Analysis of WezRat Malware Attributed to Iranian Group
Quick take - Check Point Research has analyzed WezRat, a modular infostealer attributed to the Iranian cyber group Emennet Pasargad. The malware has been used in various cyber operations and was distributed through phishing emails targeting Israeli organizations; its evolving capabilities make it an ongoing threat to entities in the US, Europe, and the Middle East.
Fast Facts
- Check Point Research (CPR) analyzed WezRat, a modular infostealer linked to the Iranian cyber group Emennet Pasargad, as confirmed by a joint advisory from the FBI, US Department of Treasury, and Israeli National Cybersecurity Directorate.
- WezRat was distributed via phishing emails impersonating the INCD, leading victims to a lookalike domain that automatically downloaded a backdoor disguised as a Google Chrome installer.
- The malware features multiple capabilities, including command execution, screenshots, file uploads, keylogging, and clipboard data theft, with a modular design allowing for ongoing updates and functionality enhancements.
- Emennet Pasargad, also known as Anzu Team, has conducted various cyber operations, including disinformation campaigns and hacking incidents targeting organizations in the US, Europe, and the Middle East.
- Check Point provides protective measures against WezRat, including Indicators of Compromise (IOCs) to assist in detection and mitigation efforts.
Check Point Research Analyzes WezRat Infostealer
Check Point Research (CPR) has conducted an analysis of a modular infostealer known as WezRat. This malware has recently been attributed to the Iranian cyber group Emennet Pasargad. The attribution was made by a joint Cybersecurity Advisory issued by the FBI, the US Department of Treasury, and the Israeli National Cybersecurity Directorate (INCD).
Emennet Pasargad’s Cyber Operations
Emennet Pasargad has been linked to various cyber operations across multiple countries, including the United States, France, Sweden, and Israel. WezRat was notably distributed to Israeli organizations through phishing emails that impersonated the INCD, warning recipients of an urgent need to update their Chrome browser. Victims were directed to a lookalike domain where an automatic download of a backdoor occurred. This backdoor, written in C++, was packaged alongside a legitimate Google Chrome installer.
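The lure described above relies on a lookalike domain standing in for the impersonated sender. The following added example, which is not code from Check Point Research or from the advisory, shows one way a mail gateway or triage script can flag such domains: it extracts link hosts from a message body, reduces each to its registered domain, and compares it against an allowlist after folding common digit-for-letter substitutions and measuring edit distance. The allowlist entries (`incd-placeholder.example`, `google.com`) and the sample email are constructed; the page does not give the real INCD domain, so a placeholder stands in for it.

```python
"""Flag lookalike domains in email links (added example, not from the original article)."""
import re
from urllib.parse import urlparse

# Constructed allowlist; "incd-placeholder.example" stands in for the impersonated agency domain.
TRUSTED_DOMAINS = {"incd-placeholder.example", "google.com"}

# Constructed sample message modelled on the lure described in the article.
SAMPLE_EMAIL = """Urgent: update your Chrome browser now.
Download: https://update.incd-placeho1der.example/chrome_setup
Mirror: https://goog1e.com/update
Reference: https://www.google.com/chrome/
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def normalize(domain: str) -> str:
    """Fold common homoglyph substitutions so 'goog1e' compares equal to 'google'."""
    d = domain.lower().strip(".")
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Naive registered-domain extraction (last two labels); a real deployment
    would consult the public suffix list to handle e.g. co.uk."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def extract_hosts(text: str) -> list:
    hosts = []
    for m in URL_RE.finditer(text):
        host = urlparse(m.group(0)).hostname
        if host:
            hosts.append(host)
    return hosts


def classify_host(host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a link host."""
    reg = registered_domain(host)
    if reg in trusted:
        return "trusted"
    norm = normalize(reg)
    for t in trusted:
        tn = normalize(t)
        # Exact match after homoglyph folding, or a near-miss on the brand label
        # left of the TLD, is treated as imitation of the trusted domain.
        if norm == tn or levenshtein(norm.split(".")[0], tn.split(".")[0]) <= max_distance:
            return f"lookalike of {t}"
    return "unknown"


def scan_email(body: str) -> dict:
    """Map every link host in the message to its classification."""
    return {h: classify_host(h) for h in extract_hosts(body)}


if __name__ == "__main__":
    for host, verdict in scan_email(SAMPLE_EMAIL).items():
        print(f"{host:40} {verdict}")
```

The brand-label comparison deliberately ignores the TLD, because registrations under a different suffix (`.example` instead of `.gov.il`, say) are a common way to obtain an available lookalike; tuning `max_distance` trades false positives on short brand names against missed variants.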
Capabilities and Evolution of WezRat
The malware has several capabilities, including executing commands, taking screenshots, uploading files, keylogging, and stealing clipboard content and cookie files. The architecture of WezRat has evolved over time, featuring separate modules that can be retrieved from a command and control (C&C) server. Recent analysis revealed partial source code for WezRat’s backend, indicating that different individuals could be involved in its development and operation. This modular design has allowed WezRat to remain active for over a year without prior public analysis or attribution to any specific group.
The malware’s backend infrastructure has undergone multiple changes during its active period, gaining additional modules and functionalities. Notably, in mid-2023, Emennet Pasargad operated under the name Anzu Team, hacking a Swedish SMS service to disseminate messages related to Quran burnings. By December 2023, the group accessed a US-based IPTV streaming company to broadcast messages concerning the Israel-HAMAS conflict. Furthermore, in mid-2024, they launched a disinformation campaign aimed at Israeli athletes during the Summer Olympics.
Threat Mitigation and Protections
The joint advisory attributed several malware hashes to Emennet Pasargad; CPR tracks this malware as WezRat. The malware collects a range of system information, including the user profile path, local machine IP, computer name, and username. Its initial network requests to the C&C server register the infected machine and relay this user information. The backdoor then enters a command retrieval loop, receiving commands from the C&C server that include updating sleep timers, adding further C2 addresses, executing commands, downloading files, and keylogging.
WezRat employs basic string encryption for its command communication, and CPR identified five distinct DLL modules, each of which executes specific commands. Persistence is maintained through a registry key, so the backdoor remains on the infected machine. Earlier versions of the malware had hardcoded C2 addresses and did not require a “password” for execution. The ongoing development of WezRat indicates a commitment to maintaining a versatile tool for cyber espionage, posing a significant threat to entities across the US, Europe, and the Middle East.
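The article states only that persistence is kept through a registry key, without naming it. The following added example, which is not code from Check Point Research or from the advisory, scores registry value writes from a constructed Sysmon-style event log (Event ID 13, registry value set) to surface the pattern a defender would hunt for: an autorun key written with a target executable in a user-writable directory, by the same binary that is being registered. The autorun key paths come from general Windows knowledge and are an assumption about where such persistence typically lands, not a detail from the page; the event format and sample lines are constructed.

```python
"""Score registry autorun writes for persistence (added example, not from the original article)."""
from typing import Optional

# Common autostart locations; an assumption about typical persistence, not from the article.
AUTORUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\runonce\\",
)
# Directories a standard user can write to; legitimate autorun entries rarely live here.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\",
    "\\users\\public\\", "\\programdata\\",
)

# Constructed Sysmon-style events in a simple "key=value | key=value" line format.
SAMPLE_EVENTS = [
    'EventID=13 | Image=C:\\Users\\alice\\AppData\\Local\\Temp\\chrome_setup.exe'
    ' | TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ChromeUpdate'
    ' | Details="C:\\Users\\alice\\AppData\\Local\\Temp\\chrome_setup.exe" --silent',
    'EventID=13 | Image=C:\\Windows\\System32\\msiexec.exe'
    ' | TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent'
    ' | Details=C:\\Program Files\\Vendor\\agent.exe',
    'EventID=1 | Image=C:\\Windows\\System32\\notepad.exe | CommandLine=notepad.exe',
]


def parse_event(line: str) -> dict:
    """Split a 'k=v | k=v' line into a dict; values may contain spaces and quotes."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def executable_of(details: str) -> str:
    """Recover the executable path from a registry value that may carry arguments."""
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    idx = details.lower().find(".exe")
    if idx >= 0:
        return details[: idx + 4]
    return details.split()[0] if details else ""


def score_event(ev: dict) -> Optional[dict]:
    """Return a finding for registry-set events that touch an autorun key, else None."""
    if ev.get("EventID") != "13":
        return None
    target = ev.get("TargetObject", "")
    if not any(k in target.lower() for k in AUTORUN_KEYS):
        return None
    exe = executable_of(ev.get("Details", ""))
    image = ev.get("Image", "")
    score, reasons = 1, ["write to autorun key"]
    if any(seg in exe.lower() for seg in USER_WRITABLE):
        score += 2
        reasons.append("autorun target in user-writable directory")
    if image and image.lower() == exe.lower():
        score += 1
        reasons.append("binary registered itself for autostart")
    return {"value": target.rsplit("\\", 1)[-1], "exe": exe, "score": score, "reasons": reasons}


def scan(lines, threshold: int = 3) -> list:
    """Return findings at or above the threshold, in log order."""
    findings = []
    for line in lines:
        finding = score_event(parse_event(line))
        if finding and finding["score"] >= threshold:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['score']}] {f['value']} -> {f['exe']}: {', '.join(f['reasons'])}")
```

The vendor entry written by `msiexec.exe` into `HKLM` scores only 1 and stays below the threshold, while the self-registered binary under `Temp` reaches 4; in production the same scoring would be fed from the endpoint's real registry telemetry rather than the constructed lines above.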
Check Point Threat Emulation and Harmony Endpoint offer protections against the threats posed by WezRat. Indicators of Compromise (IOCs) and server addresses associated with the malware have been provided to aid in detection and mitigation efforts.