Check Point Research identified two new malware families, Veaty and Spearal, used in targeted attacks against Iraqi government networks, employing a passive IIS backdoor, DNS tunneling, and email-based C2. The campaign shows strong ties to Iranian threat actor APT34 and overlaps with earlier families like Karkoff and Saitama. #Veaty #Spearal #APT34 #Karkoff #Saitama #Iraq
Keypoints
- Discovery of two new malware families: Veaty and Spearal.
- Targeted attacks against Iraqi government entities.
- Use of a passive IIS backdoor and DNS tunneling for C2 communication.
- Malware shows strong connections to APT34 and previously identified malware families (Karkoff, Saitama, IIS Group2).
- Initial infection methods include social engineering and double-extension files.
- Veaty uses compromised email accounts for C2 communications.
- Spearal utilizes DNS tunneling and base32-encoded commands for communication.
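The base32-encoded DNS tunneling described for Spearal is something a defender can hunt for in resolver logs. The following is an added example, not code from Check Point's report or from the malware: it builds a constructed DNS query log (the `c2-placeholder.test` parent domain and the encoded command strings are made up here, not indicators from the campaign) and flags clients that send several high-entropy base32-looking labels to the same parent domain.

```python
import base64
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query log, one "<time> <client-ip> <qname>" per line (not from the report).
# The three long labels are base32-encoded text built here to mimic the encoding style
# attributed to Spearal; "c2-placeholder.test" is a placeholder, not a real campaign domain.
def _b32label(text: str) -> str:
    return base64.b32encode(text.encode()).decode().rstrip("=").lower()

SAMPLE_LOG = "\n".join([
    "10:00:01 10.1.2.3 www.example.com",
    f"10:00:02 10.1.2.3 {_b32label('tasklist /svc')}.c2-placeholder.test",
    f"10:00:03 10.1.2.3 {_b32label('ipconfig /all')}.c2-placeholder.test",
    f"10:00:04 10.1.2.3 {_b32label('systeminfo /fo csv')}.c2-placeholder.test",
    "10:00:05 10.1.2.9 aaaaaaaaaaaaaaaaaaaaaaaa.example.com",  # long label, but low entropy
    "10:00:06 10.1.2.9 mail.example.com",
])

# RFC 4648 base32 alphabet (DNS is case-insensitive, so compare lower-cased), padding stripped.
BASE32_LABEL = re.compile(r"[a-z2-7]{16,}")

def shannon_entropy(s: str) -> float:
    """Bits per character; base32 of ordinary text usually scores well above 3.0."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def is_tunnel_like(qname: str, min_entropy: float = 3.0) -> bool:
    """True if the leftmost label looks like a base32 chunk carrying data."""
    label = qname.lower().split(".")[0]
    return bool(BASE32_LABEL.fullmatch(label)) and shannon_entropy(label) >= min_entropy

def find_dns_tunnel_candidates(log_text: str, min_queries: int = 2) -> dict:
    """Return {(client, parent_domain): count} for clients that send at least
    `min_queries` tunnel-like names under the same parent domain."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        _, client, qname = line.split()
        if is_tunnel_like(qname):
            parent = ".".join(qname.lower().split(".")[1:])
            hits[(client, parent)] += 1
    return {key: n for key, n in hits.items() if n >= min_queries}

if __name__ == "__main__":
    for (client, parent), n in find_dns_tunnel_candidates(SAMPLE_LOG).items():
        print(f"{client} sent {n} base32-like queries under {parent}")
```

The entropy check keeps long but repetitive labels (CDN or autogenerated hostnames) from matching; tune `min_entropy` and `min_queries` against your own resolver baseline before alerting on it.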
MITRE Techniques
- [T1003] Credential Dumping – ‘Using compromised email accounts for command and control communication.’
- [T1071] Command and Control – ‘Utilizing DNS tunneling for communication.’ ‘Employing email-based C2 channels.’
- [T1547] Persistence – ‘Adding entries to the Windows registry for persistence.’
- [T1210] Exploitation of Remote Services – ‘Using a passive IIS backdoor to exploit web services.’
- [T1203] Social Engineering – ‘Initial infection through social engineering tactics.’
Indicators of Compromise
- [IP] Campaign infrastructure – 185.76.78.177, 91.132.95.117, and 4 more IPs
- [Domain] Command and control / target domains – iqwebservice[.]com, mofaiq[.]com, and 2 more domains
- [File hash] Veaty/Spearal hashes – a79e4424116dc0a76a179507ac914578, 1f1aaaf32be03ae7beb9d49f02de7669, and 9 more hashes
- [File name] Initial infection filenames – Avamer.pdf.exe, Protocol.pdf.exe, IraqiDoc.docx.rar
Read more: https://research.checkpoint.com/2024/iranian-malware-attacks-iraqi-government/