Iranian Hackers Deploy WezRat in Targeted Phishing Campaigns

Threat Group: Emennet Pasargad (Cotton Sandstorm)
Threat Type: Remote Access Trojan (RAT) / Infostealer
Exploited Vulnerabilities: Social engineering through phishing campaigns
Malware Used: WezRat
Threat Score: High (8.5/10) — due to its modular design, advanced espionage capabilities, and targeted nature.
Last Threat Observation: November 16, 2024.


Overview

WezRat is a sophisticated and evolving Remote Access Trojan (RAT) attributed to the Iranian state-sponsored group Emennet Pasargad, also known as Cotton Sandstorm. The malware, active for over a year, has been used in targeted attacks across multiple countries, including Israel, the United States, France, and Sweden. Initially distributed via phishing campaigns, WezRat combines capabilities like information theft and system control, making it a versatile tool for espionage and cyber intrusions.

The most recent campaign impersonated the Israeli National Cyber Directorate (INCD) and distributed WezRat as part of a fake Chrome security update. This demonstrates the threat actors' ability to adapt and refine their delivery mechanisms and operational infrastructure.


Key Details

Delivery Method:

  • Phishing emails masquerading as urgent communications from INCD with fake security update installers.

Targeted Countries:

  • Israel, United States, France, Sweden

Functions:

  • Execute arbitrary commands
  • Capture screenshots
  • Upload and download files
  • Keylogging
  • Stealing clipboard content and browser cookies

Obfuscation:

  • Utilizes modular architecture with separate components downloaded from a C&C server in DLL format.

Industry Targeted:

  • Government and critical infrastructure

Attack Vectors

WezRat is disseminated through phishing campaigns designed to deceive recipients into believing they are receiving official security updates. Recent attacks involved emails originating from addresses like “alert@il-cert[.]net.” These emails prompted victims to install a Chrome update that delivered both the legitimate browser and the malicious WezRat payload.

Once executed, WezRat establishes communication with a command and control (C&C) server at “connect.il-cert[.]net,” which it uses to receive instructions and transmit stolen data.


Known Indicators of Compromise (IoCs)

FileHash-MD5

  • 6b0d7b2e422a93e81ceed3645d36dd40

FileHash-SHA256

  • 4431b2a4d7758907f81fb1a0c1e36b2ce03e08d43123b1c398487770afd20727
  • 5c03ac7128fb6e8ad923897e3696e08c943f4c819e5c1bdbe3df2b5774692d3d
  • 66b08e55d11f49493118e8a6cab1bb5f1953b2a4784a38c64cf7ed02bf781713
  • 898595a6646b94f9735442ae65deb5f5364eddf2a7008f66e9d7ee8b6c08c285
  • b96fad26fba197302fd11e1771e996387b7b23c2560e08f20c69069e173c7fa7
  • cf12b2043a05729839a29ff4bd23b4088888da1153ca81040a6c048417254a36
  • e37b95bb9bee64cc0313eaad8a0269493745f89413bd78b58bb3b479b36084ae

IP Addresses

  • 194[.]11[.]226[.]9
  • 194[.]4[.]49[.]175
  • 45[.]120[.]177[.]8
  • 45[.]143[.]167[.]87

Domains

  • il-cert[.]net
  • il-cert[.]org[.]il
  • onlinelive[.]info

Mitigation and Prevention

  1. User Awareness:
    • Conduct regular training on recognizing phishing emails, especially those impersonating security authorities.
  2. Email Filtering:
    • Implement robust email filtering mechanisms to detect and block phishing attempts.
  3. Endpoint Protection:
    • Ensure endpoints are protected with up-to-date antivirus and endpoint detection and response (EDR) solutions.
  4. Two-Factor Authentication (2FA):
    • Require 2FA for all critical accounts and services to reduce unauthorized access risks.
  5. System Monitoring:
    • Regularly review system and network logs for unusual activity, in particular DNS, proxy, and connection records that match the domains, IP addresses, and file hashes listed above.
  6. Software Updates:
    • Apply timely updates to software, especially browsers, to close known vulnerabilities.
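The following is an added example, not code from this advisory or from the researchers it cites, showing how the indicators listed above can be applied to the log review recommended under System Monitoring. It refangs the domains and IP addresses from the IoC section, matches them (including subdomains such as the C&C host connect.il-cert.net, while rejecting lookalikes that merely contain the string) against constructed DNS, proxy, connection and EDR-style log lines, checks a mail From: header for the impersonating sender domain, and compares file hashes against the listed values. The log field names (host=, dst=, sha256=), the sample lines and the mail header are all constructed for the example.

```python
"""Match the WezRat indicators from this advisory against sample log lines.

Added example; the log format (host=, dst=, sha256= fields) and the
sample lines are constructed, not taken from any real product or case.
"""
import re
from typing import List, Optional, Tuple

# Network indicators exactly as the advisory lists them, defanged with "[.]".
DEFANGED_DOMAINS = ["il-cert[.]net", "il-cert[.]org[.]il", "onlinelive[.]info"]
DEFANGED_IPS = ["194[.]11[.]226[.]9", "194[.]4[.]49[.]175",
                "45[.]120[.]177[.]8", "45[.]143[.]167[.]87"]

# File hashes from the advisory (one MD5, seven SHA-256), as plain lowercase hex.
FILE_HASHES = {
    "6b0d7b2e422a93e81ceed3645d36dd40",
    "4431b2a4d7758907f81fb1a0c1e36b2ce03e08d43123b1c398487770afd20727",
    "5c03ac7128fb6e8ad923897e3696e08c943f4c819e5c1bdbe3df2b5774692d3d",
    "66b08e55d11f49493118e8a6cab1bb5f1953b2a4784a38c64cf7ed02bf781713",
    "898595a6646b94f9735442ae65deb5f5364eddf2a7008f66e9d7ee8b6c08c285",
    "b96fad26fba197302fd11e1771e996387b7b23c2560e08f20c69069e173c7fa7",
    "cf12b2043a05729839a29ff4bd23b4088888da1153ca81040a6c048417254a36",
    "e37b95bb9bee64cc0313eaad8a0269493745f89413bd78b58bb3b479b36084ae",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("il-cert[.]net") back into matchable form."""
    return indicator.replace("[.]", ".").lower()


DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]
IPS = {refang(ip) for ip in DEFANGED_IPS}

# Field extractors for the constructed log format.
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"\b(?:dst|src)=(\d{1,3}(?:\.\d{1,3}){3})")
HASH_RE = re.compile(r"\b(?:md5|sha256)=([0-9a-fA-F]{32,64})\b")
SENDER_RE = re.compile(r"^From:.*?([\w.+-]+@[\w.-]+)", re.MULTILINE)


def domain_matches(host: str) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of.

    "connect.il-cert.net" matches "il-cert.net"; a lookalike such as
    "il-cert.net.example.com" does not, because only suffix labels count.
    """
    host = host.lower().rstrip(".")
    for listed in DOMAINS:
        if host == listed or host.endswith("." + listed):
            return listed
    return None


def scan_log_line(line: str) -> List[Tuple[str, str]]:
    """Return (indicator_type, indicator) pairs found in one log line."""
    hits: List[Tuple[str, str]] = []
    for m in HOST_RE.finditer(line):
        listed = domain_matches(m.group(1))
        if listed:
            hits.append(("domain", listed))
    for m in IP_RE.finditer(line):
        if m.group(1) in IPS:
            hits.append(("ip", m.group(1)))
    for m in HASH_RE.finditer(line):
        digest = m.group(1).lower()
        if digest in FILE_HASHES:
            hits.append(("hash", digest))
    return hits


def scan_logs(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan many lines; return (line_number, indicator_type, indicator) triples."""
    return [(n, kind, ioc)
            for n, line in enumerate(lines, start=1)
            for kind, ioc in scan_log_line(line)]


def check_sender(headers: str) -> Optional[str]:
    """Return the listed domain if the From: address uses it (or a subdomain)."""
    m = SENDER_RE.search(headers)
    if not m:
        return None
    return domain_matches(m.group(1).rsplit("@", 1)[1])


# Constructed sample data: DNS, proxy, connection and EDR-style lines plus one mail header.
SAMPLE_LOGS = [
    "2024-11-15T09:12:03Z dns query host=connect.il-cert.net client=10.0.0.21",
    "2024-11-15T09:12:04Z proxy host=update.example.com status=200",
    "2024-11-15T09:12:09Z conn dst=45.143.167.87:443 client=10.0.0.21",
    "2024-11-15T09:13:00Z edr file=chrome_update.exe "
    "sha256=e37b95bb9bee64cc0313eaad8a0269493745f89413bd78b58bb3b479b36084ae",
    "2024-11-15T09:13:01Z proxy host=il-cert.net.example.com status=200",
]
SAMPLE_MAIL = "From: INCD Alerts <alert@il-cert.net>\nSubject: Urgent Chrome security update"

if __name__ == "__main__":
    for n, kind, ioc in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {kind} indicator {ioc}")
    print("sender domain:", check_sender(SAMPLE_MAIL))
```

The suffix-label check in domain_matches is the part worth keeping when adapting this to a real log pipeline: a plain substring match would flag il-cert.net.example.com and miss nothing, but it would also fire on any host that merely contains the string, while an exact match would miss the C&C subdomain the advisory names. Hashes are compared only after lowercasing, since EDR products differ in the case they emit.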

Conclusion

WezRat is a dangerous and evolving malware threat designed for cyber espionage. Organizations in targeted regions must stay vigilant against phishing attacks and invest in layered security strategies to detect and mitigate its effects. Continued monitoring and enhanced user awareness are critical to maintaining defense against this malware.


Sources

  1. AlienVault: Malware Spotlight: A Deep-Dive Analysis of WezRat.
  2. The Hacker News: Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations.
  3. Check Point Research: WezRat: A New Iranian Remote Access Trojan Targeting Israeli Organizations.