Malware Spotlight: In-Depth Analysis of WezRat

Check Point Research analyzed WezRat, a modular infostealer tied to the Iranian group Emennet Pasargad that has been active for over a year and was recently spread via phishing impersonating the Israeli National Cyber Directorate. The campaign uses modular DLLs, a C2 infrastructure, and capabilities such as keylogging, screenshots, credential theft, and file exfiltration. #WezRat #EmennetPasargad

Keypoints

  • WezRat is a custom, modular infostealer attributed to the Iranian threat actor Emennet Pasargad.
  • The malware campaign has operated for more than a year and only recently received public technical analysis by Check Point.
  • Recent distribution used phishing lures impersonating the Israeli National Cyber Directorate to trick victims into installing a malicious MSI.
  • WezRat’s capabilities include command execution, keylogging, screenshots, clipboard theft, credential collection, and file uploads.
  • The malware’s architecture evolved over time with added DLL modules and changes to backend C2 infrastructure.
  • Analysis of the backend suggests separate development and operator components within the actor’s infrastructure.
  • Check Point provided detection and mitigation guidance to help protect against WezRat infections.

MITRE Techniques

  • [T1071] Command and Control – Uses multiple command and control domains to maintain communication with compromised systems. (‘Utilizes multiple command and control domains to maintain communication with compromised systems.’)
  • [T1003] Credential Dumping – Collects user credentials from the infected system for lateral movement or exfiltration. (‘Collects user credentials from the infected system.’)
  • [T1022] Data Encrypted – Encrypts collected data prior to exfiltration to evade detection. (‘Encrypts data before exfiltration to evade detection.’)
  • [T1210] Exploitation of Remote Services – Leverages vulnerabilities in remote services to gain initial or secondary access. (‘Exploits vulnerabilities in remote services to gain access.’)
  • [T1566] Phishing – Delivers the malware via deceptive emails impersonating legitimate organizations. (‘Uses deceptive emails to trick users into downloading malware.’)

Indicators of Compromise

  • [domain] C2 and phishing infrastructure – il-cert[.]net, connect.il-cert[.]net
  • [ip address] C2 server – 46.249.58[.]136
  • [email] Phishing sender address used in lures – alert@il-cert[.]net
  • [file name] Lure filename used to bait victims – Google Chrome Installer.msi
  • [file hash] Malicious payload hash – 6b0d7b2e422a93e81ceed3645d36dd40

WezRat is a sophisticated, modular infostealer developed and operated by the Iranian group Emennet Pasargad. Check Point’s analysis shows the malware evolved across multiple builds, adding DLL-based modules and refining its backend, which allowed operators to remotely execute commands, capture keystrokes, take screenshots, steal clipboard contents, and collect credentials.

Recent distribution campaigns used convincing phishing emails that impersonated the Israeli National Cyber Directorate and delivered a malicious MSI named “Google Chrome Installer.msi” linked to C2 domains like il-cert[.]net. The investigators also partially dismantled backend infrastructure, revealing operational distinctions that suggest separate developer and operator roles within the threat actor’s operations.

The report includes IOCs and recommended protections to detect and block WezRat activity, emphasizing monitoring of the identified domains, IPs, malicious hash, and email indicators, and applying standard defenses such as endpoint detection, network monitoring for C2 patterns, and user awareness against targeted phishing lures.
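The monitoring guidance above amounts to sweeping telemetry for the five indicator types the summary lists. The script below is an added example, not part of the Check Point report or of any product, that takes the indicators exactly as published (defanged), refangs them, and runs them over a handful of constructed DNS, proxy, mail-gateway and EDR log lines. It goes slightly beyond a plain string search: a DNS query for any subdomain of a listed C2 domain counts as a hit, while a look-alike such as `notil-cert.net` does not, and matching is case-insensitive for domains, addresses and hashes. The log format and the hosts, client IPs and timestamps in the sample lines are assumptions made up for the example; only the indicators come from the page.

```python
"""IOC sweep over constructed log lines using only the WezRat indicators
listed in the summary above (domains, IP, sender address, lure filename, MD5)."""
import re
from dataclasses import dataclass

# Indicators exactly as published (defanged) in the report summary.
DEFANGED_IOCS = {
    "domain": ["il-cert[.]net", "connect.il-cert[.]net"],
    "ip": ["46.249.58[.]136"],
    "email": ["alert@il-cert[.]net"],
    "file_name": ["Google Chrome Installer.msi"],
    "md5": ["6b0d7b2e422a93e81ceed3645d36dd40"],
}


def refang(value: str) -> str:
    """Turn a defanged indicator back into its real form for matching."""
    return value.replace("[.]", ".").replace("hxxp", "http")


# Normalised lookup sets; domains sorted longest-first so the most specific wins.
IOCS = {kind: {refang(v).lower() for v in values} for kind, values in DEFANGED_IOCS.items()}
DOMAINS = sorted(IOCS["domain"], key=len, reverse=True)

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    indicator: str  # the listed indicator that matched, refanged and lowercased


def match_domain(name: str):
    """Return the listed domain that `name` equals or is a subdomain of, else None.
    The leading dot in the suffix check stops look-alikes such as notil-cert.net."""
    name = name.lower()
    for listed in DOMAINS:
        if name == listed or name.endswith("." + listed):
            return listed
    return None


def scan_line(line_no: int, line: str) -> set:
    """Extract candidate observables from one log line and keep those on the IOC list."""
    hits = set()
    lowered = line.lower()
    for host in DOMAIN_RE.findall(line):
        listed = match_domain(host)
        if listed:
            hits.add(Hit(line_no, "domain", listed))
    for ip in IPV4_RE.findall(line):
        if ip in IOCS["ip"]:
            hits.add(Hit(line_no, "ip", ip))
    for addr in EMAIL_RE.findall(line):
        if addr.lower() in IOCS["email"]:
            hits.add(Hit(line_no, "email", addr.lower()))
    for digest in MD5_RE.findall(line):
        if digest.lower() in IOCS["md5"]:
            hits.add(Hit(line_no, "md5", digest.lower()))
    for name in IOCS["file_name"]:
        if name in lowered:
            hits.add(Hit(line_no, "file_name", name))
    return hits


def scan_logs(lines):
    """Scan every line; returns hits in line order, deduplicated per line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        hits.extend(sorted(scan_line(n, line), key=lambda h: (h.ioc_type, h.indicator)))
    return hits


# Constructed sample telemetry (assumed format, not from the report): DNS, proxy, mail, EDR.
SAMPLE_LOGS = [
    "2024-11-12T09:14:03Z dns client=10.0.0.21 query=connect.il-cert.net type=A",
    "2024-11-12T09:14:05Z proxy client=10.0.0.21 dst=46.249.58.136:443 method=CONNECT",
    '2024-11-12T09:02:41Z smtp from=alert@il-cert.net to=user@example.com subject="Security update"',
    '2024-11-12T09:10:17Z edr host=WS-021 event=file_create path="C:\\Users\\user\\Downloads\\Google Chrome Installer.msi" md5=6b0d7b2e422a93e81ceed3645d36dd40',
    "2024-11-12T09:20:00Z dns client=10.0.0.22 query=www.example.com type=A",
]

if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.ioc_type} -> {h.indicator}")
```

Four of the five sample lines produce hits (the benign `www.example.com` lookup does not); the mail line yields both an email and a domain hit because the sender domain is itself a listed C2 domain, which is the kind of overlap worth keeping rather than collapsing when the hits feed an alert.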

Read more: https://research.checkpoint.com/2024/wezrat-malware-deep-dive/