Cybersecurity researchers have publicly documented a newly discovered remote access trojan and information stealer that Iranian state-sponsored attackers use to reconnoitre compromised endpoints and execute commands on them.
The malware, which Check Point has named WezRat, has been observed in the wild since at least September 1, 2023, according to artefacts uploaded to VirusTotal.
“WezRat can execute commands, take screenshots, upload files, perform keylogging, and steal clipboard content and cookie files,” according to a technical report. “Some functions are performed by separate modules retrieved from the command and control (C&C) server in the form of DLL files, making the backdoor’s main component less suspicious.”
WezRat is believed to be the work of Cotton Sandstorm, an Iranian hacking group also tracked as Emennet Pasargad and, more recently, Aria Sepehr Ayandehsazan (ASA).
U.S. and Israeli cybersecurity authorities first publicly reported the malware late last month, characterising it as an “exploitation tool for gathering information about an end point and running remote commands.”
According to the government advisory, the attack chains rely on a trojanized Google Chrome installer (“Google Chrome Installer.msi”). The installer deploys the genuine Chrome browser but is also configured to launch a second executable, “Updater.exe” (known internally as “bd.exe”).
That executable is the malware itself: it collects system information and connects to a command-and-control (C&C) server (“connect.il-cert[.]net”), where it waits for further commands.
According to Check Point, WezRat has been sent to a number of Israeli organisations in phishing emails that seem to be from the Israeli National Cyber Directorate (INCD). The October 21, 2024, emails, which came from the email address “alert@il-cert[.]net,” told recipients to apply a Chrome security update immediately.
“The backdoor is executed with two parameters: connect.il-cert.net 8765, which represents the C&C server, and a number used as a ‘password’ to enable the correct execution of the backdoor,” Check Point stated, adding that if the password is entered incorrectly, the malware may “execute an incorrect function or potentially crash.”
The supported commands, implemented as additional DLL files downloaded from the server, let the malware register a second C&C server as a fallback, upload and download files, take screenshots, log keystrokes, extract clipboard content, steal cookies from Chromium-based browsers, and run commands through cmd.exe.
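The delivery chain and indicators described above (the installer name, the Updater.exe/bd.exe backdoor, its “host port password” arguments, the C&C endpoint, DLL modules fetched at runtime, and the lure sender) translate directly into endpoint hunting rules. The following is an added example, not code from Check Point, the INCD or the article. It assumes a pipe-separated key=value log export with Sysmon-style event IDs (1 process create, 3 network connect, 7 image load, 11 file create); the sample events are constructed, and the numeric password in the sample command line is a placeholder, since the article does not give real values.

```python
"""Hunting rules for the WezRat indicators quoted in the article.

Added example, not Check Point's or the INCD's code. Log format and
sample events are constructed; indicators (hostname, port, sender,
file names) are the ones reported in the article.
"""
import ntpath
import re

C2_HOST = "connect.il-cert.net"             # C&C hostname from the article
C2_PORT = "8765"                             # port passed as the first argument
PHISH_SENDER = "alert@il-cert.net"           # sender of the 21 Oct 2024 lure
INSTALLER_NAME = "google chrome installer.msi"
BACKDOOR_NAMES = {"updater.exe", "bd.exe"}   # public and internal file names

# "<image> connect.il-cert.net 8765 <number>": host, port, numeric password.
ARGS_RE = re.compile(r"\s" + re.escape(C2_HOST) + r"\s+" + C2_PORT + r"\s+(\d+)\s*$")


def parse_event(line):
    """Split 'Key=Value|Key=Value' into a dict (values may contain ':' and '\\')."""
    return dict(field.split("=", 1) for field in line.split("|") if "=" in field)


def basename(path):
    return ntpath.basename(path).lower()


def classify(event):
    """Return the list of indicator names an event matches (empty if benign)."""
    hits = []
    eid = event.get("EventID")
    image = basename(event.get("Image", ""))
    if eid == "11" and basename(event.get("TargetFilename", "")) == INSTALLER_NAME:
        hits.append("trojanized-installer-name")
    if eid == "1" and image in BACKDOOR_NAMES:
        hits.append("backdoor-image-name")
        if ARGS_RE.search(event.get("CommandLine", "")):
            hits.append("c2-args-with-password")
        if basename(event.get("ParentImage", "")) == "msiexec.exe":
            hits.append("spawned-by-msi")
    if (eid == "3" and event.get("DestinationHostname", "").lower() == C2_HOST
            and event.get("DestinationPort") == C2_PORT):
        hits.append("c2-connection")
    if eid == "7" and image in BACKDOOR_NAMES:
        loaded = event.get("ImageLoaded", "")
        # Modules arrive from the C&C as DLLs; the heuristic used here is an
        # unsigned DLL loaded by the backdoor from its own directory.
        if (loaded.lower().endswith(".dll") and event.get("Signed", "").lower() == "false"
                and ntpath.dirname(loaded).lower() == ntpath.dirname(event.get("Image", "")).lower()):
            hits.append("unsigned-module-from-backdoor-dir")
    return hits


def is_lure_sender(from_header):
    """True when a From: header carries the spoofed INCD-looking address."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = (m.group(1) if m else from_header).strip().lower()
    return addr == PHISH_SENDER


def scan(lines):
    """Map each matching line index to its hits; benign lines are omitted."""
    result = {}
    for i, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            result[i] = hits
    return result


# Constructed sample telemetry (not real logs). "4821" stands in for the
# numeric password argument; "mod1.dll" stands in for a fetched module.
SAMPLE_EVENTS = [
    r"EventID=11|Image=C:\Windows\System32\msiexec.exe|TargetFilename=C:\Users\dana\Downloads\Google Chrome Installer.msi",
    r"EventID=1|Image=C:\Users\dana\AppData\Local\Temp\Updater.exe|ParentImage=C:\Windows\System32\msiexec.exe|CommandLine=Updater.exe connect.il-cert.net 8765 4821",
    r"EventID=1|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=chrome.exe --profile-directory=Default",
    r"EventID=3|Image=C:\Users\dana\AppData\Local\Temp\Updater.exe|DestinationHostname=connect.il-cert.net|DestinationPort=8765",
    r"EventID=7|Image=C:\Users\dana\AppData\Local\Temp\Updater.exe|ImageLoaded=C:\Users\dana\AppData\Local\Temp\mod1.dll|Signed=false",
    r"EventID=7|Image=C:\Users\dana\AppData\Local\Temp\Updater.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, ", ".join(hits))
    print(is_lure_sender("INCD Alerts <alert@il-cert.net>"))
```

The rules are deliberately layered: the file name and sender checks are cheap but easy for the operators to change, the argument pattern and the C&C endpoint are tied to the reported build, and the module-load heuristic is the one most likely to survive a rebrand, at the cost of occasional false positives from legitimate updaters that drop unsigned DLLs beside themselves.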
“The earlier versions of WezRat had hard-coded C&C server addresses and didn’t rely on the ‘password’ argument to run,” Check Point stated. “At first, WezRat operated more like a straightforward remote access trojan with simple commands. Other functions, such as the ability to take screenshots and a keylogger, were added over time and managed as distinct commands.”
Additionally, the company’s examination of the malware and its backend architecture indicates that WezRat’s creation and operations are the work of at least two distinct teams.
“The ongoing development and refinement of WezRat indicates a dedicated investment in maintaining a versatile and evasive tool for cyber espionage,” it stated.
“Emennet Pasargad’s activities target various entities across the United States, Europe, and the Middle East, posing a threat not only to direct political adversaries but also to any group or individual with influence over Iran’s international or domestic narrative.”