Threat Actors Using New Malware Toolkit That Involves IIS Backdoor, DNS Tunneling

The Iranian threat actor APT34, also known as GreenBug, has recently launched a new campaign targeting Iraqi government entities by employing a custom toolset, including a novel IIS backdoor and DNS tunneling protocol. 

The malware used in this campaign shares similarities with previously reported APT34 malware families, such as Karkoff, Saitama, and IIS Group 2. 

The threat actor’s use of compromised email accounts within the targeted organizations highlights their ability to infiltrate victim networks effectively, which strongly suggests a connection between this campaign and APT34’s ongoing activities in the region.

A Spearal malware campaign employs a multi-stage infection process, beginning with social engineering tactics to deliver malicious files disguised as document attachments, such as Avamer.pdf.exe and ncms_demo.msi, and execute PowerShell or Pyinstaller scripts to deploy the malware and its configuration. 

The scripts manipulate file timestamps and add registry entries for persistence, while the malware’s configuration file, structured as an XML file with base64-encoded keys and values, contains essential parameters for the malware’s operation.

Spearal and Veaty are malicious backdoors written in .NET, where Spearal uses DNS tunneling for communication, hiding data within subdomain queries to a C2 server, while Veaty leverages compromised email accounts for C2, bypassing security by disabling certificate verification during communication with the Exchange server. 

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

Both backdoors can execute commands, upload/download files, and facilitate attacker control. Spearal uses a custom Base32 encoding scheme for data transmission, while Veaty relies directly on email content.

The malware Veaty uses email for C2 communication, which creates a rule to move emails with a specific string in the subject line (e.g., “PMO”) to a designated folder (e.g., “deletedItems”) by sending “alive” messages to a configured recipient at a set interval and searches for command emails in the C2 mailbox. 

It can be to download files, upload files, or execute commands and is encrypted with a key from the configuration file.

The malware sends results back to the C2 server in the same format as the command emails (attachment or body) depending on a configuration value. 

APT34, a threat actor group, has been targeting Iraqi government entities with a combination of malware families, including Veaty, Spearal, and an IIS backdoor variant named CacheHttp.dll. 

Veaty and Spearal malware use compromised email accounts to send commands and communicate through email tunneling or DNS tunneling.

CacheHttp.dll is a newer version of the IIS Group2 backdoor with additional functionalities and communicates through encrypted cookies. 

According to CheckPoint, the communication methods and code similarities between CacheHttp.dll, IIS Group2, and RGDoor (another APT34 backdoor) suggest they might be variants of the same tool.  

A cyberespionage campaign targeting Iraqi government infrastructure utilized custom tools and C2 infrastructure linked to the Iranian APT34 group, where the attackers deployed a custom DNS tunneling protocol and compromised email accounts for C2 communication. 

It fits with APT34’s strategy of using both simple tools and complex C2 mechanisms, like the Veaty and Spearal malware, along with a passive IIS backdoor. This campaign is also linked to APT34’s known methods.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar