Targeted Iranian Attacks Against Iraqi Government Infrastructure
Sept. 12, 2024, 8:24 a.m.
Tags
External References
Description
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows connections to previously known APT34 malware families like Karkoff, Saitama, and IIS Group 2, which are associated with Iranian intelligence services. The campaign features unique command and control mechanisms and tailored infrastructure for specific targets. The initial infection vector likely involved social engineering, with malware disguised as document attachments. The actors demonstrated sophisticated techniques to evade detection and maintain persistence within compromised networks.
Date
Published: Sept. 12, 2024, 8:21 a.m.
Created: Sept. 12, 2024, 8:21 a.m.
Modified: Sept. 12, 2024, 8:24 a.m.
Indicators
e733b9444106ca37c3ef9e207ac6c813b787614496b275c1a455fccc3aca1c4a
9793ea98b7fbd43f0a7273594d7b4e53338048c651c33fbfdbeb1cc275957996
a9c92b29ee05c1522715c7a2f9c543740b60e36373cb47b5620b1f3d8ad96bfa
3ab29bc71ddd272f33f17c5108c044a570610c06ccba16cde1a4aa67b1524a8b
91.132.95.117
37.1.213.152
206.206.123.176
194.68.32.114
185.76.78.177
151.236.17.231
mail.miicrosoft.com
spacenet.fun
mofaiq.com
gov-iq.net
iqwebservice.com
asiacall.net
Attack Patterns
CacheHttp
Spearal
Veaty
APT34
T1090.004
T1071.004
T1543.003
T1048
T1132.001
T1573.001
T1059.001
T1567
T1071.001
T1105
T1003
Additional Informations
Government
Iraq