Spotlight on Iranian Cyber Group Emennet Pasargad’s Malware
Executive Summary
- On October 21, 2024, multiple emails impersonating the Israeli National Cyber Directorate (INCD) were sent to various Israeli organizations from the fraudulent address. These emails warned recipients of the urgent necessity to update their Chrome browser.
- In a joint Cyber Security Advisory, the FBI, the U.S. Department of the Treasury, and the Israeli National Cybersecurity Directorate (INCD) attributed the malware used in the campaign, dubbed WezRat by Check Point Research, to the Iranian cyber group Emennet Pasargad. This group is responsible for several different cyber operations conducted in the United States, France, Sweden, and Israel.
- Check Point Research provides a technical analysis of the malware that has been active for over a year, though it has never been publicly analyzed.
- Check Point Research uncovers that the newest version of WezRat can execute commands, take screenshots, upload files, perform keylogging, and steal clipboard content and cookie files.
Check Point Research delved into the custom modular infostealer known as WezRat after the FBI, the US Department of Treasury, and the Israeli National Cybersecurity Directorate issued a joint Cybersecurity Advisory about the campaign. The latest version of WezRat was recently distributed to multiple Israeli organizations in a wave of emails impersonating the Israeli National Cyber Directorate (INCD). In the advisory, the attack was attributed to the Iranian cyber group Emennet Pasargad, a group already notorious for its alarming cyber operations across the globe, including attacks on targets in the US, France, Sweden, and Israel.
This post will explore the capabilities of WezRat, the implications of its modular design, and the ongoing investigations into its origin and operation.
The History of Cyber Group Emennet Pasargad
Cyber defense organizations have monitored the Iranian cyber group Emennet Pasargad for several years. The group has operated under numerous names and is connected to the Iranian Islamic Revolutionary Guard Corps (IRGC). Historically, Emennet Pasargad has conducted operations that have affected multiple countries, including the United States, France, Israel, and Sweden.
The following is a timeline of some of these activities:
- On October 20, 2021, a grand jury in New York indicted two Iranian nationals linked to Emennet Pasargad on charges of hacking, fraud, voter intimidation, interstate threats, and conspiracy stemming from their alleged involvement in a scheme to disrupt the 2020 U.S. Presidential Election.
- In mid-2023, the group, operating under the name Anzu Team, hacked a Swedish SMS service and sent messages calling for revenge against those responsible for the Quran burnings that occurred throughout the year.
- In December 2023, the group, operating under the name “For-Humanity”, obtained unauthorized access to a U.S.-based IPTV streaming service to transmit customized messages related to the Israel-HAMAS conflict.
- In mid-2024, the group launched a disinformation campaign during the Summer Olympics by hacking a French display provider to project anti-Israeli images and send threats to Israeli athletes, masquerading as the far-right group Regiment GUD, which impersonated the real French group GUD.
- In 2023 and 2024, the group conducted various influence operations in Israel using cover identities like Cyber Flood, Contact-HSTG, and Cyber Court.
Emennet Pasargad Continues to Enhance WezRat
On October 21, 2024, numerous emails impersonating the Israeli National Cyber Directorate (INCD) were dispatched to Israeli organizations. These messages, originating from a fake email address, urged recipients to update their Chrome browser immediately.
The custom infostealer was identified in a joint Cybersecurity Advisory by the FBI, the US Department of Treasury, and the INCD and was attributed to Emennet Pasargad.
Check Point Research Analyzes the Malware
Once identified, Check Point Research tracked and analyzed the custom infostealer, naming it WezRat. Earlier versions of WezRat date back to August 2023 and are also attributed to the same group, Emennet Pasargad.
The phishing email contained a link that appeared to point to the legitimate INCD site but redirected to a fake site. When victims clicked the link, they downloaded a file that included the genuine Google Chrome installer but also installed a backdoor. This backdoor was executed with specific instructions, and a registry entry named “Chrome Updater” was added for future execution.
The phishing email contained a link that seemed to direct users to the official INCD site, but it led to a deceptive lookalike domain. Once there, victims would automatically download a file named “Google Chrome Installer,” after which they would be redirected to the genuine INCD website.
The downloaded package, Google Chrome Installer, contained the legitimate Google Chrome installer and related files, but it also contained the latest version of WezRat, a backdoor named Updater.exe.
Analysis by Check Point Research revealed that WezRat can execute commands, take screenshots, upload files, perform keylogging, and steal clipboard content and cookie files. Certain functions are executed by individual modules downloaded from the command and control (C&C) server in the form of DLL files, making the backdoor’s primary component appear less suspicious. Further analysis uncovered partial source code for the WezRat backend. Upon investigation, Check Point Research found evidence suggesting that different groups may be responsible for the malware: one group for development and another for operation of WezRat. Typically, one attacker develops and operates the tool, but in this case, it is clear that an organization with both development and operational departments is behind the malware.
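The infection chain described above leaves two host-based artifacts a defender can hunt for: a Run-key persistence entry named “Chrome Updater” and a binary named Updater.exe that lives alongside a copied Chrome installer rather than in Google’s own install directory. The script below, an added example that is not part of the original report or of any Check Point tooling, parses a registry export in the `.reg` text format and flags Run/RunOnce entries matching those traits. The sample export, the user profile paths, and the allow-list of “trusted” Google directories are all constructed assumptions for the demonstration; the advisory does not state where the real entry or binary is placed.

```python
"""Hunt a .reg export for Run-key persistence that mimics a Chrome updater.

Assumptions (not from the report): the allow-listed Google directories,
the sample registry export, and the exact paths in it are constructed here.
"""
import re
from typing import Dict, List, Optional

# Registry keys that auto-start programs at logon (Run and RunOnce).
RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\CurrentVersion\\Run(?:Once)?)\]$", re.I)
# A REG_SZ value line:  "Name"="data"  (both sides use \" and \\ escapes).
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')

# Where the genuine Google updater is installed (assumption for the allow-list).
TRUSTED_DIRS = (
    "c:\\program files\\google\\",
    "c:\\program files (x86)\\google\\",
)

# Constructed sample export: one benign entry, one genuine Google entry,
# and one entry shaped like the "Chrome Updater" persistence described above.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Chrome Updater"="\"C:\\Users\\user\\AppData\\Local\\Temp\\Google Chrome Installer\\Updater.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoogleUpdate"="\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /c"
"""


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\" -> \" and \\\\ -> \\ in one pass."""
    return re.sub(r"\\(.)", r"\1", s)


def _exe_path(data: str) -> str:
    """Extract the executable path from a command line (quoted or bare)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end != -1 else data[1:]
    return data.split(" ")[0]


def find_suspicious_run_entries(reg_text: str) -> List[Dict[str, object]]:
    """Return Run/RunOnce values that look like a fake Chrome updater."""
    findings: List[Dict[str, object]] = []
    current_key: Optional[str] = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            current_key = m.group(1) if m else None  # only track Run keys
            continue
        if current_key is None:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = _unescape(m.group(1))
        exe = _exe_path(_unescape(m.group(2)))
        exe_l = exe.lower()
        trusted = exe_l.startswith(TRUSTED_DIRS)
        reasons = []
        # Trait 1: a value named like a Chrome updater that runs from outside Google's install dir.
        if "chrome" in name.lower() and "updat" in name.lower() and not trusted:
            reasons.append("Chrome-updater-style name outside Google install dir")
        # Trait 2: a binary literally called Updater.exe outside Google's install dir.
        if exe_l.endswith("\\updater.exe") and not trusted:
            reasons.append("Updater.exe outside Google install dir")
        if reasons:
            findings.append({"key": current_key, "name": name, "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f"[{f['key']}] {f['name']!r} -> {f['exe']}: {'; '.join(f['reasons'])}")
```

On a live host the input would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM equivalent); the parser deliberately ignores every key that is not a Run/RunOnce key so that unrelated values never trigger a finding, and the genuine GoogleUpdate entry passes because it sits under the allow-listed directory.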
Enhancing Cybersecurity: The Evolving Threat Landscape and Proactive Defenses
The continuous enhancement and improvement of WezRat demonstrate a strong commitment to maintaining a flexible and elusive framework for cyber espionage. Emennet Pasargad’s operations target a range of targets in the United States, Europe, and the Middle East, posing risks not only to direct political opponents but also to any individual or group that shapes Iran’s international or domestic narrative.
Check Point Threat Emulation and Harmony Endpoint deliver robust protection against diverse attack tactics, file types, and operating systems, defending against various threats as detailed in this report. Threat Emulation evaluates files to identify malicious behavior before infiltrating an end user’s network, effectively detecting unknown threats and zero-day vulnerabilities. When integrated with Harmony Endpoint, which conducts real-time file analysis, Threat Emulation reviews each file, enabling users to access a secure version almost instantly while the original file is thoroughly examined. This proactive approach enhances security by providing quick access to safe content and systematically identifying and mitigating potential threats, thereby safeguarding the integrity of the network.
For a comprehensive analysis of WezRat, read Check Point Research’s in-depth report here.
Protection names:
Harmony Endpoint
- Win.FakeChrome.B
Threat Emulation
- Wins.FakeUpdater.A