Check Point Research uncovered a new malware campaign targeting Iraqi government entities that employs two custom tools, named Veaty and Spearal. The attack uses several techniques, including passive IIS backdoors, DNS tunneling, and C2 communication over compromised email accounts. The malware shows connections to previously known APT34 malware families such as Karkoff, Saitama, and IIS Group 2, which are associated with Iranian intelligence services. The campaign features unique command-and-control mechanisms and infrastructure tailored to specific targets. The initial infection vector likely involved social engineering, with the malware disguised as document attachments. The actors demonstrated sophisticated techniques to evade detection and maintain persistence within compromised networks.
Author: AlienVault
Related Tags:
email c2
CacheHttp
Spearal
Veaty
T1071.004
iran
T1573.001
T1132.001
T1090.004
Associated Indicators: