Cyber Security News

Threat Actors Using New Malware Toolkit That Involves IIS Backdoor, DNS Tunneling

The Iranian threat actor APT34, also known as GreenBug, has recently launched a new campaign targeting Iraqi government entities by employing a custom toolset, including a novel IIS backdoor and DNS tunneling protocol. 

The malware used in this campaign shares similarities with previously reported APT34 malware families, such as Karkoff, Saitama, and IIS Group 2. 

The threat actor’s use of compromised email accounts within the targeted organizations highlights their ability to infiltrate victim networks effectively, which strongly suggests a connection between this campaign and APT34’s ongoing activities in the region.

The installer used to deploy the Spearal malware bears the Iraqi General Secretariat of the Council of Ministers logo.

A Spearal malware campaign employs a multi-stage infection process, beginning with social engineering tactics to deliver malicious files disguised as document attachments, such as Avamer.pdf.exe and ncms_demo.msi, and execute PowerShell or Pyinstaller scripts to deploy the malware and its configuration. 

The scripts manipulate file timestamps and add registry entries for persistence, while the malware’s configuration file, structured as an XML file with base64-encoded keys and values, contains essential parameters for the malware’s operation.

Spearal Config (decoded)

Spearal and Veaty are malicious backdoors written in .NET, where Spearal uses DNS tunneling for communication, hiding data within subdomain queries to a C2 server, while Veaty leverages compromised email accounts for C2, bypassing security by disabling certificate verification during communication with the Exchange server. 

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

Both backdoors can execute commands, upload/download files, and facilitate attacker control. Spearal uses a custom Base32 encoding scheme for data transmission, while Veaty relies directly on email content.

The infection chain installing Veaty malware

The malware Veaty uses email for C2 communication, which creates a rule to move emails with a specific string in the subject line (e.g., “PMO”) to a designated folder (e.g., “deletedItems”) by sending “alive” messages to a configured recipient at a set interval and searches for command emails in the C2 mailbox. 

It can be to download files, upload files, or execute commands and is encrypted with a key from the configuration file.

The malware sends results back to the C2 server in the same format as the command emails (attachment or body) depending on a configuration value. 

Example of an Alive message

APT34, a threat actor group, has been targeting Iraqi government entities with a combination of malware families, including Veaty, Spearal, and an IIS backdoor variant named CacheHttp.dll. 

Veaty and Spearal malware use compromised email accounts to send commands and communicate through email tunneling or DNS tunneling.

CacheHttp.dll is a newer version of the IIS Group2 backdoor with additional functionalities and communicates through encrypted cookies. 

HTTP Listener Malware

According to CheckPoint, the communication methods and code similarities between CacheHttp.dll, IIS Group2, and RGDoor (another APT34 backdoor) suggest they might be variants of the same tool.  

A cyberespionage campaign targeting Iraqi government infrastructure utilized custom tools and C2 infrastructure linked to the Iranian APT34 group, where the attackers deployed a custom DNS tunneling protocol and compromised email accounts for C2 communication. 

It fits with APT34’s strategy of using both simple tools and complex C2 mechanisms, like the Veaty and Spearal malware, along with a passive IIS backdoor. This campaign is also linked to APT34’s known methods.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…

1 day ago

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…

2 days ago

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…

2 days ago

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…

2 days ago

Raspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection…

2 days ago

145,000 ICS Systems, Thousands of HMIs Exposed to Cyber Attacks

Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…

2 days ago