Cyber researchers have discovered a new remote access trojan and information stealer used by Iranian state-sponsored actors to conduct reconnaissance of compromised endpoints and execute malicious commands.
The malware was first documented late last month by U.S. and Israeli cybersecurity agencies, describing it as an “exploitation tool for gathering information about an end point and running remote commands.”
Cybersecurity company Check Point has codenamed the malware WezRat, stating it has been detected in the wild since at least September 1, 2023, based on artifacts uploaded to the VirusTotal platform.
“WezRat can execute commands, take screenshots, upload files, perform keylogging, and steal clipboard content and cookie files,” it said in a technical report. “Some functions are performed by separate modules retrieved from the command and control (C&C) server in the form of DLL files, making the backdoor’s main component less suspicious.”
WezRat is assessed to be the work of Cotton Sandstorm, an Iranian hacking group that’s better known under the cover names Emennet Pasargad and, more recently, Aria Sepehr Ayandehsazan (ASA).
The FBI, U.S. Department of the Treasury, and Israeli National Cybersecurity Directorate (INCD) jointly released a Cybersecurity Advisory on October 30th.
Cybersecurity analysts at Check Point observed that the advisory highlights Emennet Pasargad's recent operations:
- Mid-2023: Hacked a Swedish SMS service to distribute messages related to Quran burnings
- December 2023: Compromised a US-based IPTV streaming company to broadcast messages about the Israel-HAMAS conflict
- Mid-2024: Launched a cyber-enabled disinformation campaign during the Summer Olympics, targeting Israeli athletes
Check Point Research has identified the latest version of WezRat being distributed through a large-scale phishing campaign impersonating the INCD and targeting Israeli organizations.