EvilPlayout: Attack Against Iran’s State Broadcaster – Check Point Research

A Check Point Research analysis uncovers a coordinated IRIB cyberattack (Jan 2022) that hijacked state TV/radio playout, deployed backdoors, and used a wiper to disrupt broadcasting. The report details tools like SimplePlayout, Winscreeny, HttpCallbackService, HttpService, and a ServerLaunch dropper, with discussions on attribution and links to Iran’s broader wave of politically motivated intrusions. #IRIB #MEK #PredatorySparrow #Indra #Edalat-e-Ali #Tapandegan #MahanAir #SimplePlayout #Winscreeny #HttpCallbackService

Keypoints

  • The attack targeted Iran’s national broadcaster IRIB, hijacking channels to broadcast protest content and taunting messages against the Supreme Leader.
  • Attackers used multiple tools in a broadcast environment, including a .NET-based SimplePlayout to loop video and backdoors like Winscreeny, HttpCallbackService, HttpService, and a ServerLaunch dropper.
  • A wiper component (msdskint.exe) was deployed to disrupt operations by overwriting files and even wiping the MBR, with configurable modes and exclusions.
  • Evidence shows a cluster of artifacts uploaded to VirusTotal from Iranian IPs, containing configuration files, batch scripts, and forensics data tied to IRIB’s playout systems.
  • Several batch scripts and service-related techniques indicate attempts to gain persistence, execute payloads, and maintain C2 communication, often under the common Service1 name.
  • Attribution remains uncertain: Iranian officials point to MEK; Predatory Sparrow claimed related attacks; some links to Indra hypotheses are discussed, but no definitive proof ties all tools to a single actor.

MITRE Techniques

  • [T1485] Data Destruction – Wiper overwrites file content and can destroy storage, including the MBR. Quote: “The wiper has three modes to corrupt the files, and fills the bytes with random values.” and “DestroyMBR flag enables the malware to wipe the MBR by writing a hardcoded base64-encoded binary to the file precg.exe and then running it.”
  • [T1070.001] Clear Windows Event Logs – Wiper deletes Windows Event Logs using the command: `for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"`
  • [T1059.003] Windows Command Shell – Batch-based payloads and launchers (e.g., playjfalcfgcdq.bat) are used to execute and orchestrate malware steps. Quote: “To kill the video stream already playing, the attackers used a batch script called playjfalcfgcdq.bat.”
  • [T1053.005] Scheduled Task – Malicious service creates a scheduled task at startup. Quote: “At start, the service creates a scheduled task with the command: schtasks /create /TN "MicrosoftWindows.NET Framework.NETASM" /TR …”
  • [T1543.003] Create or Modify System Process: Windows Service – Malware runs as a Windows Service (e.g., “Service1”). Quote: “If the malware has no arguments, it runs as a service named “Service1”.”
  • [T1134] Access Token Manipulation – Privilege escalation via LsaAddAccountRights API call. Quote: “tries to gain privileges using the LsaAddAccountRights API function.”
  • [T1113] Screen Capture – Winscreeny backdoor captures screenshots. Quote: “The main purpose of the backdoor is to make screenshots of the victim’s computer.”
  • [T1090.001] Proxy – Backdoors use the compromised host as a proxy to the C2 URL. Quote: “After the ‘p=’ or ‘b=’ command is received, the backdoor uses the victim’s computer as a proxy to the URL it gets as an argument.”
  • [T1071.001] Web Protocols – HttpCallbackService/C2 communication over HTTP. Quote: “Every 5 seconds, HttpCallbackService sends a request to the C&C URL… to receive the list of commands.”
  • [T1560.001] Archive Collected Data – Local file manipulation via zip/unzip. Quote: “zip – Creates a zip file from the directory contents and returns it to the C&C.”
  • [T1120] Peripheral Device Discovery – Avar.exe enumerates audio devices and plays a WAV on each one. Quote: “enumerate through all active audio devices and play the WAV file on each one.”

Indicators of Compromise

  • [Hash] Wiper/Backdoor samples – 1607f31ac66dfec739dc675ade921582acb8446c2ac7d6d1bc65a3e993fc5b54, 42ed646eed4f949c456c637a222e7d94dd8ac67ed5ebda5e63c7b7979076d9cf, 8bdf6e262966a59a7242d279e511dd694467f07d1d76c456a0c26d0db2ec48a8, and 17 more hashes
  • [File name] Malware/backdoor executables – msdskint.exe, HttpService2.exe, and 2 more backdoor files
  • [File name] Video and audio payloads – TSE_90E11.mp4, TSE_90E11.001
  • [Batch Script] Discovery and deployment scripts – playjfalcfgcdq.bat, layoutabcpxtveni.bat, avapweiguyyyw.bat, breakusufjkjdil.bat, and other batch files
  • [INI files] Configuration used by playout and services – simpleplayout.ini, 436748-HttpService4.exe.ini
  • [DLL/EXE drops] Dropper and service components – dwDrvInst.exe, HttpService2.exe, HttpService4.exe, HttpCallbackService.exe, ServerLaunch
  • [Forensics] Event and memory artifacts – sec.evtx, application.evtx, lastfile2
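As an added example (not code from the report or from Check Point), the following Python detector turns the commands, file names and 5-second C&C polling quoted in the MITRE and IoC lists above into checks that run over process command lines and web-proxy log lines. The log format, host name and timestamps are constructed assumptions, not telemetry from the incident.

```python
import re
from collections import defaultdict
from statistics import median

# Command-line rules built from the commands and file names quoted above.
COMMAND_RULES = {
    "T1070.001 wevtutil clear-all loop": re.compile(
        r"wevtutil(\.exe)?\s+el\b.*wevtutil(\.exe)?\s+cl\b", re.I),
    "T1053.005 NETASM scheduled task": re.compile(
        r"schtasks\s+/create\b.*MicrosoftWindows\.NET Framework\.NETASM", re.I),
    "T1059.003 known batch launcher": re.compile(
        r"\b(playjfalcfgcdq|layoutabcpxtveni|avapweiguyyyw|breakusufjkjdil)\.bat\b", re.I),
    "known wiper/backdoor binary name": re.compile(
        r"\b(msdskint|HttpService[24]|HttpCallbackService|dwDrvInst)\.exe\b", re.I),
}

def match_command(cmdline):
    """Return the names of every rule that fires on one process command line."""
    return [name for name, rx in COMMAND_RULES.items() if rx.search(cmdline)]

def find_beacons(http_lines, period=5.0, jitter=0.5, min_hits=4):
    """Flag (host, url) pairs whose requests recur every ~period seconds, the
    5-second HttpCallbackService polling described in the report.
    Each line is 'epoch_seconds host METHOD url' (constructed format)."""
    seen = defaultdict(list)
    for line in http_lines:
        ts, host, _method, url = line.split()
        seen[(host, url)].append(float(ts))
    hits = []
    for key, times in seen.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= min_hits - 1 and abs(median(gaps) - period) <= jitter:
            hits.append(key)
    return hits

# Constructed sample telemetry, not taken from the report.
SAMPLE_CMDS = [
    'cmd.exe /c for /F "tokens=*" %1 in (\'wevtutil.exe el\') DO wevtutil.exe cl "%1"',
    'schtasks /create /TN "MicrosoftWindows.NET Framework.NETASM" /TR C:\\tmp\\x.exe',
    'C:\\ProgramData\\HttpService2.exe',
    'C:\\Windows\\System32\\notepad.exe report.txt',
]
SAMPLE_HTTP = [f"{1641900000 + 5 * i} PLAYOUT01 GET http://c2.invalid/cmd" for i in range(6)]
SAMPLE_HTTP += ["1641900001 PLAYOUT01 GET http://updates.invalid/a",
                "1641900070 PLAYOUT01 GET http://updates.invalid/a"]
if __name__ == "__main__":
    for c in SAMPLE_CMDS:
        print(match_command(c) or "clean", "<-", c[:60])
    print("beaconing:", find_beacons(SAMPLE_HTTP))
```

The beacon check keys on interval regularity rather than on a fixed URL, so it still fires if the C&C address changes but the 5-second cadence does not.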

Read more: https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/