Iranian OilRig APT Targets Iraqi Government Networks in Sophisticated Cyber Attack Campaign

A newly uncovered cyber attack campaign has targeted key Iraqi government networks, including the Prime Minister's Office and the Ministry of Foreign Affairs. This operation has been attributed to the Iranian state-sponsored threat group OilRig (also known as APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm, and Helix Kitten), according to an analysis by cybersecurity firm Check Point.

OilRig, linked to Iran’s Ministry of Intelligence and Security (MOIS), has been active since at least 2014, frequently conducting phishing attacks across the Middle East. The group is known for using custom backdoors such as Karkoff, Shark, Marlin, Saitama, MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah to steal sensitive information.

The New Malware Campaign: Veaty and Spearal

The latest OilRig campaign introduced two new malware families, Veaty and Spearal, both equipped with sophisticated capabilities for data theft and executing PowerShell commands. These malware variants utilize a combination of advanced techniques, including DNS tunneling for command-and-control (C2) communication and email-based C2 channels that use compromised email accounts within the targeted organization.

OilRig's approach is unique in leveraging compromised email mailboxes as part of its C2 infrastructure, a tactic seen in previous campaigns involving backdoors such as Karkoff and PowerExchange.

Attack Chain and Tactics

The attack chain begins with phishing emails containing malicious files disguised as legitimate documents, such as "Avamer.pdf.exe" or "IraqiDoc.docx.rar." Once the files are opened, they launch PowerShell or PyInstaller scripts that drop the malware onto the victim's machine. These scripts also carry XML configuration files containing details about the C2 server.

The Spearal malware, written in .NET, communicates with the C2 server via DNS tunneling. The data exchanged between the malware and the server is encoded using a custom Base32 scheme within DNS queries. Spearal is designed to execute PowerShell commands, read file contents, and transmit encoded data back to the C2 server. It can also retrieve and write data from the C2 server to the infected system.
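A defender's first handle on DNS-based C2 of the kind described above is the resolver log: a tunnelled channel shows up as many unique, long, high-entropy subdomains under one zone, often with record types (TXT, NULL, CNAME) that ordinary clients rarely ask for. The script below is an added example, not code from the report or from Check Point, and it assumes a resolver log with the line format "<timestamp> <client-ip> <qname> <qtype>"; the zone update-check.net and its Base32-looking labels are constructed for the demonstration and are not indicators from the campaign. Because the page says Spearal uses a custom Base32 alphabet, the standard-alphabet fraction is reported only as context rather than used as a hard rule.

```python
import math
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed resolver query log (not real telemetry). Assumed line format:
# "<timestamp> <client-ip> <qname> <qtype>". The zone update-check.net and its
# Base32-looking labels are invented for this example, not indicators from the report.
SAMPLE_LOG = """\
2024-09-12T10:00:01Z 10.0.0.5 www.example.org A
2024-09-12T10:00:02Z 10.0.0.5 mail.example.org A
2024-09-12T10:00:03Z 10.0.0.7 cdn.example.org A
2024-09-12T10:00:04Z 10.0.0.9 KRUGKIDROVUWG2ZAMJZG653OEBTG66BANNSWKTTFEBWGC.update-check.net TXT
2024-09-12T10:00:05Z 10.0.0.9 ORSXG5BAMRQXIYJAMZXXEIDUNBSSAY3PNVWWC3TEEBRGQYLO.update-check.net TXT
2024-09-12T10:00:06Z 10.0.0.9 NZSWYIDJONQXI2LPNYQGS3TTORQWY3DFMQ.update-check.net TXT
2024-09-12T10:00:07Z 10.0.0.9 MFZGKIDSMVRXG4ZANFXCAYLOEBXWMIDTMVRHK4TJORUQ.update-check.net TXT
2024-09-12T10:00:08Z 10.0.0.9 ONSWG33OMQQGK3TDN5SGKZBAMNUHK3TLEBRGK3TUOJQWY.update-check.net TXT
2024-09-12T10:00:09Z 10.0.0.9 GEZDGNBVGY3TQOJQ.update-check.net TXT
"""

# Standard RFC 4648 Base32 alphabet; a custom scheme (as the report describes) may differ.
BASE32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()}


def zone_of(qname: str) -> str:
    """Registrable zone, simplified to the last two labels.
    Production code should consult the Public Suffix List (e.g. gov.iq, co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score higher than hostnames like www or mail."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def zone_stats(log_text: str, min_unique: int = 5, min_mean_len: float = 20.0,
               min_entropy: float = 3.5) -> Dict[str, dict]:
    """Aggregate queries per zone and apply the tunneling heuristic to each."""
    raw = defaultdict(lambda: {"queries": 0, "txt": 0, "clients": set(), "subdomains": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        zone = zone_of(rec["qname"])
        sub = rec["qname"][: len(rec["qname"]) - len(zone)].rstrip(".")
        z = raw[zone]
        z["queries"] += 1
        z["clients"].add(rec["client"])
        z["subdomains"].add(sub.replace(".", ""))  # join multi-label chunks into one string
        if rec["qtype"] in ("TXT", "NULL", "CNAME"):
            z["txt"] += 1
    out: Dict[str, dict] = {}
    for zone, z in raw.items():
        subs = sorted(s for s in z["subdomains"] if s)
        blob = "".join(subs)
        mean_len = (len(blob) / len(subs)) if subs else 0.0
        entropy = shannon_entropy(blob)
        base32_frac = (sum(ch in BASE32_ALPHABET for ch in blob.upper()) / len(blob)) if blob else 0.0
        flagged = len(subs) >= min_unique and mean_len >= min_mean_len and entropy >= min_entropy
        out[zone] = {
            "queries": z["queries"],
            "clients": sorted(z["clients"]),
            "unique_subdomains": len(subs),
            "mean_subdomain_len": round(mean_len, 1),
            "entropy": round(entropy, 2),
            "base32_fraction": round(base32_frac, 2),
            "txt_like_ratio": round(z["txt"] / z["queries"], 2),
            "flagged": flagged,
        }
    return out


def flagged_zones(log_text: str) -> List[str]:
    """Zones whose query pattern looks like an encoded data channel."""
    stats = zone_stats(log_text)
    return sorted(zone for zone, s in stats.items() if s["flagged"])


if __name__ == "__main__":
    for zone, s in zone_stats(SAMPLE_LOG).items():
        print(zone, s)
    print("flagged:", flagged_zones(SAMPLE_LOG))
```

On the constructed log, example.org stays quiet (three short hostnames from two clients) while update-check.net is flagged: six unique subdomains averaging about 39 characters, all TXT lookups from a single client. The thresholds are starting points; tune them against a baseline of the organisation's own resolver traffic, and add the Public Suffix List before grouping zones in production so that gov.iq-style second-level suffixes are not treated as the registrable domain.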

Similarly, the Veaty malware, also a .NET-based backdoor, relies on compromised email accounts from the gov-iq.net domain to communicate with the C2 server. It downloads and executes files, uploads stolen data, and runs PowerShell scripts based on the commands received through specific mailboxes.

Advanced Tactics: SSH and HTTP Backdoors

Check Point's analysis also uncovered a third backdoor that uses SSH tunneling, as well as an HTTP-based backdoor named CacheHttp.dll. The latter targets Microsoft's Internet Information Services (IIS) servers, monitoring incoming web requests for specific events that trigger malicious commands. The backdoor checks for a "Cookie" header in HTTP requests and uses the F=0/1 parameter to initialize or execute commands based on its configuration.

This IIS module is a continuation of malware previously identified by ESET in 2021, evolving from earlier variants used by OilRig. Its capabilities include file read/write operations and command execution, making it a powerful tool for covert network infiltration.
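Because the IIS backdoor described above keys on the Cookie header, the request log is where its traffic can be spotted, provided the optional cs(Cookie) field is enabled (IIS does not record the Cookie header by default). The script below is an added example, not code from the report, ESET or Check Point; it parses a constructed W3C-format excerpt and reports requests carrying cookie names the application never sets, with single-letter names such as F called out separately. The client addresses, cookie names and allow-list are all invented for the demonstration.

```python
from typing import Dict, Iterable, List, Set

# Constructed IIS W3C log excerpt (not a real log). It assumes the optional
# cs(Cookie) field has been enabled in the site's logging configuration; by
# default IIS does not record the Cookie header. IPs and cookie names are invented.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Cookie)
2024-09-12 10:00:01 203.0.113.10 GET /index.aspx - 200 ASP.NET_SessionId=abc123;+lang=en
2024-09-12 10:00:02 203.0.113.10 GET /news.aspx id=7 200 ASP.NET_SessionId=abc123;+lang=en
2024-09-12 10:00:03 198.51.100.77 GET /index.aspx - 200 F=0
2024-09-12 10:00:04 198.51.100.77 POST /index.aspx - 200 F=1;+ASP.NET_SessionId=zzz999
2024-09-12 10:00:05 203.0.113.22 GET /about.aspx - 200 -
"""

# Cookies the application is known to set (constructed allow-list; build yours
# from the application's own code or from a baseline of clean traffic).
KNOWN_COOKIES: Set[str] = {"ASP.NET_SessionId", "lang"}


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip lines that do not match the declared field list
        records.append(dict(zip(fields, values)))
    return records


def cookie_names(cookie_field: str) -> List[str]:
    """Cookie names from an IIS cs(Cookie) value; '-' means absent, '+' encodes a space."""
    if cookie_field in ("-", ""):
        return []
    names: List[str] = []
    for pair in cookie_field.replace("+", " ").split(";"):
        name = pair.strip().split("=", 1)[0].strip()
        if name:
            names.append(name)
    return names


def find_unknown_cookie_requests(text: str, known: Iterable[str] = KNOWN_COOKIES) -> List[Dict[str, object]]:
    """Requests carrying cookie names the application never sets.
    A single-letter cookie used as a switch on an IIS server matches the
    pattern the report describes for the CacheHttp.dll backdoor."""
    known_set = set(known)
    hits: List[Dict[str, object]] = []
    for rec in parse_w3c(text):
        unknown = sorted(n for n in cookie_names(rec.get("cs(Cookie)", "-")) if n not in known_set)
        if unknown:
            hits.append({
                "time": f'{rec["date"]} {rec["time"]}',
                "client": rec["c-ip"],
                "method": rec["cs-method"],
                "uri": rec["cs-uri-stem"],
                "unknown_cookies": unknown,
                "single_letter": any(len(n) == 1 for n in unknown),
            })
    return hits


if __name__ == "__main__":
    for hit in find_unknown_cookie_requests(SAMPLE_IIS_LOG):
        print(hit)
```

On the sample, both requests from 198.51.100.77 are reported with the unknown cookie F, while the legitimate session traffic is silent. Pair this with an inventory of the native and managed modules registered on each IIS server, since a module like CacheHttp.dll is loaded in-process and leaves no separate listening port to find.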

OilRig’s Evolving Tactics

This recent campaign showcases OilRig’s sustained efforts to target Iraqi government infrastructure using a diverse toolset of backdoors and custom C2 mechanisms. The group’s reliance on DNS tunneling and compromised email accounts for communication highlights its strategic focus on developing specialized methods for controlling compromised networks.

Check Point’s analysis of OilRig’s infrastructure suggests the group’s continual evolution, with new malware families, advanced C2 channels, and effective social engineering tactics making it a persistent threat in the region. The campaign underscores the importance of enhanced cybersecurity measures for governments and organizations facing sophisticated state-sponsored attacks.

