
Spotlight on Iranian Cyber Group Emennet Pasargad’s Malware

Executive Summary


Check Point Research delved into the custom modular infostealer known as WezRat after the FBI, the US Department of Treasury, and the Israeli National Cybersecurity Directorate issued a joint Cybersecurity Advisory about the campaign. The latest version of WezRat was recently distributed to multiple Israeli organizations in a wave of emails impersonating the Israeli National Cyber Directorate (INCD). In the advisory, the attack was attributed to the Iranian cyber group Emennet Pasargad, a group already notorious for its alarming cyber operations across the globe, including attacks on targets in the US, France, Sweden, and Israel.

This post will explore the capabilities of WezRat, the implications of its modular design, and the ongoing investigations into its origin and operation.


The History of Cyber Group Emennet Pasargad

Cyber defense organizations have monitored the Iranian cyber group Emennet Pasargad for several years. The group has operated under numerous names and is connected to the Iranian Islamic Revolutionary Guard Corps (IRGC). Historically, Emennet Pasargad has conducted operations that have affected multiple countries, including the United States, France, Israel, and Sweden.

The following is a timeline of some of these activities:


Emennet Pasargad Continues to Enhance WezRat Version

On October 21, 2024, numerous emails impersonating the Israeli National Cyber Directorate (INCD) were dispatched to Israeli organizations. These messages, originating from a fake email address, urged recipients to update their Chrome browser immediately.

Example of a phishing email sent to Israeli organizations

The custom infostealer was identified in a joint Cybersecurity Advisory by the FBI, the US Department of Treasury, and the INCD and was attributed to Emennet Pasargad.


Check Point Research Analyzes the Malware

Once identified, Check Point Research tracked and analyzed the custom infostealer, naming it WezRat. Earlier versions of WezRat date back to August 2023 and are also attributed to the same group, Emennet Pasargad.


The phishing email contained a link to the legitimate INCD site that redirected to a fake site. When victims clicked the link, they downloaded a file that included the genuine Google Chrome installer but also created a backdoor. This backdoor was executed with specific instructions, and a registry entry named “Chrome Updater” was added for future execution.

The phishing email contained a link that seemed to direct users to the official INCD site, but it led to a deceptive lookalike domain. Once there, victims would automatically download a file named “Google Chrome Installer,” after which they would be redirected to the genuine INCD website.

The downloaded package, Google Chrome Installer, contained the legitimate Google Chrome installer and related files, but it also contained the latest version of WezRat, a backdoor named Updater.exe.

Infection chain delivering WezRat
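The persistence step described above (a registry entry named “Chrome Updater” that launches Updater.exe) is something a defender can hunt for in registry telemetry. The following is an added example, not Check Point's or the advisory's code: it parses constructed Sysmon-style registry-write lines and flags autorun entries matching that pattern. It assumes the entry is written under a CurrentVersion\Run key, which the post does not state, and the sample lines and paths are invented for illustration.

```python
import re
from typing import Dict, List

# Constructed sample lines in a simplified Sysmon Event ID 13 (registry value
# set) style. They are illustrative only, not telemetry from the real campaign.
SAMPLE_EVENTS = [
    'EventID=13 Image=C:\\Users\\victim\\Downloads\\Updater.exe '
    'TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Chrome Updater '
    'Details=C:\\Users\\victim\\AppData\\Local\\Updater.exe',
    'EventID=13 Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe '
    'TargetObject=HKU\\S-1-5-21-1\\Software\\Google\\Chrome\\PreferenceMACs\\Default '
    'Details=abc123',
    'EventID=13 Image=C:\\Windows\\System32\\svchost.exe '
    'TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive '
    'Details=C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background',
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")          # Key=Value pairs; values may contain spaces
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)  # assumed autorun location

def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key=Value Key=Value' line into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}

def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons (if any) this registry write deserves triage."""
    reasons: List[str] = []
    m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
    if not m:
        return reasons  # only writes to the Run key are of interest here
    value_name = m.group(1)
    if value_name.lower() == "chrome updater":
        reasons.append('Run value named "Chrome Updater" (name reported for WezRat persistence)')
    target = ev.get("Details", "").lower()   # command the autorun entry will launch
    writer = ev.get("Image", "").lower()     # process that wrote the entry
    if target.endswith("updater.exe") or writer.endswith("updater.exe"):
        reasons.append("autorun entry created by or pointing at Updater.exe")
    if "chrome" in value_name.lower() and "\\google\\chrome\\" not in target:
        reasons.append("Chrome-themed autorun whose target is outside Chrome's install path")
    return reasons

def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Run check_event over every line and collect the suspicious ones."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = check_event(ev)
        if reasons:
            findings.append({"target": ev.get("TargetObject"), "reasons": reasons})
    return findings
```

Only the first constructed line is flagged; the legitimate Chrome preference write and the OneDrive autorun pass, which is the false-positive check worth keeping when adapting the rules to real telemetry.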

Analysis by Check Point Research revealed that WezRat can execute commands, take screenshots, upload files, perform keylogging, and steal clipboard content and cookie files. Certain functions are executed by individual modules downloaded from the command and control (C&C) server in the form of DLL files, making the backdoor’s primary component appear less suspicious. Further analysis uncovered partial source code for the WezRat backend. Upon investigation, Check Point Research found evidence suggesting that different groups may be responsible for the malware: one group for development and another for operation of WezRat. Typically, one attacker both develops and operates the tool, but in this case, it is clear that an organization with both development and operational departments is behind the malware.

Enhancing Cybersecurity: The Evolving Threat Landscape and Proactive Defenses

The continuous enhancement and improvement of WezRat demonstrate a strong commitment to maintaining a flexible and elusive framework for cyber espionage. Emennet Pasargad’s operations span targets in the United States, Europe, and the Middle East, posing risks not only to direct political opponents but also to any individual or group that shapes Iran’s international or domestic narrative.

Check Point Threat Emulation and Harmony Endpoint deliver robust protection against diverse attack tactics, file types, and operating systems, defending against the threats detailed in this report. Threat Emulation evaluates files to identify malicious behavior before they can reach an end user’s network, effectively detecting unknown threats and zero-day vulnerabilities. When integrated with Harmony Endpoint, which conducts real-time file analysis, Threat Emulation reviews each file, enabling users to access a secure version almost instantly while the original file is thoroughly examined. This proactive approach enhances security by providing quick access to safe content and systematically identifying and mitigating potential threats, thereby safeguarding the integrity of the network.

For a comprehensive analysis of WezRat, read Check Point Research’s in-depth report here.

Protection names:

Harmony Endpoint

Threat Emulation
