Malware Spotlight: In-Depth Analysis of WezRat

Summary:

Check Point Research (CPR) analyzes WezRat, a custom modular infostealer attributed to the Iranian cyber group Emennet Pasargad. The malware, which has been active for over a year, was recently distributed via phishing emails impersonating the Israeli National Cyber Directorate. WezRat can execute various commands, including keylogging and file uploads, and has evolved significantly over time.

Key points:

  • WezRat is a custom modular infostealer linked to the Iranian cyber group Emennet Pasargad.
  • The malware has been active for over a year and has not been publicly analyzed until now.
  • Recent phishing campaigns impersonated the Israeli National Cyber Directorate to distribute WezRat.
  • WezRat can execute commands, take screenshots, perform keylogging, and steal clipboard content.
  • The malware architecture has evolved, with additional modules and backend infrastructure changes.
  • WezRat’s backend was partially analyzed, revealing potential separate developers and operators.
  • The malware uses a command and control (C&C) server for communication and command execution.
  • Various DLL modules are utilized for specific functionalities, enhancing the malware’s stealth and capability.
  • Check Point provides protective measures against the threats posed by WezRat.

MITRE Techniques

  • Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
  • Credential Dumping (T1003): Collects user credentials from the infected system.
  • Data Encrypted (T1022): Encrypts data before exfiltration to evade detection.
  • Exploitation of Remote Services (T1210): Exploits vulnerabilities in remote services to gain access.
  • Phishing (T1566): Uses deceptive emails to trick users into downloading malware.

IoC:

  • [domain] il-cert[.]net
  • [domain] connect.il-cert[.]net
  • [ip address] 46.249.58[.]136
  • [email] alert@il-cert[.]net
  • [file name] Google Chrome Installer.msi
  • [file hash] 6b0d7b2e422a93e81ceed3645d36dd40
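
A defender's first use of this list is to sweep existing telemetry for any of these values. The following is an added example, not part of the Check Point Research write-up: it refangs the indicators exactly as listed above, compiles a token-aware matcher per indicator type (so that a subdomain of il-cert.net is a hit but 146.249.58.136 is not), and runs it over a handful of constructed DNS, mail-gateway, EDR and proxy log lines. The log lines are made up for the demonstration; only the indicator values come from the page.

```python
"""Hunt for the WezRat IoCs listed above in line-oriented logs.

Added example (not part of the Check Point Research write-up). The IoC
values are the ones on this page; the log lines are constructed samples.
"""
import re

# IoCs exactly as listed on the page, still defanged.
DEFANGED_IOCS = {
    "domain": ["il-cert[.]net", "connect.il-cert[.]net"],
    "ip": ["46.249.58[.]136"],
    "email": ["alert@il-cert[.]net"],
    "filename": ["Google Chrome Installer.msi"],
    "md5": ["6b0d7b2e422a93e81ceed3645d36dd40"],
}


def refang(value: str) -> str:
    """Undo the usual '[.]' / 'hxxp' defanging so the value can be matched as-is."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def build_matchers(iocs=DEFANGED_IOCS):
    """Compile one case-insensitive regex per IoC kind.

    Domains also match any subdomain (connect.il-cert.net hits il-cert.net);
    IPs and hashes must appear as whole tokens so 146.249.58.136 is not a hit.
    """
    matchers = {}
    for kind, values in iocs.items():
        alternatives = []
        for value in values:
            plain = re.escape(refang(value))
            if kind == "domain":
                alternatives.append(r"(?<![\w.-])(?:[\w-]+\.)*" + plain + r"(?![\w-])")
            elif kind == "ip":
                alternatives.append(r"(?<![\w.])" + plain + r"(?![\w.])")
            elif kind == "md5":
                alternatives.append(r"\b" + plain + r"\b")
            else:  # email address, file name: a literal match is enough
                alternatives.append(plain)
        matchers[kind] = re.compile("|".join(alternatives), re.IGNORECASE)
    return matchers


def scan(lines, matchers=None):
    """Return {line_index: [(kind, matched_text), ...]} for lines with at least one hit."""
    matchers = matchers or build_matchers()
    hits = {}
    for idx, line in enumerate(lines):
        found = [(kind, m.group(0)) for kind, rx in matchers.items() for m in rx.finditer(line)]
        if found:
            hits[idx] = found
    return hits


# Constructed sample log lines (not real telemetry): DNS, mail gateway, EDR, proxy.
SAMPLE_LOGS = [
    "2024-11-12T09:14:02Z dns client=10.0.0.23 query=connect.il-cert.net type=A",
    '2024-11-12T09:10:41Z smtp from=alert@il-cert.net to=user@example.org subject="Security update"',
    '2024-11-12T09:12:17Z edr host=WS-17 file="C:\\Users\\u\\Downloads\\Google Chrome Installer.msi" md5=6B0D7B2E422A93E81CEED3645D36DD40',
    "2024-11-12T09:13:55Z proxy client=10.0.0.23 dst=46.249.58.136:443 method=CONNECT",
    "2024-11-12T09:15:00Z dns client=10.0.0.24 query=mail.example.org type=A",
    "2024-11-12T09:15:03Z proxy client=10.0.0.24 dst=146.249.58.136:443 method=CONNECT",
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: {found}")
```

Run as a script it prints the four matching lines; in practice replace SAMPLE_LOGS with the lines of a real log file. Note that the mail-gateway line is reported twice, once as an email hit and once as a domain hit, which is the intended behaviour: the sender domain alone is worth a look even where the exact address differs.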
Full Research: https://research.checkpoint.com/2024/wezrat-malware-deep-dive/