
OilRig cyber group hits Iraqi Government with advanced malware surprise





Article Summary

TLDR:

Iranian state-sponsored threat actor OilRig targeted Iraqi government networks in a cyber attack campaign that used two previously undocumented malware families, Veaty and Spearal. The intrusions began with phishing, after which the custom backdoors executed PowerShell commands and harvested files of interest. For command and control the actor relied on unusual channels, including email-based communication, to control hosts it had already compromised.

Summary:

Iranian cyber group OilRig, also known as APT34, targeted Iraqi government organizations such as the Prime Minister’s Office and the Ministry of Foreign Affairs in a recent campaign. The state-sponsored group has been active since at least 2014 and is associated with the Iranian Ministry of Intelligence and Security (MOIS).

The campaign introduced two new malware families, Veaty and Spearal, both able to execute PowerShell commands and harvest files. Each uses an unusual command-and-control mechanism in place of ordinary HTTP beaconing: Spearal speaks a custom DNS tunneling protocol, encoding its traffic in DNS queries and responses, while Veaty communicates over email.
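DNS tunneling of the kind described above is usually easiest to catch in resolver logs rather than on the endpoint, because the backdoor has to push its data through query names, which look nothing like normal hostnames. The detector below is an added illustration and is not code from the article or from Check Point; it does not implement Spearal's protocol, which the article does not detail. It assumes a constructed log format of `<epoch> <client_ip> <qname> <qtype>`, approximates the registrable zone as the last two labels (a real deployment would use the public suffix list), and flags a client/zone pair when it sees many distinct subdomains whose leftmost label is long and high-entropy. The sample log lines and the hex-encoded labels are constructed for the example.

```python
"""Heuristic DNS-tunneling detector over constructed resolver log lines.

Added example; not from the original article or from Check Point, and the
query encoding is an assumption for illustration, not Spearal's real protocol.
"""
import math

# Constructed sample log: "<epoch> <client_ip> <qname> <qtype>".
# 10.1.2.9 issues TXT queries whose leftmost label is a 32-char hex blob,
# the shape a tunneling client produces when it encodes data into a name.
SAMPLE_LOG = """\
1725000001 10.1.2.3 www.example.com A
1725000002 10.1.2.3 mail.example.org A
1725000003 10.1.2.3 cdn.static.example.com A
1725000010 10.1.2.9 4a7f9e0c2b1d8e3f6a5c9b0d7e2f1a3c.lookup.example-updates.net TXT
1725000011 10.1.2.9 9c0d2e5f7a1b3c4d6e8f0a2b4c6d8e1f.lookup.example-updates.net TXT
1725000012 10.1.2.9 2e4f6a8c0b1d3e5f7a9c1b3d5e7f9a0c.lookup.example-updates.net TXT
1725000013 10.1.2.9 b1d3f5a7c9e0b2d4f6a8c0e1b3d5f7a9.lookup.example-updates.net TXT
1725000014 10.1.2.9 e3f5a7b9c1d0e2f4a6b8c0d1e3f5a7b9.lookup.example-updates.net TXT
1725000015 10.1.2.9 0a2c4e6f8b1d3f5a7c9e0b2d4f6a8c1e.lookup.example-updates.net TXT
1725000020 10.1.2.3 www.example.com A
"""


def shannon_entropy(text):
    """Bits per character; 32 hex chars drawn evenly score close to 4.0."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    ts, client, qname, qtype = line.split()
    return {"ts": int(ts), "client": client,
            "qname": qname.lower().rstrip("."), "qtype": qtype.upper()}


def split_zone(qname, suffix_labels=2):
    """Crude zone split: last two labels are the zone, the rest is the subdomain.
    Assumption for the example; production code should use the public suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-suffix_labels:]), ".".join(labels[:-suffix_labels])


def analyze(lines, min_unique=5, min_label_len=24, min_entropy=3.5,
            rare_types=("TXT", "NULL")):
    """Aggregate per (client, zone) and mark pairs that look like a tunnel.

    A pair is suspicious when it shows at least min_unique distinct subdomains
    (each encoded chunk is a new name), the leftmost label averages at least
    min_label_len characters (the 63-byte label limit pushes tunnels toward long
    labels), and the leftmost label averages at least min_entropy bits/char.
    The share of TXT/NULL queries is reported as a supporting signal only.
    """
    stats = {}
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        rec = parse_line(raw)
        zone, sub = split_zone(rec["qname"])
        if not sub:
            continue  # bare apex query carries nothing to encode
        key = (rec["client"], zone)
        s = stats.setdefault(key, {"queries": 0, "subdomains": set(),
                                   "label_len": 0, "entropy": 0.0, "rare": 0})
        first = sub.split(".")[0]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["label_len"] += len(first)
        s["entropy"] += shannon_entropy(first)
        if rec["qtype"] in rare_types:
            s["rare"] += 1
    for s in stats.values():
        n = s["queries"]
        s["avg_label_len"] = s["label_len"] / n
        s["avg_entropy"] = s["entropy"] / n
        s["rare_ratio"] = s["rare"] / n
        s["suspicious"] = (len(s["subdomains"]) >= min_unique
                           and s["avg_label_len"] >= min_label_len
                           and s["avg_entropy"] >= min_entropy)
    return stats


def flagged(lines, **thresholds):
    """Sorted list of (client, zone) pairs that analyze() marked suspicious."""
    return sorted(k for k, s in analyze(lines, **thresholds).items() if s["suspicious"])


if __name__ == "__main__":
    for (client, zone), s in sorted(analyze(SAMPLE_LOG.splitlines()).items()):
        print(f"{client:10} {zone:22} q={s['queries']:2} uniq={len(s['subdomains']):2} "
              f"len={s['avg_label_len']:5.1f} H={s['avg_entropy']:4.2f} "
              f"rare={s['rare_ratio']:.2f} {'SUSPICIOUS' if s['suspicious'] else ''}")
```

The thresholds are illustrative and need baselining per environment: CDN hostnames, anti-virus reputation lookups and DKIM selectors all produce long, high-entropy labels, so this is a triage signal to pivot from (which client, which zone, what the responses contained), not a verdict on its own.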

These tactics, techniques, and procedures are consistent with OilRig’s past operations, notably email-based command and control and social engineering to start the attack chain. Together the two backdoors give the operator command execution, file retrieval and data exfiltration on compromised hosts.

Check Point’s analysis of the actor’s infrastructure also turned up a separate SSH tunneling backdoor and an HTTP-based backdoor planted on Microsoft Internet Information Services (IIS) servers. The campaign underscores the deliberate effort by Iranian threat actors to develop specialized command-and-control mechanisms and their sustained focus on government infrastructure.

