Cybersecurity researchers have shed light on a new remote access Trojan and information stealer used by Iranian state-sponsored entities to conduct reconnaissance on compromised endpoints and execute malicious commands.
Cybersecurity company Check Point, which has codenamed the malware WezRat, said it has been detected in the wild since at least September 1, 2023, based on artifacts uploaded to the VirusTotal platform.
“WezRat can execute commands, take screenshots, download files, execute keyloggers, and steal clipboard contents and cookies,” the company said in a technical report. “Some functions are performed by separate modules obtained from the command and control (C&C) server as DLL files, making the core component of the backdoor less suspicious.”
WezRat is believed to be the work of Cotton Sandstorm, an Iranian hacking group better known as Emennet Pasargad and, more recently, Aria Sepehr Ayandehsazan (ASA).
The malware was first documented late last month by U.S. and Israeli cybersecurity agencies, which described it as an “exploitation tool to gather endpoint information and execute remote commands.”
According to government authorities, the attack chains involve the use of trojanized Google Chrome installers (“Google Chrome Installer.msi”), which, in addition to installing the legitimate Chrome web browser, are configured to run a second binary file called “Updater.exe” (internally called “bd.exe”).
The second executable, for its part, is designed to gather system information and establish a connection to the command and control (C&C) server (“connect.il-cert(.)net”) to await further instructions.
Check Point said it observed WezRat being distributed to several Israeli organizations as part of phishing emails impersonating Israel’s National Cyber Directorate (INCD). The emails, sent on October 21, 2024, originated from the email address “alert@il-cert(.)net” and urged recipients to urgently install a Chrome security update.
“The backdoor executes with two parameters: connect.il-cert.net 8765, which represents the C&C server, and a number used as a ‘password’ for the backdoor to execute correctly,” Check Point said, noting that providing an incorrect password could cause the malware to “perform an incorrect function or potentially crash”.
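As a defender-side illustration of the delivery chain and C&C parameters described above, the following is an added Python example (not Check Point's code, nor anything from the government advisories) that runs simple hunting rules over constructed endpoint and mail telemetry. Only the indicator values (installer name, dropped binary names, C&C host and port, sender address) come from the reporting summarised in this article; the event schema, the msiexec.exe parent-process assumption and the Chrome-update subject heuristic are assumptions made for this example.

```python
"""Hunting rules for the WezRat delivery chain described in the article, run over
constructed sample telemetry. Added example for defenders; not Check Point's or
any agency's tooling. Indicator values come from the public reporting; the event
format, field names and the parent-process assumption are this example's own.
"""
import re
from dataclasses import dataclass

# Indicators taken from the public reporting summarised in the article.
C2_HOST = "connect.il-cert.net"
C2_PORT = 8765
INSTALLER_NAME = "google chrome installer.msi"
DROPPED_BINARIES = {"updater.exe", "bd.exe"}
PHISHING_SENDER = "alert@il-cert.net"

# Assumption (not stated in the article): an MSI custom action launches the dropped
# binary, so its parent would be the Windows Installer service process.
INSTALLER_PARENT = "msiexec.exe"


@dataclass(frozen=True)
class Alert:
    rule: str
    event_id: int
    detail: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_process(ev: dict) -> list[Alert]:
    """Flag the reported dropper names under the installer, and C&C args on the command line."""
    alerts = []
    image = _basename(ev.get("image", ""))
    parent = _basename(ev.get("parent_image", ""))
    cmdline = ev.get("cmdline", "")
    # A binary with one of the reported names spawned by the installer service.
    if image in DROPPED_BINARIES and parent == INSTALLER_PARENT:
        alerts.append(Alert("dropper_from_installer", ev["id"], f"{parent} -> {image}"))
    # The reported host and port passed as arguments: "connect.il-cert.net 8765 <password>".
    if re.search(rf"{re.escape(C2_HOST)}\s+{C2_PORT}\b", cmdline, re.IGNORECASE):
        alerts.append(Alert("c2_args_on_cmdline", ev["id"], cmdline))
    return alerts


def check_network(ev: dict) -> list[Alert]:
    """Flag connections to the reported C&C host and port."""
    if ev.get("dest_host", "").lower() == C2_HOST and ev.get("dest_port") == C2_PORT:
        return [Alert("c2_connection", ev["id"], f"{ev['dest_host']}:{ev['dest_port']}")]
    return []


def check_email(ev: dict) -> list[Alert]:
    """Flag mail from the reported sender, or from its domain with a Chrome-update lure."""
    sender = ev.get("from", "").lower()
    subject = ev.get("subject", "").lower()
    if sender == PHISHING_SENDER:
        return [Alert("incd_lookalike_sender", ev["id"], sender)]
    # Assumption: same sender domain plus Chrome/update wording merits a lower-confidence alert.
    domain = PHISHING_SENDER.split("@")[1]
    if sender.endswith("@" + domain) and "chrome" in subject and "update" in subject:
        return [Alert("incd_lookalike_domain", ev["id"], sender)]
    return []


CHECKS = {"process": check_process, "network": check_network, "email": check_email}


def hunt(events: list[dict]) -> list[Alert]:
    """Run the check matching each event's type and collect all alerts."""
    alerts: list[Alert] = []
    for ev in events:
        alerts.extend(CHECKS.get(ev.get("type"), lambda _e: [])(ev))
    return alerts


# Constructed sample telemetry: three records imitating the reported chain, three benign.
SAMPLE_EVENTS = [
    {"id": 1, "type": "email", "from": "alert@il-cert.net",
     "subject": "Urgent: install the Chrome security update"},
    {"id": 2, "type": "process", "image": r"C:\Users\user\AppData\Local\Temp\Updater.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "Updater.exe connect.il-cert.net 8765 <password-placeholder>"},
    {"id": 3, "type": "network", "dest_host": "connect.il-cert.net", "dest_port": 8765},
    {"id": 4, "type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "chrome.exe --profile-directory=Default"},
    {"id": 5, "type": "network", "dest_host": "update.googleapis.com", "dest_port": 443},
    {"id": 6, "type": "email", "from": "newsletter@example.com", "subject": "Weekly digest"},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a.rule}] event {a.event_id}: {a.detail}")
```

Event 2 trips two rules at once (the dropper name under the installer process and the C&C host and port on its command line), which is the kind of overlap worth keeping: either indicator alone survives the other being changed in a later build, as the article notes earlier versions hard-coded the server address instead of taking it as an argument.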
“Earlier versions of WezRat had hard-coded C&C server addresses and did not rely on the ‘password’ argument to launch,” Check Point said. “WezRat originally functioned more like a simple remote access trojan with basic commands. Over time, additional features such as the screenshot capability and keylogger were included and handled as separate commands.”
Additionally, the company’s analysis of the malware and its backend infrastructure reveals that at least two different teams are involved in the development and operation of WezRat.
“The ongoing development and improvement of WezRat indicates a focused investment in maintaining a versatile and evasive cyberespionage tool,” the company concluded.
“Emennet Pasargad’s activities target various organizations in the United States, Europe, and the Middle East, posing a threat not only to direct political opponents, but to any group or individual with influence over Iran’s international or domestic situation.”