
Malware Attacks: Iranian Hackers Target Iraqi Government 

by Wajahat Raja

September 26, 2024 - TuxCare expert team

Iraq and Iran are two nations with a long history of conflict, and that conflict has now moved into the digital realm in the form of malware attacks. According to recent reports, the Iraqi government has fallen prey to malware attacks orchestrated by OilRig, an Iranian state-sponsored threat actor group. In this article, we’ll dive into these attacks and cover the campaign in detail. Let’s begin!

OilRig Cyber Group Malware Attacks Background 

OilRig is an Iranian state-sponsored threat actor group that has been active since 2014. The group also goes by other names, including APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten.

Reports claim that the group associated with the recent malware attacks has ties to the Iranian Ministry of Intelligence and Security (MOIS). Apart from the recent malware attacks, the group, over the past decade, has developed a track record of phishing attacks.

These attacks mainly target victims in the Middle East and are used to deliver a variety of custom backdoors used for stealing information. Some of these backdoors include: 

  • Karkoff.
  • Shark.
  • Marlin.
  • Saitama.
  • MrPerfectionManager.
  • PowerExchange.
  • Solar.
  • Mango.
  • Menora.

Iraqi Government Cyber Attacks 

The latest malware attacks orchestrated by OilRig are in line with their previous methods. However, these attacks use a new set of malware families called Veaty and Spearal. Both of the payloads can execute PowerShell commands and steal files of interest. 

In these attacks, OilRig threat actors have singled out Iraqi government organizations, including the Prime Minister’s Office and the Ministry of Foreign Affairs. The attacks were analyzed by Check Point, a cybersecurity company, which stated:

“The toolset used in this targeted campaign employs unique command-and-control (C2) mechanisms, including a custom DNS tunneling protocol and a tailor-made email-based C2 channel. The C2 channel uses compromised email accounts within the targeted organization, indicating that the threat actor successfully infiltrated the victim’s networks.”

Similar Tactics And Techniques

While these attacks rely on new malware families, the tactics, techniques, and procedures (TTPs) are consistent with those seen in previous OilRig attacks, where email-based C2 channels were built on compromised mailboxes.

Once the mailboxes were compromised, threat actors then worked towards issuing commands and stealing data. This technique is common among several backdoors that include: 

  • Karkoff.
  • MrPerfectionManager. 
  • PowerExchange. 

OilRig Cyber Group’s Attack Chain 

Malware attacks orchestrated by OilRig start with malicious files posing as genuine documents, with names such as “Avamer.pdf.exe” or “IraqiDoc.docx.rar.” When launched, these files serve as the entry point for deploying Veaty and Spearal. It’s worth mentioning that social engineering tactics are likely to play a role in the attack chain as well.
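The lure names above share a pattern that a mail gateway or endpoint check can catch: a document-style extension followed by an executable or archive extension. The following Python is an added example for this article, not code from TuxCare, Check Point, or the campaign; the extension lists and the sample filenames are constructed for illustration, and the two names taken from the text are the only ones that come from the page.

```python
import os

# Extensions that can launch code or unpack to it (constructed list for the example).
EXECUTABLE_OR_ARCHIVE = {".exe", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta",
                         ".rar", ".zip", ".7z"}
# Extensions a user expects to open as a harmless document (constructed list).
DOCUMENT_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".rtf"}

# Constructed sample of attachment names as a gateway might see them; the first two
# are the lure names quoted in the article, the rest are made up for contrast.
SAMPLE_NAMES = [
    "Avamer.pdf.exe",
    "IraqiDoc.docx.rar",
    "quarterly-report.pdf",
    "setup.exe",
    "README",
    "archive.tar.gz",
]


def split_all_extensions(filename):
    """Return every trailing extension, lowercased, in order: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    name = os.path.basename(filename)
    exts = []
    while True:
        name, ext = os.path.splitext(name)
        if not ext:
            break
        exts.insert(0, ext.lower())
    return exts


def classify_filename(filename):
    """Label a filename by how its extension chain reads to a user versus to the OS."""
    exts = split_all_extensions(filename)
    if not exts:
        return "no-extension"
    last, inner = exts[-1], exts[:-1]
    # The OS acts on the last extension; the user tends to read the inner one.
    if last in EXECUTABLE_OR_ARCHIVE and any(e in DOCUMENT_LIKE for e in inner):
        return "document-masquerade"
    if last in EXECUTABLE_OR_ARCHIVE:
        return "executable-or-archive"
    return "benign-looking"


def scan_filenames(names):
    """Return the names that pose as documents while actually being executables or archives."""
    return [n for n in names if classify_filename(n) == "document-masquerade"]


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name:25s} {classify_filename(name)}")
```

The check is deliberately narrow: it flags only the document-then-executable chain, so ordinary `.tar.gz` archives or plain `.exe` installers get their own labels rather than being lumped in with the lure pattern, which keeps the alert meaningful when it fires.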

These files execute PowerShell or PyInstaller scripts, which deliver the executable payloads along with XML-based configuration files containing the C2 server information. Commenting on these tactics, cybersecurity experts have said:

“The Spearal malware is a .NET backdoor that utilizes DNS tunneling for [C2] communication. The data transferred between the malware and the C2 server is encoded in the subdomains of DNS queries using a custom Base32 scheme.”
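Encoding data in DNS subdomains leaves a measurable trace in resolver logs: long labels drawn almost entirely from a Base32-style alphabet, with higher character entropy than hostnames people choose, and many distinct such labels under one domain. The following Python detector is an added example for this article, not code from TuxCare, Check Point, or the malware it describes. The log format, the domain names, the client addresses, and the thresholds are all constructed assumptions; the alphabet check targets the standard Base32 alphabet, so a custom scheme using different characters would need the alphabet adjusted.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log in a hypothetical "<timestamp> <client-ip> <qname> <qtype>"
# format. The domains, addresses, and labels are made up for the example; they are not
# indicators from the reported campaign.
SAMPLE_DNS_LOG = """\
2024-09-20T10:00:01Z 10.0.0.5 www.example.com A
2024-09-20T10:00:02Z 10.0.0.5 mail.example.com A
2024-09-20T10:00:03Z 10.0.0.5 cdn-assets-prod-01.example.com A
2024-09-20T10:00:04Z 10.0.0.9 thisisaverylonghostnameok.corp.example A
2024-09-20T10:00:05Z 10.0.0.7 gezdgnbvgy3tqojqgezdgnbvgy3tqojq.update-cdn.example TXT
2024-09-20T10:00:06Z 10.0.0.7 nbswy3dpfqqhi2djomqgc3tehiqhg2lo.update-cdn.example TXT
2024-09-20T10:00:07Z 10.0.0.7 krugkidrovuwg2zamjzg653oefwgy3dp.update-cdn.example TXT
2024-09-20T10:00:08Z 10.0.0.7 ifbegrcbidbeiqsdbefgmfbb.update-cdn.example A
"""

# Standard Base32 alphabet (RFC 4648) without '=' padding, which is not valid in a DNS label.
BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Parse the constructed log format into (timestamp, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            ts, client, qname, qtype = m.groups()
            records.append((ts, client, qname.lower().rstrip("."), qtype))
    return records


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores higher than human-chosen names."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base32_ratio(s):
    """Fraction of characters that fall inside the Base32 alphabet."""
    if not s:
        return 0.0
    return sum(ch in BASE32_ALPHABET for ch in s) / len(s)


def split_qname(qname):
    """Split into (registered domain, concatenated subdomain labels).

    Naive: treats the last two labels as the registered domain. A production detector
    should use the Public Suffix List so that names under e.g. co.uk are handled correctly.
    """
    labels = qname.split(".")
    if len(labels) <= 2:
        return qname, ""
    return ".".join(labels[-2:]), "".join(labels[:-2])


def is_suspicious_subdomain(sub, min_len=20, min_entropy=3.0, min_ratio=0.95):
    """Long, high-entropy, Base32-only subdomain: consistent with encoded data, not a hostname."""
    return (len(sub) >= min_len
            and base32_ratio(sub) >= min_ratio
            and shannon_entropy(sub) >= min_entropy)


def find_tunneling_candidates(records, min_unique=3, **thresholds):
    """Flag registered domains that receive at least min_unique distinct suspicious subdomains.

    Requiring several distinct labels per domain keeps a single odd hostname from alerting.
    """
    per_domain = defaultdict(lambda: {"total": 0, "suspicious": set(), "clients": set()})
    for _ts, client, qname, _qtype in records:
        domain, sub = split_qname(qname)
        entry = per_domain[domain]
        entry["total"] += 1
        if is_suspicious_subdomain(sub, **thresholds):
            entry["suspicious"].add(sub)
            entry["clients"].add(client)
    flagged = {}
    for domain, entry in per_domain.items():
        if len(entry["suspicious"]) >= min_unique:
            flagged[domain] = {
                "total_queries": entry["total"],
                "suspicious_queries": len(entry["suspicious"]),
                "clients": sorted(entry["clients"]),
            }
    return flagged


if __name__ == "__main__":
    for domain, summary in find_tunneling_candidates(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(domain, summary)
```

In the sample, the long but human-readable name under corp.example passes the per-label test yet does not trip the per-domain count, while the hyphenated CDN hostname fails the alphabet check outright; only the domain receiving several distinct encoded-looking labels from one client is reported. Tuning the thresholds against a baseline of your own resolver traffic is what makes this usable, since legitimate services (CDNs, some anti-virus vendors) also send long, structured labels.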

Conclusion

Based on the attack chain and methodology, it can be stated that OilRig threat actors have made a focused effort to target and attack the Iraqi government, and that they intend to develop and maintain specialized command-and-control methods.

With technological advancements, hackers are now using more complex methods to target victims. Therefore, using advanced cybersecurity solutions is now a necessity for lowering risk and ensuring protection. 

The sources for this piece include articles in The Hacker News and The Record.
