Iraqi government networks have emerged as targets of an “elaborate” cyber attack campaign orchestrated by Iranian state-sponsored threat actors tracked as OilRig.
Cybersecurity firm Check Point said in a new analysis that the attacks targeted Iraqi institutions including the prime minister’s office and the foreign ministry.
OilRig, also known as APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten, is an Iranian cyber group with ties to the Iranian Ministry of Intelligence and Security (MOIS).
The group has been active since at least 2014 and has a history of conducting phishing attacks in the Middle East and stealing information by delivering a variety of custom backdoors, including Karkoff, Shark, Marlin, Saitama, MrPerfectionManager, PowerExchange, Solar, Mango and Menorah.
The latest attack campaign is no exception, using a new set of malware families called Veaty and Spearal that have the ability to execute PowerShell commands to collect files of interest.
“The toolset used in this targeted attack employs unique command and control (C2) mechanisms, including a custom DNS tunneling protocol and a customized email-based C2 channel,” Check Point said.
“The C2 channel uses compromised email accounts within the targeted organizations, indicating that the threat actors have gained access into the victim’s network.”
Some of the actions the threat actor took during and after the attack were consistent with tactics, techniques, and procedures (TTPs) used by OilRig when conducting similar operations in the past.
These include the use of an email-based C2 channel, specifically leveraging previously compromised mailboxes to issue commands and exfiltrate data, a technique shared by several of the group’s backdoors such as Karkoff, MrPerfectionManager, and PowerExchange.
The attack chain begins with a malicious file disguised as a benign document (“Avamer.pdf.exe” or “IraqiDoc.docx.rar”) which, once launched, leads to the deployment of Veaty and Spearal; the initial delivery likely involves an element of social engineering.
These files initiate the execution of an intermediate PowerShell or PyInstaller script, which then drops the malware executable and an XML-based configuration file containing the C2 server details.
“The Spearal malware is a .NET backdoor that utilizes DNS tunneling for (C2) communications,” Check Point said. “Data transferred between the malware and the C2 server is encoded into subdomains in DNS queries using a custom Base32 scheme.”
Spearal is designed to execute PowerShell commands, read and send file contents in the form of Base32 encoded data, and retrieve data from its C2 server and write it to files on the system.
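To make the DNS-tunneling mechanism concrete, the following is an added example and not Check Point’s or OilRig’s code. It models both sides of a Base32-over-subdomain channel and a resolver-log heuristic a defender could run against it. Everything specific is an assumption: the page does not describe Spearal’s custom alphabet, framing or zone, so plain RFC 4648 Base32 with padding stripped, a leading sequence label, the zone `example.com`, and the detection thresholds are all constructed for illustration, as is the sample log.

```python
import base64
import math
import random
import re
from collections import Counter

# Assumptions for this illustration (the page does not describe Spearal's
# exact alphabet, framing or zone): plain RFC 4648 Base32 with padding
# stripped, a sequence label in front, and an attacker zone of example.com.
C2_ZONE = "example.com"
MAX_LABEL = 63   # RFC 1035 limit for one DNS label
MAX_NAME = 253   # practical limit for a full domain name

# Constructed sample payload (60 random bytes from a fixed seed).
SAMPLE_PAYLOAD = random.Random(7).randbytes(60)


def encode_to_subdomains(data: bytes, zone: str = C2_ZONE, per_query: int = 2) -> list[str]:
    """Client side: chunk data into DNS names whose labels carry Base32 text.

    '=' is not a valid hostname character, so padding is stripped and
    restored by the decoder.  A leading 's<n>' label carries the sequence
    number so the server can reassemble out-of-order queries.
    """
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    queries = []
    for seq, i in enumerate(range(0, len(labels), per_query)):
        name = ".".join([f"s{seq}", *labels[i:i + per_query], zone])
        if len(name) > MAX_NAME:
            raise ValueError("query name too long; lower per_query")
        queries.append(name)
    return queries


def decode_from_subdomains(queries: list[str], zone: str = C2_ZONE) -> bytes:
    """Server side: order by sequence label, drop the zone, re-pad and decode."""
    ordered = sorted(queries, key=lambda q: int(q.split(".")[0][1:]))
    chunks = []
    for name in ordered:
        sub = name[: -(len(zone) + 1)]              # strip ".zone"
        chunks.append("".join(sub.split(".")[1:]))  # drop the 's<n>' label
    b32 = "".join(chunks).upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


# --- defender side: a simple heuristic over resolver logs ---------------------

B32_LABEL = re.compile(r"^[a-z2-7]{20,63}$")


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_tunnel(qname: str, zone_depth: int = 2,
                      min_payload: int = 40, min_entropy: float = 3.5) -> bool:
    """Flag names whose subdomain labels look like long, high-entropy Base32.

    Thresholds are assumptions to tune per environment; CDN and
    anti-virus lookup domains commonly produce long hex/base32 labels too.
    """
    labels = qname.lower().rstrip(".").split(".")
    payload = [lbl for lbl in labels[:-zone_depth] if B32_LABEL.match(lbl)]
    if not payload:
        return False
    joined = "".join(payload)
    return len(joined) >= min_payload and shannon_entropy(joined) >= min_entropy


def flag_dns_log(lines: list[str]) -> list[tuple[str, str]]:
    """Parse constructed '<ts> <client> <qtype> <qname>' lines; return (client, qname) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, _qtype, qname = parts
        if looks_like_tunnel(qname):
            hits.append((client, qname))
    return hits


def build_sample_log() -> list[str]:
    """Constructed resolver log: two benign lookups plus the tunnel queries."""
    benign = [
        "2024-09-01T10:15:00Z 10.0.0.12 A www.microsoft.com",
        "2024-09-01T10:15:01Z 10.0.0.12 A static-assets-01.cdn.example.net",
    ]
    tunnel = [f"2024-09-01T10:15:02Z 10.0.0.12 A {q}"
              for q in encode_to_subdomains(SAMPLE_PAYLOAD)]
    return benign + tunnel


if __name__ == "__main__":
    qs = encode_to_subdomains(SAMPLE_PAYLOAD)
    assert decode_from_subdomains(qs) == SAMPLE_PAYLOAD
    for client, qname in flag_dns_log(build_sample_log()):
        print(f"tunnel-like query from {client}: {qname}")
```

The encoder shows why such channels are bounded by DNS itself (63 bytes per label, 253 per name), which is what makes tunneled exfiltration noisy: a file of any size turns into a burst of long, high-entropy names under one zone. The heuristic keys on exactly that, but the entropy and length thresholds are assumed values, and legitimate CDN, telemetry and anti-virus lookup domains will trip naive versions of it, so pair it with per-zone query volume and rarity before alerting.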
Written in .NET, Veaty leverages email for C2 communications, with the end goal of downloading files and executing commands via specific mailboxes belonging to the gov-iq.net domain. The commands allow for the upload/download of files and the execution of PowerShell scripts.
Check Point said that after analyzing the threat actor’s infrastructure, it discovered additional XML configuration files that may be related to a third SSH tunneling backdoor.
Additionally, researchers identified CacheHttp.dll, an HTTP-based backdoor that targets Microsoft Internet Information Services (IIS) servers, checking for an “OnGlobalPreBeginRequest” event in incoming web requests and executing commands when the event occurs.
“The execution process starts by checking if the incoming HTTP request has a Cookie header and reads it up to the ; symbol,” Check Point said. “The main parameter is F=0/1, which indicates whether the backdoor should initialize a command configuration (F=1) or execute commands based on this configuration (F=0).”
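The cookie-driven control flow described above is the kind of thing that can be hunted in IIS logs, provided the `cs(Cookie)` field is enabled in W3C logging (it is not logged by default). The following is an added example, not code from Check Point or from the backdoor: it models the parsing the page describes (read the Cookie value up to the first `;`, treat `F=1` as “initialize” and `F=0` as “execute”) and runs it over a constructed IIS log. That `F=` is the first cookie segment and the exact value syntax are assumptions, as are the sample records.

```python
import re
from typing import Optional

# Modeled from the page's description: the module reads the Cookie header
# up to the first ';' and treats F=1 as "initialize command configuration"
# and F=0 as "execute the stored configuration".  That F= is the first
# cookie segment, and the exact value syntax, are assumptions here.
CONTROL = re.compile(r"^F=([01])$")


def parse_control(cookie: str) -> Optional[str]:
    """Return 'init' for F=1, 'exec' for F=0, None when the first segment is anything else."""
    head = cookie.split(";", 1)[0].strip()
    m = CONTROL.match(head)
    if not m:
        return None
    return "init" if m.group(1) == "1" else "exec"


def parse_w3c(lines):
    """Yield one dict per IIS W3C log record, using the #Fields directive for column names."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated record
        yield dict(zip(fields, values))


def find_control_requests(lines):
    """Return (date, time, client ip, uri, mode) for requests carrying the control cookie."""
    hits = []
    for rec in parse_w3c(lines):
        cookie = rec.get("cs(Cookie)", "-")
        if cookie == "-":
            continue  # field not logged, or the request sent no cookie
        mode = parse_control(cookie)
        if mode:
            hits.append((rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"], mode))
    return hits


# Constructed sample log.  IIS writes spaces inside a field as '+', which is
# why the cookie values below contain '+' after the ';'.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2024-09-01 10:15:02 10.0.0.5 GET /index.aspx - 443 - 203.0.113.7 Mozilla/5.0 F=1;+token=abc - 200 0 0 12",
    "2024-09-01 10:15:04 10.0.0.5 GET /index.aspx - 443 - 203.0.113.7 Mozilla/5.0 F=0;+token=abc - 200 0 0 8",
    "2024-09-01 10:15:09 10.0.0.5 GET /index.aspx - 443 - 198.51.100.3 Mozilla/5.0 ASP.NET_SessionId=xyz;+F=1 - 200 0 0 5",
    "2024-09-01 10:15:12 10.0.0.5 GET /about.aspx - 443 - 198.51.100.9 Mozilla/5.0 - - 200 0 0 4",
]

if __name__ == "__main__":
    for hit in find_control_requests(SAMPLE_LOG):
        print(*hit)
```

The third record is deliberately not flagged because the modeled parser only looks at the segment before the first `;`, matching the behaviour the page describes; a hunting query can loosen that to any cookie segment at the cost of more false positives. The more durable signal is the pairing: an `F=1` request followed shortly by `F=0` requests from the same client to an ordinary-looking page with a 200 response, which is also what makes a request-only view insufficient, since the module runs inside the IIS worker process and leaves no separate web-shell file on disk.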
The malicious IIS module is an evolution of the IIS backdoor family that ESET classified as Group 2 in August 2021 and of an earlier APT34 IIS backdoor codenamed RGDoor, and supports command execution and file read/write operations.
“This attack on Iraqi government infrastructure highlights the continued and focused efforts of Iranian threat actors operating in the region,” Check Point said.
“The deployment of a custom DNS tunneling protocol and email-based C2 channel leveraging compromised accounts highlights a deliberate effort by Iranian actors to develop and maintain specialized command and control mechanisms.”