September 13, 2024
Severity
High
Analysis Summary
A sophisticated cyberattack campaign targeting Iraqi government networks has been attributed to the Iranian state-sponsored threat actor known as OilRig. This campaign has specifically targeted high-profile entities including the Prime Minister's Office and the Ministry of Foreign Affairs.
OilRig, also known as APT34, Crambus, and other aliases, has been active since at least 2014 and is affiliated with Iran's Ministry of Intelligence and Security (MOIS). The group is notorious for its phishing attacks and use of custom backdoors aimed at information theft. A recent report reveals that OilRig deployed new malware families named Veaty and Spearal. These malware types exhibit advanced capabilities such as executing PowerShell commands and harvesting files of interest.
The threat actor utilized unique command-and-control (C2) mechanisms including a bespoke DNS tunneling protocol and a customized email-based C2 channel. The use of compromised email accounts within the targeted organizations further indicates that the threat actor had successfully infiltrated these networks.
The attack sequence was initiated through deceptive files disguised as benign documents, such as "Avamer.pdf.exe" and "IraqiDoc.docx.rar". When executed, these files activated intermediate PowerShell or PyInstaller scripts, which then deployed the Veaty and Spearal malware. This infection pathway likely involved social engineering to convince targets to open these malicious files.
Spearal, a .NET-based backdoor, relies on DNS tunneling for its C2 communications, encoding data in the subdomains of DNS queries using a custom Base32 scheme. It can execute PowerShell commands, read file contents, and transfer data to and from the C2 server. In contrast, Veaty, also written in .NET, uses email for C2 communications, allowing it to download files, execute commands, and manage files through specific compromised mailboxes.
The analysis uncovered additional backdoor tools, including an SSH tunneling backdoor and an HTTP-based backdoor named CacheHttp.dll. The latter targets Microsoft's Internet Information Services (IIS) servers, examining web requests for specific events and executing commands based on these requests. The sophistication of these tools and their deployment underscores the persistent and targeted efforts by Iranian threat actors in the region, highlighting their ability to develop and maintain advanced command-and-control mechanisms.
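The DNS-tunneling C2 described for Spearal leaves a recognisable trace in resolver logs: long, high-entropy subdomain labels under a small set of registered domains. The following added example (not code from the advisory or from any vendor tool) shows a defender-side check over a constructed DNS query log. It flags queries whose registered domain is one of the advisory's listed C2 domains and, separately, queries carrying labels that look like encoded payloads. Assumptions: the log format `timestamp client query` is made up; the advisory does not publish Spearal's custom Base32 alphabet, so the charset check uses the standard RFC 4648 alphabet; the registered-domain extraction takes the last two labels, which is adequate for the .com/.net/.fun indicators here but not for multi-label public suffixes.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (timestamp, client IP, queried name).
# The subdomain labels are made-up Base32-looking strings; the registered
# domains in lines 3 and 4 are the C2 domains listed in the advisory, the
# remaining names are placeholders.
SAMPLE_DNS_LOG = """\
2024-09-13T08:01:02Z 10.10.4.21 www.example.com
2024-09-13T08:01:05Z 10.10.4.21 mail.example.com
2024-09-13T08:02:10Z 10.10.4.37 nbswy3dpfqqho33snrscc.iqwebservice.com
2024-09-13T08:02:11Z 10.10.4.37 geytemzxgu3tmnjvha5ds3a.mofaiq.com
2024-09-13T08:03:00Z 10.10.4.52 cdn.assets.example.net
2024-09-13T08:03:41Z 10.10.4.52 mfrggzdfmztwq2lkon2g4zthozzxe5lon5zxi3y.update.example.org
"""

# Domain indicators from the advisory.
C2_DOMAINS = {"iqwebservice.com", "mofaiq.com", "asiacall.net", "spacenet.fun"}

# Assumption: the advisory does not give Spearal's custom alphabet, so this
# uses the standard RFC 4648 Base32 alphabet (A-Z, 2-7), lowercased.
BASE32_LABEL = re.compile(r"^[a-z2-7]+$")

MIN_LABEL_LEN = 20  # ordinary hostnames rarely have one label this long
MIN_ENTROPY = 3.0   # bits per character; encoded payloads sit well above this


def shannon_entropy(text: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    """Naive registered-domain extraction: the last two labels.
    Assumption: fine for the indicators here; production code should use
    a public-suffix list."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_query(name: str) -> list:
    """Return the reasons a query name is suspicious (empty list = clean)."""
    reasons = []
    if registered_domain(name) in C2_DOMAINS:
        reasons.append("known_c2_domain")
    # Inspect every label left of the registered domain for encoded-looking data.
    for label in name.lower().rstrip(".").split(".")[:-2]:
        if (len(label) >= MIN_LABEL_LEN
                and BASE32_LABEL.match(label)
                and shannon_entropy(label) >= MIN_ENTROPY):
            reasons.append("tunnel_like_label")
            break
    return reasons


def scan_dns_log(text: str) -> list:
    """Parse 'timestamp client query' lines and return the flagged records."""
    flagged = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the sweep
        ts, client, query = parts
        reasons = analyze_query(query)
        if reasons:
            flagged.append({"time": ts, "client": client,
                            "query": query, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit["time"], hit["client"], hit["query"], ",".join(hit["reasons"]))
```

The two checks are deliberately independent: the domain match is a hard indicator that only covers infrastructure already published, while the label heuristic catches the same technique on infrastructure the advisory does not list, at the cost of occasional false positives from legitimate long encoded hostnames (CDN tokens, DKIM selectors), which is why the output carries the reason rather than a single verdict.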
Impact
- Data Exfiltration
- Code Execution
- Sensitive Data Theft
Indicators of Compromise
Domain Name
- iqwebservice.com
- mofaiq.com
- asiacall.net
- spacenet.fun
IP
- 185.76.78.177
- 91.132.95.117
- 151.236.17.231
MD5
- a79e4424116dc0a76a179507ac914578
- 1f1aaaf32be03ae7beb9d49f02de7669
- b817309621e43004b9f32c96d52dc2a0
- b5de3c4c582db7c2d2ce31c67cba0510
- 66126dc088be2699fd55ae7eff5e6e15
- d56b5fd6b8976c91d2537d155926afff
- b1c93c7f5d89996d64a7f933f138e8b0
- a70a7cfae52304a36fe1547b5a441d7a
SHA-256
- 3ab29bc71ddd272f33f17c5108c044a570610c06ccba16cde1a4aa67b1524a8b
- 068f5adf9c87d0b3fa8a37056042e76139bb230a9fd559028eb13cdf360ebbaa
- dcdaa9da5ee4750b1084f7dd99faeed2c713595bb156ac6491b29c2f9e0a1ade
- b85ffc8af90d4312aca9a81e0da00aabe6278fd9c92e933aec7e2da80c2c1f7e
- 0b3a08a1d90bf52dbf5379c72b8e2b6e76aa1fbf2c2e6c2d32af99c4707598a7
- 42acdf5051bc636dbbb56483fbca925238f1c5422497e2dda73f07b0653e56f2
- 577ca702d73f2090ce583c5b1fbfcb3101d3c79722c98b3aa8dc6598296182f4
- 0644b3ffc856eb54b53338ab8ecd22dd005ee5aacfe321f4e61b763a93f82aea
SHA-1
- 66bd8db40f4169c7f0fca3d5d15c978efe143cf8
- 6973d3ff8852a3292380b07858d43d0b80c0616e
- 01b99ff47ec6394753f9ccdd2d43b3e804f9ee36
- 272cf34e8db2078a3170cf0e54255d89785e3c50
- f28d8c5c2283019e6ed788d20240abc8554cadb5
- bb4ffcdbfad40125080c13fa4917a1e836a8d101
- a84caa806be07da3f30f67b036d88dccba0bc581
- 338b6e464874a52e61bc5b8fcaa94d66fe7e4141
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Change all passwords on compromised accounts and systems. Implement strong, unique passwords and consider implementing multi-factor authentication (MFA) to enhance security.
- Continuously monitor network traffic and system logs for suspicious activity, using intrusion detection and prevention systems.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.
- Maintain daily backups of all computer networks and servers.
- Keep all software, operating systems, and applications up to date with the latest security patches.
- Continuously monitor network and system logs for unusual or suspicious activities.
- Deploy security information and event management (SIEM) solutions to centralize log analysis.
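The first two remediation items ask for the indicators above to be searched for and blocked. The following added example (not code from the advisory) shows one way to run that sweep offline: it hashes every file under a directory with MD5, SHA-1 and SHA-256 and compares the digests against the advisory's hash lists, and it scans arbitrary log text for the listed IPs and domains (including subdomains of them). The hash and network indicators are copied from the page; the sample directory and the log lines in the usage are constructed, and the algorithm is inferred from digest length, which is an assumption that holds for these three algorithms only.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Network indicators from the advisory.
IOC_DOMAINS = {"iqwebservice.com", "mofaiq.com", "asiacall.net", "spacenet.fun"}
IOC_IPS = {"185.76.78.177", "91.132.95.117", "151.236.17.231"}

# File hash indicators from the advisory (MD5, SHA-1, SHA-256), lowercase.
IOC_HASHES = {
    "a79e4424116dc0a76a179507ac914578", "1f1aaaf32be03ae7beb9d49f02de7669",
    "b817309621e43004b9f32c96d52dc2a0", "b5de3c4c582db7c2d2ce31c67cba0510",
    "66126dc088be2699fd55ae7eff5e6e15", "d56b5fd6b8976c91d2537d155926afff",
    "b1c93c7f5d89996d64a7f933f138e8b0", "a70a7cfae52304a36fe1547b5a441d7a",
    "66bd8db40f4169c7f0fca3d5d15c978efe143cf8", "6973d3ff8852a3292380b07858d43d0b80c0616e",
    "01b99ff47ec6394753f9ccdd2d43b3e804f9ee36", "272cf34e8db2078a3170cf0e54255d89785e3c50",
    "f28d8c5c2283019e6ed788d20240abc8554cadb5", "bb4ffcdbfad40125080c13fa4917a1e836a8d101",
    "a84caa806be07da3f30f67b036d88dccba0bc581", "338b6e464874a52e61bc5b8fcaa94d66fe7e4141",
    "3ab29bc71ddd272f33f17c5108c044a570610c06ccba16cde1a4aa67b1524a8b",
    "068f5adf9c87d0b3fa8a37056042e76139bb230a9fd559028eb13cdf360ebbaa",
    "dcdaa9da5ee4750b1084f7dd99faeed2c713595bb156ac6491b29c2f9e0a1ade",
    "b85ffc8af90d4312aca9a81e0da00aabe6278fd9c92e933aec7e2da80c2c1f7e",
    "0b3a08a1d90bf52dbf5379c72b8e2b6e76aa1fbf2c2e6c2d32af99c4707598a7",
    "42acdf5051bc636dbbb56483fbca925238f1c5422497e2dda73f07b0653e56f2",
    "577ca702d73f2090ce583c5b1fbfcb3101d3c79722c98b3aa8dc6598296182f4",
    "0644b3ffc856eb54b53338ab8ecd22dd005ee5aacfe321f4e61b763a93f82aea",
}


def file_digests(path) -> dict:
    """Compute MD5, SHA-1 and SHA-256 of a file in one pass over its bytes."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_hits(digests: dict) -> list:
    """Return (algorithm, digest) pairs that match an advisory hash."""
    return [(algo, d.lower()) for algo, d in digests.items() if d.lower() in IOC_HASHES]


def scan_tree(root) -> list:
    """Walk a directory and return (path, algorithm, digest) for every IOC hit."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            for algo, digest in hash_hits(file_digests(path)):
                hits.append((str(path), algo, digest))
    return hits


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.IGNORECASE)


def log_hits(text: str) -> set:
    """Return the advisory IPs and domains referenced anywhere in log text.
    A hostname matches a domain indicator if it equals it or is a subdomain."""
    found = set()
    for ip in IPV4.findall(text):
        if ip in IOC_IPS:
            found.add(ip)
    for host in HOST.findall(text):
        h = host.lower()
        for dom in IOC_DOMAINS:
            if h == dom or h.endswith("." + dom):
                found.add(dom)
    return found


def make_sample_tree() -> str:
    """Constructed benign directory so the sweep can be run stand-alone."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    (Path(root) / "readme.txt").write_text("constructed benign file\n")
    (Path(root) / "sub").mkdir()
    (Path(root) / "sub" / "notes.bin").write_bytes(b"\x00\x01\x02")
    return root


if __name__ == "__main__":
    print("file hits:", scan_tree(make_sample_tree()))  # constructed tree: expect none
    sample_log = "2024-09-13 conn 10.10.4.37 -> 185.76.78.177:443\nquery A mail.mofaiq.com\n"
    print("log hits:", log_hits(sample_log))
```

Matching on all three hash families at once matters because the advisory's MD5, SHA-1 and SHA-256 lists are not guaranteed to describe the same eight files, and a file that matches on one algorithm is enough to warrant a closer look. The subdomain rule in `log_hits` is what makes the domain indicators useful against DNS logs, since the tunneling traffic described above never queries the bare registered domain.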