Cyber Security News

Threat Actors Using New Malware Toolkit That Involves IIS Backdoor, DNS Tunneling

The Iranian threat actor APT34, also known as GreenBug, has recently launched a new campaign targeting Iraqi government entities by employing a custom toolset, including a novel IIS backdoor and DNS tunneling protocol. 

The malware used in this campaign shares similarities with previously reported APT34 malware families, such as Karkoff, Saitama, and IIS Group 2. 

The threat actor’s use of compromised email accounts within the targeted organizations highlights their ability to infiltrate victim networks effectively, which strongly suggests a connection between this campaign and APT34’s ongoing activities in the region.

The installer used to deploy the Spearal malware bears the Iraqi General Secretariat of the Council of Ministers logo.

A Spearal malware campaign employs a multi-stage infection process, beginning with social engineering tactics to deliver malicious files disguised as document attachments, such as Avamer.pdf.exe and ncms_demo.msi, and execute PowerShell or Pyinstaller scripts to deploy the malware and its configuration. 

The scripts manipulate file timestamps and add registry entries for persistence, while the malware’s configuration file, structured as an XML file with base64-encoded keys and values, contains essential parameters for the malware’s operation.

Spearal Config (decoded)

Spearal and Veaty are malicious backdoors written in .NET, where Spearal uses DNS tunneling for communication, hiding data within subdomain queries to a C2 server, while Veaty leverages compromised email accounts for C2, bypassing security by disabling certificate verification during communication with the Exchange server. 

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

Both backdoors can execute commands, upload/download files, and facilitate attacker control. Spearal uses a custom Base32 encoding scheme for data transmission, while Veaty relies directly on email content.

The infection chain installing Veaty malware

The malware Veaty uses email for C2 communication, which creates a rule to move emails with a specific string in the subject line (e.g., “PMO”) to a designated folder (e.g., “deletedItems”) by sending “alive” messages to a configured recipient at a set interval and searches for command emails in the C2 mailbox. 

It can be to download files, upload files, or execute commands and is encrypted with a key from the configuration file.

The malware sends results back to the C2 server in the same format as the command emails (attachment or body) depending on a configuration value. 

Example of an Alive message

APT34, a threat actor group, has been targeting Iraqi government entities with a combination of malware families, including Veaty, Spearal, and an IIS backdoor variant named CacheHttp.dll. 

Veaty and Spearal malware use compromised email accounts to send commands and communicate through email tunneling or DNS tunneling.

CacheHttp.dll is a newer version of the IIS Group2 backdoor with additional functionalities and communicates through encrypted cookies. 

HTTP Listener Malware

According to CheckPoint, the communication methods and code similarities between CacheHttp.dll, IIS Group2, and RGDoor (another APT34 backdoor) suggest they might be variants of the same tool.  

A cyberespionage campaign targeting Iraqi government infrastructure utilized custom tools and C2 infrastructure linked to the Iranian APT34 group, where the attackers deployed a custom DNS tunneling protocol and compromised email accounts for C2 communication. 

It fits with APT34’s strategy of using both simple tools and complex C2 mechanisms, like the Veaty and Spearal malware, along with a passive IIS backdoor. This campaign is also linked to APT34’s known methods.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Indonesia Government Data Breach – Hackers Leaked 82 GB of Sensitive Data Online

Hackers have reportedly infiltrated and extracted a vast 82 GB of sensitive data from the Indonesian…

3 hours ago

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating system…

4 hours ago

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability in Apache…

5 hours ago

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber espionage…

5 hours ago

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

2 days ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

2 days ago