Iranian Cyber Attacks Target Iraqi Government Using Advanced Veaty and Spearal Malware
Introduction
In an increasingly interconnected world, cyberattacks have become a critical threat to national security and government infrastructure. Recently, Check Point Research (CPR) uncovered a series of cyberattacks targeting Iraqi government entities. These attacks deployed two new malware families, Veaty and Spearal, which utilize advanced techniques such as passive backdoors, DNS tunneling, and email-based command-and-control (C2) communications. These malware strains are closely tied to Iranian APT groups, particularly APT34, an organization associated with Iran’s Ministry of Intelligence and Security (MOIS).
This blog provides an in-depth look at the attack techniques, malware features, and implications for cybersecurity in government networks, especially in high-risk regions like the Middle East.
Key Findings of the Campaign
CPR’s research revealed several key insights into the recent cyber espionage campaign against Iraqi governmental organizations:
- Discovery of New Malware: Veaty and Spearal, two previously unknown malware families, were found targeting Iraqi government networks.
- Advanced Techniques: The malware leverages sophisticated tactics, including DNS tunneling, passive IIS backdoors, and the use of compromised email accounts for C2 communication.
- Connection to APT34: Both Veaty and Spearal bear notable similarities to previously identified APT34 malware like Karkoff, Saitama, and IIS Group 2, all tied to Iranian cyber espionage activities.
Malware Details: Veaty and Spearal
Veaty Backdoor
Veaty is a .NET backdoor that uses compromised email accounts for its command-and-control communications. It has the capability to upload and download files, execute commands, and communicate through mailboxes. The malware bypasses security by disabling SSL/TLS certificate verification, allowing it to interact with servers unnoticed.
The configuration file in Veaty enables it to:
- Access compromised email accounts: The malware can authenticate using hardcoded credentials or attempt default ones.
- Establish C2 communication: Veaty creates specific email rules to organize and hide command-and-control messages within the victim’s inbox.
- Execute commands via email: Commands are encrypted and sent to and from the compromised email accounts, hiding them from normal view.
Veaty’s use of email-based C2 channels highlights the importance of digital footprint analysis and brand protection strategies, as compromised email accounts can be exploited for more than just data theft—they can serve as powerful tools in maintaining a foothold in a target network.
Spearal Backdoor
Spearal, another .NET-based malware, utilizes DNS tunneling to communicate with its C2 server. This malware encodes data in DNS query subdomains using a custom Base32 encoding scheme. It sends queries to a domain specified in its configuration file, or by default, to iqwebservice[.]com.
Spearal operates as follows:
- Stealthy Data Transfer: Information between the malware and C2 is encoded and transmitted via DNS queries, making it difficult to detect with conventional network monitoring tools.
- Command Execution: Commands such as file downloads, uploads, and PowerShell executions are triggered by Base32-encoded messages sent through DNS queries.
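Because Spearal encodes its traffic with a custom Base32 alphabet that is not published here, a defender cannot simply decode the queries; what can be done is flag DNS queries whose subdomains are structurally consistent with an encoded payload. The script below is an added example (not Check Point's or Foresiet's code) that scans DNS query log lines for long subdomains drawn entirely from the Base32 character set and for clients issuing many distinct subdomains under one parent domain. It assumes the standard RFC 4648 alphabet, a three-column log format, and that the parent domain is the last two labels; the log lines are constructed for the example, using the default domain named on this page.

```python
"""Heuristic detector for DNS-tunneling queries of the kind Spearal uses.

Added example, not code from the original research. Detection is structural
(character set, payload length, distinct-subdomain volume) because the
malware's custom Base32 alphabet is not known from this page.
"""
from collections import defaultdict

# RFC 4648 Base32 alphabet (assumption: Spearal's custom alphabet may differ).
BASE32_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")
MIN_ENCODED_LENGTH = 24     # assumed threshold: hostnames rarely carry this much label text
MIN_UNIQUE_SUBDOMAINS = 5   # assumed threshold: distinct subdomains per client/parent pair

# Constructed sample log: "<timestamp> <client_ip> <query_name>" per line.
SAMPLE_LOG = """\
2024-09-01T10:00:01Z 10.1.2.3 www.example.org
2024-09-01T10:00:02Z 10.1.2.3 mail.example.org
2024-09-01T10:00:03Z 10.1.2.3 a1b2c3d4e5f6g7h8i9j0.cdn.example.net
2024-09-01T10:00:04Z 10.1.2.3 MFRGGZDFMZTWQ2LK.NBSWY3DPEB3W64TMMQ.iqwebservice.com
2024-09-01T10:00:05Z 10.1.2.3 ONUW4ZLSMVXGK3TDMU.KRSXG5BAMFXGIIDB.iqwebservice.com
2024-09-01T10:00:06Z 10.1.2.3 GEZDGNBVGY3TQOJQ.iqwebservice.com
2024-09-01T10:00:07Z 10.1.2.3 MJQXGZJTGIQGS4ZANFXCA5DIMUQHI5LONZSWY.iqwebservice.com
2024-09-01T10:00:08Z 10.1.2.3 KRUGS4ZANFZSAYJAORSXG5A.NFXCAYLOEBXXE3LBNQQG.iqwebservice.com
2024-09-01T10:00:09Z 10.1.2.3 ORSXG5BANFXCA5DIMUQHG5LCMRXW2YLJNY.iqwebservice.com
"""


def parse_line(line):
    """Return (client_ip, query_name) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return parts[1], parts[2].rstrip(".").lower()


def split_query(qname):
    """Split a query name into (parent_domain, subdomain_labels).
    Assumes the parent is the last two labels (no public-suffix handling)."""
    labels = qname.split(".")
    if len(labels) < 3:
        return None, labels
    return ".".join(labels[-2:]), labels[:-2]


def looks_base32_encoded(labels):
    """True when every subdomain label uses only Base32 characters and the
    concatenated text is long enough to be carrying data rather than a name."""
    if not labels:
        return False
    payload = "".join(labels).upper()
    if len(payload) < MIN_ENCODED_LENGTH:
        return False
    return all(set(label.upper()) <= BASE32_CHARS for label in labels)


def scan_dns_log(text):
    """Return encoded-looking queries and (client, parent) pairs with many distinct subdomains."""
    per_parent = defaultdict(set)
    encoded_hits = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname = parsed
        parent, sub_labels = split_query(qname)
        if parent is None:
            continue
        per_parent[(client, parent)].add(".".join(sub_labels))
        if looks_base32_encoded(sub_labels):
            encoded_hits.append((client, qname))
    volume_hits = sorted(
        (client, parent, len(subs))
        for (client, parent), subs in per_parent.items()
        if len(subs) >= MIN_UNIQUE_SUBDOMAINS
    )
    return {"encoded_queries": encoded_hits, "high_volume_parents": volume_hits}


if __name__ == "__main__":
    result = scan_dns_log(SAMPLE_LOG)
    for client, qname in result["encoded_queries"]:
        print(f"encoded-looking query from {client}: {qname}")
    for client, parent, count in result["high_volume_parents"]:
        print(f"{client} issued {count} distinct subdomains under {parent}")
```

The long CDN-style hostname in the sample is not flagged because it contains digits outside the Base32 alphabet, and the short 16-character query is caught only by the volume rule; in production both thresholds need tuning against a baseline of the organisation's own resolver logs, and the two rules are best combined rather than alerted on individually.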
This technique highlights how online risk evaluation and digital threat scoring are crucial in monitoring unusual network behavior, particularly in government sectors where advanced threat actors are likely to use non-standard methods to exfiltrate sensitive data.
Initial Infection Tactics
The campaign’s infection vector relied on cleverly disguised files with double extensions, such as “Avamer.pdf.exe” and “Protocol.pdf.exe,” alongside installers mimicking legitimate software. Social engineering appears to have played a key role, as some files included official logos, such as that of the Iraqi General Secretariat of the Council of Ministers. Once executed, these files ran PowerShell scripts or PyInstaller-packaged Python programs that installed the malware and established persistence by modifying registry entries.
Evolution of the IIS Backdoor: CacheHttp.dll
In addition to the newly discovered Veaty and Spearal backdoors, the campaign also included a passive IIS backdoor named CacheHttp.dll. This module operates on infected web servers, listening for specific HTTP requests and executing commands embedded in the "Cookie" header of incoming traffic. This method of embedding commands within web traffic shows the attacker’s commitment to staying under the radar by using passive, hard-to-detect communication channels.
The evolution of CacheHttp.dll reflects the continued refinement of HTTP-based backdoors, which have evolved from earlier malware variants like RGDoor, previously attributed to APT34. This evolution highlights how APT groups continuously refine their toolsets to adapt to modern defense mechanisms.
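A passive IIS backdoor that reads its commands from the Cookie header leaves no outbound beacon to catch, so the request log is one of the few places the channel shows up. The script below is an added example (not the researchers' or Foresiet's code) that parses IIS W3C extended logs and flags cookies that are unusually long and high-entropy, which is what an encoded command blob looks like next to ordinary session cookies. It assumes the cs(Cookie) field has been enabled in IIS logging (it is off by default), an allowlist of cookie names the application is known to set, and thresholds chosen for the example; the log lines and the opaque payload are constructed.

```python
"""Flag anomalous Cookie header values in IIS W3C logs.

Added example, not code from the original research. Requires cs(Cookie) to be
logged; the allowlist, thresholds and sample log are assumptions for the demo.
"""
import base64
import math
from collections import Counter

KNOWN_COOKIES = {"ASP.NET_SessionId", "__RequestVerificationToken", "lang"}  # assumed allowlist
MIN_SUSPICIOUS_LEN = 128   # assumed threshold on a single cookie value
MIN_ENTROPY = 4.5          # assumed threshold in bits per character

# Constructed opaque payload standing in for an encoded command blob (not a real sample).
PAYLOAD_BLOB = base64.urlsafe_b64encode(bytes(range(192))).decode()

# Constructed W3C log. IIS writes '-' for an absent field and '+' for spaces.
SAMPLE_IIS_LOG = (
    "#Software: Microsoft Internet Information Services 10.0\n"
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip "
    "cs(User-Agent) cs(Cookie) sc-status\n"
    "2024-09-01 10:00:01 192.0.2.10 GET /portal/default.aspx - 443 198.51.100.7 "
    "Mozilla/5.0 ASP.NET_SessionId=abc123def456;+lang=en 200\n"
    "2024-09-01 10:00:05 192.0.2.10 GET /portal/login.aspx - 443 198.51.100.7 "
    "Mozilla/5.0 - 302\n"
    "2024-09-01 10:00:09 192.0.2.10 GET /portal/default.aspx - 443 203.0.113.44 "
    f"Mozilla/5.0 id={PAYLOAD_BLOB} 200\n"
)


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_w3c(text):
    """Yield one dict per data row, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log data appears before the #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row; skipping beats misaligning columns
        yield dict(zip(fields, values))


def split_cookies(raw):
    """Split a logged cs(Cookie) value into (name, value) pairs."""
    if raw == "-":
        return []
    pairs = []
    for part in raw.replace("+", " ").split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def suspicious_cookies(text):
    """Return rows whose non-allowlisted cookies are both long and high-entropy."""
    hits = []
    for row in parse_w3c(text):
        for name, value in split_cookies(row.get("cs(Cookie)", "-")):
            if name in KNOWN_COOKIES:
                continue
            ent = shannon_entropy(value)
            if len(value) >= MIN_SUSPICIOUS_LEN and ent >= MIN_ENTROPY:
                hits.append({"client": row["c-ip"], "uri": row["cs-uri-stem"],
                             "cookie": name, "length": len(value), "entropy": round(ent, 2)})
    return hits


if __name__ == "__main__":
    for hit in suspicious_cookies(SAMPLE_IIS_LOG):
        print(hit)
```

Legitimate long tokens such as JWTs will trip the same rule, which is why the allowlist of cookie names the application actually sets matters more than the numeric thresholds; a second useful pivot is to group hits by client address and URI, since a passive backdoor tends to be driven from a small set of sources hitting one path.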
Attribution to APT34
APT34, also known as OilRig, is an Iranian cyber espionage group widely believed to operate under Iran’s Ministry of Intelligence and Security (MOIS). The malware families used in this campaign, particularly Veaty and Spearal, share several key characteristics with other malware attributed to APT34, such as Karkoff and Saitama. Both malware types exhibit overlapping tactics, techniques, and procedures (TTPs) with APT34, indicating a strong likelihood that this group is behind the Iraqi government attacks.
The attackers’ reliance on stolen credentials, especially compromised email accounts, underscores the importance of darknet monitoring services and brand impersonation defense strategies to prevent further exploitation.
Conclusion
The discovery of Veaty, Spearal, and the updated IIS backdoor in this campaign targeting Iraqi government infrastructure underscores the persistence and sophistication of Iranian cyber espionage operations. These attacks exemplify the increasing trend of nation-state actors using advanced malware techniques to target sensitive government networks, leveraging everything from compromised emails to DNS tunneling for command-and-control communications.
For organizations, particularly in regions frequently targeted by nation-state actors, implementing comprehensive dark web surveillance, compromised data tracking, and brand protection measures can significantly reduce the risk of falling victim to such advanced threats. As Iranian threat actors continue to refine their tactics, staying vigilant with robust cybersecurity practices is essential.
About Foresiet!
Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.
Protect your brand, reputation, data, and systems with Foresiet's Integrated Digital Risk Platform. 24/7/365 threat monitoring for total peace of mind.
Nov. 21, 2024, 5:23 p.m.
Nov. 20, 2024, 6:23 p.m.