Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations


Nov 15, 2024 | Ravie Lakshmanan | Cyber Espionage / Malware

Cybersecurity researchers have shed light on a new remote access trojan and information stealer used by Iranian state-sponsored actors to conduct reconnaissance of compromised endpoints and execute malicious commands.

Cybersecurity company Check Point has codenamed the malware WezRat, stating it has been detected in the wild since at least September 1, 2023, based on artifacts uploaded to the VirusTotal platform.

“WezRat can execute commands, take screenshots, upload files, perform keylogging, and steal clipboard content and cookie files,” it said in a technical report. “Some functions are performed by separate modules retrieved from the command and control (C&C) server in the form of DLL files, making the backdoor’s main component less suspicious.”

WezRat is assessed to be the work of Cotton Sandstorm, an Iranian hacking group that’s better known under the cover names Emennet Pasargad and, more recently, Aria Sepehr Ayandehsazan (ASA).


The malware was first documented late last month by U.S. and Israeli cybersecurity agencies, describing it as an “exploitation tool for gathering information about an end point and running remote commands.”

Attack chains, per the government authorities, involve the use of trojanized Google Chrome installers (“Google Chrome Installer.msi”) that, in addition to installing the legitimate Chrome web browser, are configured to run a second binary named “Updater.exe” (internally called “bd.exe”).

The malware-laced executable, for its part, is designed to harvest system information and establish contact with a command-and-control (C&C) server (“connect.il-cert[.]net”) to await further instructions.

Check Point said it has observed WezRat being distributed to several Israeli organizations as part of phishing emails impersonating the Israeli National Cyber Directorate (INCD). The emails, sent on October 21, 2024, originated from the email address “alert@il-cert[.]net,” and urged recipients to urgently install a Chrome security update.

“The backdoor is executed with two parameters: connect.il-cert.net 8765, which represents the C&C server, and a number used as a ‘password’ to enable the correct execution of the backdoor,” Check Point said, noting that providing an incorrect password could cause the malware to “execute an incorrect function or potentially crash.”
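The reported launch pattern (an Updater.exe dropped by the installer and started with a C&C host, a port and a numeric password) is easy to turn into endpoint detection logic. The following is an added example, not code from the article or from Check Point; the event shape, the sample events and the password value are constructed, and only the host, port and file names come from the report.

```python
import re
from dataclasses import dataclass
from typing import List

# Indicators quoted in the article: C&C host and port, the dropped binary and the MSI name.
C2_HOST = "connect.il-cert.net"
C2_PORT = "8765"
PAYLOAD_EXE = "updater.exe"
DROPPER_MSI = "google chrome installer.msi"

# Reported invocation: <exe> <c2-host> <port> <numeric 'password'>
ARG_PATTERN = re.compile(r"\s(\S+)\s+(\d{1,5})\s+(\d+)\s*$")

@dataclass
class ProcessEvent:            # simplified process-creation record (constructed shape)
    image: str                 # full path of the started process
    command_line: str          # its command line
    parent_image: str          # full path of the parent process
    parent_command_line: str   # parent's command line

def classify(event: ProcessEvent) -> List[str]:
    """Return the reasons an event matches the described chain (empty list = no match)."""
    reasons = []
    image, cmd = event.image.lower(), event.command_line.lower()
    is_payload = image.endswith("\\" + PAYLOAD_EXE)
    if C2_HOST in cmd:
        reasons.append("known C&C host on command line")
    if is_payload and event.parent_image.lower().endswith("\\msiexec.exe"):
        reasons.append("Updater.exe spawned by the Windows Installer")
    if is_payload and DROPPER_MSI in event.parent_command_line.lower():
        reasons.append("parent installer is the trojanized Chrome MSI")
    m = ARG_PATTERN.search(event.command_line)
    if is_payload and m and m.group(2) == C2_PORT:
        reasons.append("argument shape <host> <port> <password> with the C&C port")
    return reasons

def scan(events: List[ProcessEvent]) -> dict:
    """Map each suspicious image path to its match reasons."""
    return {e.image: classify(e) for e in events if classify(e)}

# Constructed sample telemetry (the password 4127 is invented for the example).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\u\AppData\Local\Temp\Updater.exe",
                 r'"C:\Users\u\AppData\Local\Temp\Updater.exe" connect.il-cert.net 8765 4127',
                 r"C:\Windows\System32\msiexec.exe",
                 r'msiexec.exe /i "C:\Users\u\Downloads\Google Chrome Installer.msi"'),
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
                 r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
]
```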


“The earlier versions of WezRat had hard-coded C&C server addresses and didn’t rely on ‘password’ argument to run,” Check Point said. “WezRat initially functioned more as a simple remote access trojan with basic commands. Over time, additional features such as screenshot capabilities and a keylogger were incorporated and handled as separate commands.”

Furthermore, the company’s analysis of the malware and its backend infrastructure suggests that at least two different teams are involved in the development and operation of WezRat.

“The ongoing development and refinement of WezRat indicates a dedicated investment in maintaining a versatile and evasive tool for cyber espionage,” it concluded.

“Emennet Pasargad’s activities target various entities across the United States, Europe, and the Middle East, posing a threat not only to direct political adversaries but also to any group or individual with influence over Iran’s international or domestic narrative.”
