In a concerning development for cybersecurity in the Middle East, Iraqi government networks have fallen victim to an elaborate cyber attack campaign orchestrated by OilRig, a state-sponsored threat actor associated with Iran’s regime. This sophisticated operation, uncovered by cybersecurity firm Check Point, targeted high-profile Iraqi organizations, including the Prime Minister’s Office and the Ministry of Foreign Affairs.
OilRig, also known by various aliases such as APT34, Crambus, Cobalt Gypsy, and Helix Kitten, is a notorious cyber group linked to the Iranian Ministry of Intelligence and Security (MOIS). The group’s activities, dating back to at least 2014, have predominantly focused on conducting phishing attacks across the Middle East to deploy an array of custom backdoors for information theft.
In this latest campaign, the Iranian regime’s cyber operatives have introduced two new malware families dubbed Veaty and Spearal. These sophisticated tools are designed to execute PowerShell commands and harvest files of interest, demonstrating the evolving capabilities of Iran’s cyber arsenal.
What sets this attack apart is the employment of unique command-and-control (C2) mechanisms, including a custom DNS tunneling protocol and a tailor-made email-based C2 channel. The latter utilizes compromised email accounts within the targeted organizations, indicating that the Iranian regime’s hackers had already successfully infiltrated the victims’ networks prior to launching the main attack.
The attack chain begins with deceptive files masquerading as harmless documents, such as “Avamer.pdf.exe” or “IraqiDoc.docx.rar”. When unsuspecting users launch these files, they trigger the deployment of Veaty and Spearal. This infection pathway likely involved social engineering tactics, a common method employed by Iran’s regime in its cyber operations.
Spearal, a .NET backdoor, employs DNS tunneling for C2 communication, encoding data in the subdomains of DNS queries using a custom Base32 scheme. Its capabilities include executing PowerShell commands, reading and transmitting file contents, and retrieving data from the C2 server.
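As an added example (not code from Check Point or from the malware), a detection heuristic for the DNS-tunneling C2 described above, run over a constructed DNS query log. It scores each (client, registered domain) pair by the number of distinct subdomains, their average length and their character entropy, so it does not depend on knowing the custom Base32 alphabet; the "last two labels form the registered domain" split is an assumption, and the log lines and domain names are made up for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log as (client_ip, queried_name).
# These are made-up lines for the example, not indicators from the report.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "login.example.com"),
    ("10.0.0.7", "nbswy3dpeb3w64tmmq.tunnel-demo.example"),
    ("10.0.0.7", "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.tunnel-demo.example"),
    ("10.0.0.7", "ge2dkmzwgq3tinjzgqzdonbxhe4tambq.tunnel-demo.example"),
    ("10.0.0.7", "krugkidrovuwg2zamjzg653oebtgk6l.tunnel-demo.example"),
    ("10.0.0.9", "assets.example.org"),
]

def split_name(name):
    """Split a query name into (subdomain, registered_domain).
    Assumption: the registered domain is the last two labels; production
    tooling should consult the Public Suffix List instead."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def shannon_entropy(s):
    """Bits of entropy per character: encoded payloads score high, words low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_tunnel_candidates(queries, min_distinct=3, min_len=16, min_entropy=3.0):
    """Group queries by (client, registered domain) and flag groups whose
    subdomains are numerous, long and high-entropy: the shape tunneled data
    takes whatever Base32 alphabet the encoder uses."""
    groups = defaultdict(set)
    for client, name in queries:
        sub, domain = split_name(name)
        if sub:
            groups[(client, domain)].add(sub)
    flagged = {}
    for (client, domain), subs in groups.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if len(subs) >= min_distinct and avg_len >= min_len and avg_ent >= min_entropy:
            flagged[(client, domain)] = {"distinct": len(subs),
                                         "avg_len": round(avg_len, 1),
                                         "avg_entropy": round(avg_ent, 2)}
    return flagged

if __name__ == "__main__":
    for key, stats in find_tunnel_candidates(SAMPLE_QUERIES).items():
        print(key, stats)
```

Thresholds are starting points; tune them against a baseline of the organisation's own resolver logs, since CDNs and some security products also generate long, machine-looking labels.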
Veaty, also written in .NET, leverages compromised email accounts for C2 communications, specifically targeting mailboxes within the gov-iq.net domain. This malware can upload and download files, as well as run PowerShell scripts, providing the Iranian regime’s hackers with extensive control over infected systems.
Further investigation by Check Point revealed additional components of the Iranian regime’s cyber toolkit, including an SSH tunneling backdoor and an HTTP-based backdoor named CacheHttp.dll. The latter targets Microsoft’s Internet Information Services (IIS) servers, representing an evolution of previously identified APT34 malware.
This campaign against Iraqi government infrastructure underscores the persistent and focused efforts of Iranian regime-backed threat actors operating in the region. The deployment of custom protocols and specialized C2 mechanisms highlights the deliberate effort by Iran’s cyber operatives to develop and maintain advanced attack capabilities.
The sophistication of this attack serves as a stark reminder of the evolving cyber threats faced by governments and organizations in the Middle East. It emphasizes the need for robust cybersecurity measures and continuous vigilance against state-sponsored cyber operations, particularly those originating from Iran’s regime.
As tensions in the region continue to simmer, it is likely that such cyber campaigns will persist and potentially escalate. The international community must remain alert to these digital threats and work collaboratively to strengthen cyber defenses against state-sponsored attacks, especially those orchestrated by Iran’s regime and other hostile actors in the region.