Targeted Iranian Attacks Against Iraqi Government Infrastructure

Sept. 12, 2024, 8:24 a.m.

Description

Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows connections to previously known APT34 malware families like Karkoff, Saitama, and IIS Group 2, which are associated with Iranian intelligence services. The campaign features unique command and control mechanisms and tailored infrastructure for specific targets. The initial infection vector likely involved social engineering, with malware disguised as document attachments. The actors demonstrated sophisticated techniques to evade detection and maintain persistence within compromised networks.

Date

Published: Sept. 12, 2024, 8:21 a.m.

Created: Sept. 12, 2024, 8:21 a.m.

Modified: Sept. 12, 2024, 8:24 a.m.

Indicators

e733b9444106ca37c3ef9e207ac6c813b787614496b275c1a455fccc3aca1c4a

9793ea98b7fbd43f0a7273594d7b4e53338048c651c33fbfdbeb1cc275957996

a9c92b29ee05c1522715c7a2f9c543740b60e36373cb47b5620b1f3d8ad96bfa

3ab29bc71ddd272f33f17c5108c044a570610c06ccba16cde1a4aa67b1524a8b

91.132.95.117

37.1.213.152

206.206.123.176

194.68.32.114

185.76.78.177

151.236.17.231

Attack Patterns

CacheHttp

Spearal

Veaty

APT34

T1090.004

T1071.004

T1543.003

T1048

T1132.001

T1573.001

T1059.001

T1567

T1071.001

T1105

T1003

Additional Informations

Government

Iraq