One Article Review

Source: RiskIQ
Identifier: 8614872
Publication date: 2024-11-20 16:15:55 (viewed: 2024-11-20 17:08:31)
Title: Malware Spotlight: A Deep-Dive Analysis of WezRat
Text:

## Snapshot

Check Point Research (CPR) conducted an in-depth analysis of WezRat, a custom modular infostealer attributed to the Iranian cyber group Emennet Pasargad (tracked by Microsoft as [Cotton Sandstorm](https://security.microsoft.com/intel-profiles/ecc605ea0b003737e9d5280fe1b1320c2eb56ce4e7e984d442939af56f310815)).

## Description

The malware was recently highlighted in a joint Cybersecurity Advisory by the FBI, the US Department of the Treasury, and the Israeli National Cyber Directorate (INCD). The advisory, which covers recent activities of Emennet Pasargad, attributes WezRat to that group, known for cyber operations targeting the US, France, Sweden, and Israel. The group most recently operates under the name Aria Sepehr Ayandehsazan (ASA) and is affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC).

The advisory details operations that have impacted several countries. In mid-2023, operating under the Anzu Team persona, the group hacked a Swedish SMS service and distributed messages calling for revenge against those responsible for the Quran burnings that took place throughout the year. In December 2023, operating as For-Humanity, the group gained unauthorized access to a U.S.-based IPTV streaming company to broadcast tailored messages about the Israel-Hamas conflict. In mid-2024, the group ran a cyber-enabled disinformation campaign during the Summer Olympics: it hacked a French display provider to show images denouncing the participation of Israeli athletes, and it sent threats to Israeli athletes under the banner of the fake far-right group Regiment GUD, impersonating the real French group GUD.
Throughout 2023 and 2024, the group carried out multiple influence operations in Israel using various cover personas, including Cyber Flood, Contact-HSTG, and Cyber Court. The latest version of WezRat was recently distributed to multiple Israeli organizations in a wave of emails impersonating the Israeli National Cyber Directorate (INCD).

The malware can execute commands, take screenshots, upload files, perform keylogging, and steal clipboard content and cookie files. Some of these functions are performed by separate modules retrieved from the command and control (C2) server as DLL files, which keeps the backdoor's main component less suspicious. Analysis of the malware versions led to the discovery of partial source code for the WezRat backend, and further investigation of WezRat and its backend suggests that different individuals may be responsible for its development and operation.

## Microsoft Analysis and Additional OSINT Context

[According to the Microsoft Threat Analysis Center (MTAC)](https://blogs.microsoft.com/on-the-issues/2023/05/02/dtac-iran-cyber-influence-operations-digital-threat/), Cotton Sandstorm has been observed leveraging cyber-enabled influence operations in addition to its traditional cyberattacks. Cotton Sandstorm has operated under the Iranian limited liability company Emennet Pasargad, more recently also referred to as Aria Sepehr Ayandehsazan (ASA), since August 2020, when it ran an election interference campaign impacting the United States. Cotton Sandstorm operators also created the Anzu Team persona to dox Swedish targets, specifically high-ranking government officials. MTAC tracks Anzu Team and has reported on its email-based influence operations campaign in the summer of 2023.
The email campaign extended beyond Sweden to other countries where Quran desecrations had taken place that year, to other countries in the Scandinavian region (e.g., Norway, Finland, and the Åland Islands, which lie between Sweden and Finland), and to other Western countries that are Iranian adversaries.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of activity associated with Cotton Sandstorm's operations.
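The one behaviour in this report that translates directly into a hunt is the modular loading described under Description: the main component stays small and pulls capability DLLs from the C2 server, so on the endpoint a process writes a DLL to disk and then loads it. The query below is an added example, not part of the RiskIQ, Microsoft or Check Point material, and it carries no WezRat indicators; it is a generic Microsoft Defender XDR advanced hunting query that pairs DLL writes in user-writable locations with image loads of the same DLL on the same device shortly afterwards. The table and column names are the documented advanced hunting schema; the 7-day lookback, 10-minute window, path filters and installer exclusion list are assumptions to tune per environment.

```kql
// Added hunting example, not from the article. Assumes the Microsoft Defender XDR
// advanced hunting schema (DeviceFileEvents, DeviceImageLoadEvents). The lookback,
// time window, path filters and exclusion list are tuning assumptions, not indicators.
let lookback = 7d;
let window = 10m;
let dllWrites =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("FileCreated", "FileModified", "FileRenamed")
    | where FileName endswith ".dll"
    // User-writable locations a downloaded module is likely to land in.
    | where FolderPath has_any (@"\Users\", @"\ProgramData\", @"\Temp\")
    // Processes that legitimately drop and then load DLLs (extend per environment).
    | where InitiatingProcessFileName !in~ ("msiexec.exe", "setup.exe", "OneDriveSetup.exe")
    | project DeviceId, DeviceName, WriteTime = Timestamp,
              DllName = tolower(FileName), WritePath = FolderPath,
              WriterPid = InitiatingProcessId, Writer = InitiatingProcessFileName,
              WriterCmd = InitiatingProcessCommandLine;
DeviceImageLoadEvents
| where Timestamp > ago(lookback)
| where FolderPath has_any (@"\Users\", @"\ProgramData\", @"\Temp\")
| project DeviceId, LoadTime = Timestamp, DllName = tolower(FileName),
          LoadPath = FolderPath, LoaderPid = InitiatingProcessId,
          Loader = InitiatingProcessFileName
// Same device, same DLL name: pair each load with a write that preceded it.
| join kind=inner dllWrites on DeviceId, DllName
| where LoadTime between (WriteTime .. (WriteTime + window))
// Strongest signal: the process that wrote the module is the one that loads it,
// which is what a loader fetching its own plugins from a C2 looks like.
| extend SelfLoad = (WriterPid == LoaderPid)
| project DeviceName, WriteTime, LoadTime, DllName, WritePath, LoadPath,
          Writer, WriterPid, WriterCmd, Loader, LoaderPid, SelfLoad
| order by SelfLoad desc, LoadTime desc
```

Expect noise from browsers, updaters and developer tooling, which also write and load DLLs in these paths; the `SelfLoad` column and the writer's command line are the first things to pivot on, and confirmed-benign writers belong in the exclusion list rather than in a broader path filter, so that a new loader in `%TEMP%` still surfaces.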
Tags: Spam, Malware, Tool, Vulnerability, Threat