Key Detail | Information |
---|---|
Threat Actors | Emennet Pasargad (affiliated with IRGC), operating under aliases such as Aria Sepehr Ayandehsazan (ASA), Anzu Team, For-Humanity, and Regiment GUD. |
Campaign Overview | Iranian cyber group Emennet Pasargad has been using the WezRat backdoor for espionage and influence operations since mid-2023. Their operations target various countries, including the US, France, Israel, and Sweden. The group has conducted campaigns involving disinformation, hacking, and infostealer attacks. |
Target Regions (Or Victims) | United States, France, Israel, Sweden, and various entities with influence over Iran’s international or domestic narrative. |
Methodology | Spear-phishing emails impersonating official organizations (e.g., the INCD) that urge the recipient to install a fake Chrome update; the MSI installer delivered by the lure carries the backdoor (e.g., Updater.exe), which infects the host when the "update" is run. Distribution relies on look-alike domains and phishing campaigns aimed at Israeli organizations. |
Product Targeted | Google Chrome is impersonated in the fake-update lure (the browser itself is not exploited); the victims are Israeli organizations and various international entities with political influence. |
Malware Reference | WezRat (custom backdoor/infostealer); builds using different obfuscation techniques (OLLV) have also been observed. |
Tools Used | Phishing campaigns, fake update mechanisms, MSI installers, DLLs (SPITP.dll, TaskFlowUi.dll, JumpViewUi.dll, clp.dll, persist.dll), and custom malware backdoors. |
Vulnerabilities Exploited | No software vulnerability is cited; initial access relies on social engineering (phishing emails and fake update links). Once running, the backdoor is tasked over its C2 channel and loads DLL modules for command execution and persistence. |
TTPs | Phishing, fake update campaign, DLL-based malware deployment, persistence through registry keys, data exfiltration (e.g., clipboard data, screenshots, keylogging), and C2 communication via HTTP(S) and raw socket communication in some versions. |
Attribution | Emennet Pasargad (Iranian APT group, linked to IRGC), targeting adversaries and groups influencing Iranian politics and narratives. |
Recommendations | Organizations should implement email filtering, user education, and behavioral detection to identify phishing attempts. Ensure endpoint protection (e.g., Check Point Threat Emulation, Harmony Endpoint) is in place, and keep software up to date only through vendors' built-in update channels (the lure in this campaign is a fake Chrome update delivered by email, so users should never install an "update" from a link). Ensure proper network segmentation to limit the impact of a compromised endpoint. |
Source | FBI, US Department of Treasury, Israeli National Cybersecurity Directorate (INCD), Check Point Research. |
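The TTPs above (an MSI-dropped Updater.exe, DLL modules, Run-key persistence, HTTP(S) C2) lend themselves to a behavioral detection rather than a pure IOC match. The following Python is an added worked example, not code from Check Point Research or the source article: it correlates constructed Sysmon-style events per process and scores them. The DLL module names come from the summary; every path, PID, SID and address is constructed, and the event field names (`image`, `parent_image`, `image_loaded`, `target`) are simplified stand-ins for Sysmon's own fields.

```python
"""Toy behavioral correlation for the WezRat tradecraft summarised above.

Added example (not Check Point's or the article's code). Events are constructed
dicts that mimic Sysmon IDs 1 (process create), 7 (image load),
13 (registry value set) and 3 (network connect) with simplified field names.
"""
import ntpath
import re
from collections import defaultdict

# Module DLL names taken from the summary table; everything else is constructed.
WEZRAT_MODULE_DLLS = {"spitp.dll", "taskflowui.dll", "jumpviewui.dll", "clp.dll", "persist.dll"}

# User-writable location a dropped installer payload typically runs from.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# HKCU/HKU Run key used for logon persistence.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)

# Constructed sample telemetry: one malicious chain (PID 5208) and one benign process (PID 6001).
EVENTS = [
    {"id": 1, "pid": 4120, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 5208, "image": r"C:\Users\alice\AppData\Local\Temp\Updater.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe"},
    {"id": 7, "pid": 5208, "image_loaded": r"C:\Users\alice\AppData\Local\Temp\clp.dll"},
    {"id": 7, "pid": 5208, "image_loaded": r"C:\Users\alice\AppData\Local\Temp\persist.dll"},
    {"id": 13, "pid": 5208,
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 3, "pid": 5208, "dest": "203.0.113.10", "port": 443},
    {"id": 1, "pid": 6001, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 7, "pid": 6001, "image_loaded": r"C:\Windows\System32\kernel32.dll"},
    {"id": 3, "pid": 6001, "dest": "198.51.100.7", "port": 443},
]


def basename(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def _add(hit, points, reason):
    hit["score"] += points
    hit["reasons"].append(reason)


def correlate(events):
    """Return {pid: {"score": int, "reasons": [str, ...]}} for every PID seen."""
    state = defaultdict(lambda: {"score": 0, "reasons": []})
    for ev in events:
        hit = state[ev["pid"]]
        if ev["id"] == 1:
            # msiexec spawning a binary out of a user-writable path: an MSI dropped a payload.
            if basename(ev["parent_image"]) == "msiexec.exe" and USER_WRITABLE.match(ev["image"]):
                _add(hit, 3, "msiexec_child_user_path")
        elif ev["id"] == 7:
            name = basename(ev["image_loaded"])
            if name in WEZRAT_MODULE_DLLS:
                _add(hit, 2, f"known_module:{name}")      # IOC hit on a named WezRat module
            elif USER_WRITABLE.match(ev["image_loaded"]):
                _add(hit, 1, f"user_path_dll:{name}")     # weaker: any DLL loaded from AppData
        elif ev["id"] == 13 and RUN_KEY.search(ev["target"]):
            _add(hit, 2, "run_key_persistence")
        elif ev["id"] == 3 and ev["port"] in (80, 443):
            _add(hit, 1, f"network_out:{ev['port']}")      # HTTP(S) C2 looks like ordinary web traffic
    return dict(state)


def flag(events, threshold=5):
    """PIDs whose combined behavioral score reaches the threshold, sorted."""
    return sorted(pid for pid, hit in correlate(events).items() if hit["score"] >= threshold)


if __name__ == "__main__":
    for pid, hit in sorted(correlate(EVENTS).items()):
        print(pid, hit["score"], ", ".join(hit["reasons"]))
    print("flagged:", flag(EVENTS))
```

The module file names are the weakest signal here because the operator can rename them for the next build; the weight sits on the combination of an installer-spawned binary in a user-writable path, a Run-key write, and outbound HTTP(S), which survives a rename. The benign Chrome process in the sample only earns the network point and stays below the threshold.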
Disclaimer: The above summary has been generated by an AI language model.