Iraq’s government networks have been targeted by a “sophisticated” campaign of cyberattacks by an Iranian state-run threat actor known as OilRig.
The attacks targeted Iraqi organizations such as the Prime Minister’s Office and the Ministry of Foreign Affairs, according to a new analysis by cybersecurity firm Check Point.
OilRig, also known as APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten, is an Iranian cyber group affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
Active since at least 2014, the group has a track record of conducting phishing attacks in the Middle East to deliver various custom backdoors such as Karkoff, Shark, Marlin, Saitama, MrPerfectionManager, PowerExchange, Solar, Mango and Menorah for stealing information.
The latest campaign is no exception in that it involves the use of a new set of malware families called Veaty and Spearal, which provide the ability to execute PowerShell commands and collect files of interest.
“The toolkit used in this targeted campaign uses unique command-and-control (C2) mechanisms, including a custom DNS tunneling protocol and a tailored email-based C2 channel,” Check Point said.
“The C2 channel is using compromised email accounts at the target organization, indicating that the threat actor has successfully penetrated the victim’s network.”
Some of the actions the threat actor took during and after the attack were consistent with tactics, techniques, and procedures (TTPs) used by OilRig when conducting similar operations in the past.
This includes the use of email-based C2 channels, specifically previously compromised mailboxes, to issue commands and exfiltrate data. The same modus operandi has been observed in several earlier backdoors such as Karkoff, MrPerfectionManager, and PowerExchange.
The attack chain starts with files disguised as benign documents (“Avamer.pdf.exe” or “IraqiDoc.docx.rar”), which, when launched, lead to the deployment of Veaty and Spearal. The infection route likely involved an element of social engineering.
These files initiate the execution of intermediate PowerShell or PyInstaller scripts, which in turn drop the malware executables and their XML-based configuration files containing information about the C2 server.
“The Spearal malware is a .NET backdoor that uses DNS tunneling to communicate with its command-and-control (C2) server,” Check Point said. “The data transmitted between the malware and the C2 server is encoded in the subdomains of DNS queries using a custom Base32 scheme.”
Spearal is designed to execute PowerShell commands, read the contents of a file and send it as Base32-encoded data, and retrieve data from the C2 server and write it to a file on the system.
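The DNS tunneling described above leaves a recognizable footprint in resolver logs: long, high-entropy subdomain labels drawn from a Base32 alphabet, many distinct subdomains under one parent domain, and a small number of clients generating them. The following Python script is an added detection example, not code from Check Point’s report or from the malware itself. The DNS log lines are constructed for illustration, the log format (timestamp, client, query name, query type) is assumed, the alphabet check uses the standard RFC 4648 lowercase Base32 alphabet because Spearal’s custom scheme is not published, and the “registered domain” is approximated as the last two labels rather than via a public-suffix list.

```python
import math
import re
from collections import defaultdict

# Assumed log format: "<timestamp> <client-ip> <qname> <qtype>" (one query per line).
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")

# Assumption: standard RFC 4648 Base32 alphabet, lowercased. A custom alphabet
# (as Check Point reports for Spearal) would need this set adjusted.
BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")

# Constructed sample DNS query log (not real traffic). Client 10.1.1.40 issues
# several queries whose subdomains carry Base32-looking payloads under one domain.
SAMPLE_LOG = """\
2024-09-01T10:00:01 10.1.1.23 www.example.com A
2024-09-01T10:00:02 10.1.1.23 mail.example.org MX
2024-09-01T10:00:03 10.1.1.40 nbswy3dpeb3w64tmmq.ctkp2xgozt.c2-example.test A
2024-09-01T10:00:04 10.1.1.40 krugkidrovuwg2zamjzg653oebtgcvm.vp3pqxg.c2-example.test A
2024-09-01T10:00:05 10.1.1.40 irsxg5dfon2gc3tebxgcm3dmf4.zp2sqyg.c2-example.test A
2024-09-01T10:00:06 10.1.1.40 pff6iygyitvbqcmsrrgtsa2dpojqvme.q4kq3zf.c2-example.test A
2024-09-01T10:00:07 10.1.1.23 d1a2b3c4e5f6a7b8.cdn.example.net A
2024-09-01T10:00:08 10.1.1.23 cdn.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Split a query name into (subdomain part, registered domain).

    Assumption: the registered domain is the last two labels. Real deployments
    should use a public-suffix list (e.g. co.uk) instead of this shortcut.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def looks_like_base32_tunnel(subdomain: str, min_payload_len: int = 24,
                             min_entropy: float = 3.0) -> bool:
    """Heuristic: enough encoded bytes, only Base32 characters, high entropy."""
    payload = subdomain.replace(".", "")
    if len(payload) < min_payload_len:
        return False
    if not set(payload) <= BASE32_ALPHABET:   # e.g. '0', '1', '8', '9' rule it out
        return False
    return shannon_entropy(payload) >= min_entropy


def find_tunneling(log_text: str, min_unique: int = 3) -> dict:
    """Return {(client, domain): unique suspicious subdomain count} for pairs
    that exceed min_unique. Counting unique subdomains per (client, domain)
    filters out a single odd-looking but legitimate hostname."""
    per_pair = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        sub, dom = split_qname(m["qname"])
        if sub and looks_like_base32_tunnel(sub):
            per_pair[(m["client"], dom)].add(sub)
    return {pair: len(subs) for pair, subs in per_pair.items() if len(subs) >= min_unique}


if __name__ == "__main__":
    for (client, domain), count in find_tunneling(SAMPLE_LOG).items():
        print(f"possible DNS tunneling: client={client} domain={domain} unique_subdomains={count}")
```

The thresholds (payload length, entropy, unique-subdomain count) are tuning knobs: content-delivery networks and anti-virus cloud lookups also produce long machine-generated labels, so in practice the alert should be enriched with the query volume over time and whether the parent domain is newly seen for the organization.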
Also written in .NET, Veaty uses email to communicate with its C2 server, with the ultimate goal of downloading files and executing commands through specific mailboxes belonging to the gov-iq.net domain. The supported commands allow uploading and downloading files and running PowerShell scripts.
Check Point said that an analysis of the threat actor’s infrastructure led to the discovery of another XML configuration file that is likely related to a third SSH tunneling backdoor.
It also identified an HTTP-based backdoor, CacheHttp.dll, which targets Microsoft Internet Information Services (IIS) servers, hooks the OnGlobalPreBeginRequest event to inspect incoming web requests, and executes commands when they arrive.
“The execution process begins by checking whether the Cookie header is present in incoming HTTP requests and reads until the ; character,” Check Point said. “The primary option is F=0/1, which indicates whether the backdoor initializes its command configuration (F=1) or runs commands based on that configuration (F=0).”
The malicious IIS module, an evolution of malware that ESET classified as Group 2 in August 2021 and of another APT34 IIS backdoor codenamed RGDoor, supports command execution and file read/write operations.
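Because CacheHttp.dll keys on the start of the Cookie header up to the first “;” and expects an “F=0” or “F=1” option there, the same pattern can be hunted for in IIS W3C logs, provided the optional cs(Cookie) field is enabled in logging. The script below is an added detection example written for this article, not code from Check Point or the malware; the log excerpt is constructed, and the rule matches only what the report describes (first cookie segment exactly F=0 or F=1), so it is a hunting lead rather than a definitive indicator.

```python
import re

# Constructed IIS W3C extended log excerpt (not real logs). The cs(Cookie)
# column only appears if it was enabled in the site's logging configuration;
# IIS writes '+' in place of spaces and '-' for an absent header.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Cookie)
2024-09-01 10:00:01 198.51.100.7 GET /index.html 200 ASP.NET_SessionId=abc123;+theme=dark
2024-09-01 10:00:05 203.0.113.9 GET /static/logo.png 200 F=1;+x=aGVsbG8=
2024-09-01 10:00:06 203.0.113.9 GET /static/logo.png 200 F=0
2024-09-01 10:00:09 198.51.100.7 GET /about.html 200 -
"""

# Per the report: F=1 initializes the command configuration, F=0 runs it.
BACKDOOR_OPTION_RE = re.compile(r"^F=[01]$")


def first_cookie_segment(cookie_field: str) -> str:
    """Mimic the backdoor's parsing: read the Cookie value up to the first ';'."""
    return cookie_field.split(";", 1)[0].strip()


def parse_w3c(log_text: str):
    """Yield one dict per log entry, using the most recent #Fields directive
    as the column layout. Comment/directive lines are skipped."""
    columns = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            columns = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or columns is None:
            continue
        values = line.split(" ")
        if len(values) != len(columns):
            continue  # malformed or truncated line; ignore rather than misalign
        yield dict(zip(columns, values))


def find_cookie_backdoor_hits(log_text: str):
    """Return (timestamp, client-ip, first cookie segment) for each request
    whose Cookie header starts with the F=0/F=1 option the backdoor expects."""
    hits = []
    for entry in parse_w3c(log_text):
        cookie = entry.get("cs(Cookie)", "-")
        if cookie == "-":
            continue
        head = first_cookie_segment(cookie)
        if BACKDOOR_OPTION_RE.match(head):
            hits.append((f"{entry['date']} {entry['time']}", entry["c-ip"], head))
    return hits


if __name__ == "__main__":
    for ts, ip, head in find_cookie_backdoor_hits(SAMPLE_IIS_LOG):
        print(f"{ts} {ip} Cookie starts with backdoor option {head}")
```

A legitimate application could in principle set a cookie literally named F, so a hit is best confirmed by checking the server’s loaded native modules (for example with appcmd list modules or by inspecting the applicationHost.config globalModules section) for an unexpected DLL, and by looking at what the same client IP requested immediately afterwards.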
“This campaign against Iraqi government infrastructure highlights the sustained and targeted efforts of Iranian threat actors operating in the region,” Check Point said.
“The deployment of a custom DNS tunneling protocol and an email-based C2 channel that uses compromised accounts highlights a deliberate effort by Iranian actors to develop and maintain specialized command and control mechanisms.”