Saturday, January 25, 2025
HomeCyber Security NewsThreat Actors Using New Malware Toolkit That Involves IIS Backdoor, DNS Tunneling

Threat Actors Using New Malware Toolkit That Involves IIS Backdoor, DNS Tunneling

Published on

SIEM as a Service

Follow Us on Google News

The Iranian threat actor APT34, also known as GreenBug, has recently launched a new campaign targeting Iraqi government entities by employing a custom toolset, including a novel IIS backdoor and DNS tunneling protocol. 

The malware used in this campaign shares similarities with previously reported APT34 malware families, such as Karkoff, Saitama, and IIS Group 2. 

The threat actor’s use of compromised email accounts within the targeted organizations highlights their ability to infiltrate victim networks effectively, which strongly suggests a connection between this campaign and APT34’s ongoing activities in the region.

The installer used to deploy the Spearal malware bears the Iraqi General Secretariat of the Council of Ministers logo.

A Spearal malware campaign employs a multi-stage infection process, beginning with social engineering tactics to deliver malicious files disguised as document attachments, such as Avamer.pdf.exe and ncms_demo.msi, and execute PowerShell or Pyinstaller scripts to deploy the malware and its configuration. 

The scripts manipulate file timestamps and add registry entries for persistence, while the malware’s configuration file, structured as an XML file with base64-encoded keys and values, contains essential parameters for the malware’s operation.

Spearal Config (decoded)

Spearal and Veaty are malicious backdoors written in .NET, where Spearal uses DNS tunneling for communication, hiding data within subdomain queries to a C2 server, while Veaty leverages compromised email accounts for C2, bypassing security by disabling certificate verification during communication with the Exchange server. 

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

Both backdoors can execute commands, upload/download files, and facilitate attacker control. Spearal uses a custom Base32 encoding scheme for data transmission, while Veaty relies directly on email content.

The infection chain installing Veaty malware

The malware Veaty uses email for C2 communication, which creates a rule to move emails with a specific string in the subject line (e.g., “PMO”) to a designated folder (e.g., “deletedItems”) by sending “alive” messages to a configured recipient at a set interval and searches for command emails in the C2 mailbox. 

It can be to download files, upload files, or execute commands and is encrypted with a key from the configuration file.

The malware sends results back to the C2 server in the same format as the command emails (attachment or body) depending on a configuration value. 

Example of an Alive message

APT34, a threat actor group, has been targeting Iraqi government entities with a combination of malware families, including Veaty, Spearal, and an IIS backdoor variant named CacheHttp.dll. 

Veaty and Spearal malware use compromised email accounts to send commands and communicate through email tunneling or DNS tunneling.

CacheHttp.dll is a newer version of the IIS Group2 backdoor with additional functionalities and communicates through encrypted cookies. 

HTTP Listener Malware

According to CheckPoint, the communication methods and code similarities between CacheHttp.dll, IIS Group2, and RGDoor (another APT34 backdoor) suggest they might be variants of the same tool.  

A cyberespionage campaign targeting Iraqi government infrastructure utilized custom tools and C2 infrastructure linked to the Iranian APT34 group, where the attackers deployed a custom DNS tunneling protocol and compromised email accounts for C2 communication. 

It fits with APT34’s strategy of using both simple tools and complex C2 mechanisms, like the Veaty and Spearal malware, along with a passive IIS backdoor. This campaign is also linked to APT34’s known methods.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...