been detected in the wild since at least September 1, 2023, based on artifacts uploaded to the VirusTotal platform.

“WezRat can execute commands, take screenshots, upload files, perform keylogging, and steal clipboard content and cookie files,” it said in a technical report. “Some functions are performed by separate modules retrieved from the command and control (C&C) server in the form of DLL files, making the backdoor’s main component less suspicious.”

WezRat is assessed to be the work of Cotton Sandstorm, an Iranian hacking group that’s better known under the cover names Emennet Pasargad and, more recently, Aria Sepehr Ayandehsazan (ASA).

Cybersecurity

The malware was first documented late last month by U.S. and Israeli cybersecurity agencies, describing it as an “exploitation tool for gathering information about an end point and running remote commands.”

Attack chains, per the government authorities, involve the use of trojanized Google Chrome installers (“Google Chrome Installer.msi”) that, in addition to installing the legitimate Chrome web browser, is configured to run a second binary named “Updater.exe” (internally called “bd.exe”).

The malware-laced executable, for its part, is designed to harvest system information and establish contact with a command-and-control (C&C) server (“connect.il-cert[.]net”) to await further instructions.

Check Point said it has observed WezRat being distributed to several Israeli organizations as part of phishing emails impersonating the Israeli National Cyber Directorate (INCD). The emails, sent on October 21, 2024, originated from the email address “alert@il-cert[.]net,” and urged recipients to urgently install a Chrome security update.

“The backdoor is executed with two parameters: connect.il-cert.net 8765, which represents the C&C server, and a number used as a ‘password’ to enable the correct execution of the backdoor,” Check Point said, noting that providing an incorrect password could cause the malware to “execute an incorrect function or potentially crash.”

Iranian State-Sponsored Group
Cybersecurity

“The earlier versions of WezRat had hard-coded C&C server addresses and didn’t rely on ‘password’ argument to run,” Check Point said. “WezRat initially functioned more as a simple remote access trojan with basic commands. Over time, additional features such as screenshot capabilities and a keylogger were incorporated and handled as separate commands.”

Furthermore, the company’s analysis of the malware and its backend infrastructure suggests there are at least two different teams who are involved in the development of WezRat and its operations.

“The ongoing development and refinement of WezRat indicates a dedicated investment in maintaining a versatile and evasive tool for cyber espionage,” it concluded.

“Emennet Pasargad’s activities target various entities across the United States, Europe, and the Middle East, posing a threat not only to direct political adversaries but also to any group or individual with influence over Iran’s international or domestic narrative.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex