Iranian Cyber Group OilRig Targets Iraqi Government in Sophisticated Malware Attack
Iraqi government networks have emerged as the target of an "elaborate" cyber attack campaign conducted by an Iran state-sponsored threat actor named OilRig.
The attacks specifically targeted Iraqi agencies such as the Prime Minister's Office and the Ministry of Foreign Affairs, cybersecurity firm Check Point stated in new research.
OilRig, also nicknamed APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (previously EUROPIUM), and Helix Kitten, is an Iranian cyber organization connected with the Iranian Ministry of Intelligence and Security (MOIS).
Active since at least 2014, the gang has a track record of conducting phishing assaults in the Middle East to distribute a range of bespoke backdoors such as Karkoff, Shark, Marlin, Saitama, MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah for information theft.
The latest campaign is notable in that it involves the deployment of a new set of malware families named Veaty and Spearal, which have the capability to execute PowerShell commands and harvest files of interest.
"The toolset used in this targeted campaign employs unique command-and-control (C2) mechanisms, including a custom DNS tunneling protocol, and a tailor-made email-based C2 channel," Check Point stated.
"The C2 channel uses compromised email accounts within the targeted organization, indicating that the threat actor successfully infiltrated the victim's networks."
Some of the activities the threat actor carried out during and after the attack were consistent with tactics, techniques, and procedures (TTPs) that OilRig has used in similar operations in the past.
This includes the use of email-based C2 channels, specifically leveraging previously compromised mailboxes to issue commands and exfiltrate data. This modus operandi has also been observed in various backdoors such as Karkoff, MrPerfectionManager, and PowerExchange.
The attack chain begins with deceptive files posing as innocuous documents ("Avamer.pdf.exe" or "IraqiDoc.docx.rar") that, when launched, pave the way for the deployment of Veaty and Spearal. The infection process is believed to have involved an element of social engineering.
The files trigger the execution of intermediary PowerShell or Pyinstaller scripts that, in turn, drop the malware executables and their XML-based configuration files, which contain information about the C2 server.
"The Spearal malware is a .NET backdoor that utilizes DNS tunneling for [C2] communication," Check Point claimed. "The data transferred between the malware and the C2 server is encoded in the subdomains of DNS queries using a custom Base32 scheme."
Spearal is designed to execute PowerShell commands, read file contents and transmit them as Base32-encoded data, and retrieve data from the C2 server and write it to a file on the machine.
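The custom Base32-in-subdomain encoding described above gives defenders a concrete detection hook: the queried names are long labels drawn only from the Base32 alphabet, with high character entropy and many distinct subdomains under one parent domain. The following is an added illustration, not Check Point's code; the log format, the `c2-example.invalid` domain and the length/entropy thresholds are constructed assumptions for demonstration.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (hypothetical "<timestamp> <client> <qname>" format).
# The long labels are random Base32-alphabet strings, not real Spearal traffic.
SAMPLE_LOG = """\
2024-09-01T10:00:01Z 10.0.0.5 www.example.com
2024-09-01T10:00:02Z 10.0.0.5 mbzw6ylomnxw2ylpnfxgs3lfebxw4ic7.c2-example.invalid
2024-09-01T10:00:03Z 10.0.0.5 gezdgnbvgy3tqojqgezdgnbvgy3tqojq.c2-example.invalid
2024-09-01T10:00:04Z 10.0.0.5 mfrgg43fmnxw4ylrmfwgc3tuovwwc2lu.c2-example.invalid
2024-09-01T10:00:05Z 10.0.0.5 mail.example.com
"""

# RFC 4648 Base32 alphabet (lower-cased), and an assumed minimum label length of 20.
BASE32_LABEL = re.compile(r"^[a-z2-7]{20,}$")
ENTROPY_THRESHOLD = 3.0  # bits per character; assumed cut-off for "looks encoded"

def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def suspicious_labels(qname: str) -> list[str]:
    """Return the leftmost labels of qname that look like Base32-encoded payload."""
    labels = qname.lower().rstrip(".").split(".")[:-2]  # assumes a 2-label parent domain
    return [l for l in labels
            if BASE32_LABEL.match(l) and shannon_entropy(l) > ENTROPY_THRESHOLD]

def find_tunneling_candidates(log_text: str, min_unique: int = 3) -> dict[str, int]:
    """Map parent domain -> count of distinct suspicious subdomains, keeping parents
    that received at least min_unique such queries (one-off hits are noisy)."""
    per_parent = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        qname = parts[2].lower().rstrip(".")
        if suspicious_labels(qname):
            per_parent[".".join(qname.split(".")[-2:])].add(qname)
    return {p: len(s) for p, s in per_parent.items() if len(s) >= min_unique}

if __name__ == "__main__":
    print(find_tunneling_candidates(SAMPLE_LOG))  # {'c2-example.invalid': 3}
```

Short-label lookups such as `www.example.com` pass through untouched, while three distinct high-entropy Base32 subdomains under one parent are surfaced for analyst review.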
Also written in .NET, Veaty uses email for C2 communications, with the ultimate goal of downloading files and executing commands via specific mailboxes belonging to the gov-iq.net domain. The supported commands allow it to upload/download files and execute PowerShell scripts.
Check Point said its analysis of the threat actor's infrastructure led to the discovery of a new XML configuration file that is likely associated with a third, SSH tunneling backdoor.
It additionally uncovered an HTTP-based backdoor, CacheHttp.dll, that targets Microsoft's Internet Information Services (IIS) servers and scans incoming web requests for "OnGlobalPreBeginRequest" events and executes instructions when they occur.
"The execution process begins by checking if the Cookie header is present in incoming HTTP requests and reads until the ';' sign," Check Point warned. "The main parameter is F=0/1 which indicates whether the backdoor initializes its command configuration (F=1) or runs the commands based on this configuration (F=0)."
The malicious IIS module, which represents an evolution of a trojan classified as Group 2 by ESET in August 2021 and of another APT34 IIS backdoor nicknamed RGDoor, enables command execution and file read/write operations.
"This campaign against Iraqi government infrastructure highlights the sustained and focused efforts of Iranian threat actors operating in the region," the firm stated.
"The deployment of a custom DNS tunneling protocol and an email-based C2 channel leveraging compromised accounts highlights the deliberate effort by Iranian actors to develop and maintain specialized command-and-control mechanisms."