Decrypt LOL

Analysis of WezRat Malware Linked to Iranian Cyber Group


Quick take - Check Point Research has analyzed WezRat, a modular infostealer linked to the Iranian cyber group Emennet Pasargad. The analysis details the malware's capabilities, its distribution methods, and recent phishing campaigns targeting Israeli organizations; authorities have also issued a Cybersecurity Advisory to help organizations defend against this evolving threat.

Fast Facts

  • Check Point Research analyzed WezRat, a modular infostealer malware linked to the Iranian cyber group Emennet Pasargad, known for targeting entities in the US, France, Sweden, and Israel.
  • The FBI and other agencies issued a Cybersecurity Advisory detailing WezRat’s capabilities, including command execution, keylogging, and data theft, with recent phishing campaigns distributing it via fake INCD emails.
  • WezRat’s architecture has evolved, featuring a persistence module that ensures it runs at system startup and a command and control (C&C) server for receiving commands and transmitting data.
  • Emennet Pasargad has expanded its operations to include disinformation campaigns, notably during the Summer Olympics, indicating a broader scope of cyber activities beyond malware.
  • Check Point has implemented protective measures against WezRat through its Threat Emulation and Harmony Endpoint services, providing organizations with Indicators of Compromise (IOCs) to enhance their defenses.

Check Point Research Analyzes WezRat Malware

Overview of WezRat and Its Origins

Check Point Research (CPR) has conducted an in-depth analysis of WezRat, a modular infostealer malware attributed to the Iranian cyber group Emennet Pasargad. This group, also known by names such as Aria Sepehr Ayandehsazan (ASA) and Anzu Team, has been linked to various cyber operations targeting entities in the United States, France, Sweden, and Israel.

The FBI, the US Department of Treasury, and the Israeli National Cybersecurity Directorate (INCD) have issued a joint Cybersecurity Advisory detailing the capabilities and distribution methods of WezRat.

Recent Phishing Campaign

The most recent version of WezRat was disseminated to Israeli organizations via phishing emails that impersonated the INCD. The phishing campaign, which took place on October 21, 2024, involved emails prompting recipients to update their Google Chrome browser. This led to the download of WezRat, which was bundled with a legitimate Google Chrome installer.

WezRat is a sophisticated piece of malware written in C++, employing obfuscation techniques to hide its functionality. It features a range of capabilities, including executing commands, taking screenshots, keylogging, uploading files, and stealing clipboard contents and cookie files. The malware’s architecture has evolved significantly over time, with new modules and backend infrastructure enhancements.

Ongoing Developments and Protections

Initial data collected by WezRat upon infection includes user profile paths, local machine IP addresses, computer names, and usernames. The backdoor connects to a command and control (C&C) server, from which it receives commands and to which it transmits data. WezRat supports various commands, such as updating sleep timers, executing specific commands, downloading additional files, and keylogging. Notably, the persistence module ensures that the backdoor runs at system startup by creating a registry key.

As of mid-2024, Emennet Pasargad expanded its operations to include a disinformation campaign during the Summer Olympics, targeting Israeli athletes. This highlights the group’s ongoing engagement in cyber operations beyond traditional malware distribution.

The advisory issued by the authorities provides several malware hashes attributed to Emennet Pasargad, with WezRat identified as one of the tracked families. Recent analyses have shown that WezRat continues to evolve, with new samples indicating ongoing development and refinement. The backend of WezRat transitioned to Kestrel around March 2024, suggesting continuous updates. Additionally, a separate set of socket-based samples has been observed, which differ significantly in functionality and communication methods from WezRat.

To combat the threats posed by WezRat, Check Point has introduced protections through its Threat Emulation and Harmony Endpoint services. The advisory also includes Indicators of Compromise (IOCs) and server addresses associated with WezRat, which are essential for organizations to defend against this persistent threat.

Original Source: Read the Full Article Here
