Iranian OilRig Targets Iraqi Government Networks with Sophisticated Attack

By Cedric Nelson · 3 min read

The Iraqi government has recently become the target of a highly sophisticated cyberattack campaign orchestrated by the Iranian state-sponsored threat actor, OilRig. According to a new analysis from cybersecurity firm Check Point, the attacks specifically targeted high-profile organizations such as the Prime Minister's Office and the Ministry of Foreign Affairs.

OilRig, also known as APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm, and Helix Kitten, is a well-known Iranian cyber group linked to the Ministry of Intelligence and Security (MOIS). The group has been active since at least 2014, conducting phishing campaigns throughout the Middle East and deploying custom backdoors to steal information.

In this latest campaign, OilRig deployed two newly identified malware families, Veaty and Spearal, both able to execute PowerShell commands and steal sensitive files. Their command-and-control (C2) methods were the campaign's most distinctive feature: Spearal uses a custom DNS tunneling protocol, while Veaty uses an email-based C2 channel that runs through compromised mailboxes inside the targeted organizations. Relying on the victims' own email accounts for C2 shows that OilRig already had a foothold in Iraqi government networks by the time these channels were set up.

Check Point's analysis revealed that OilRig’s tactics, techniques, and procedures (TTPs) in this campaign were consistent with previous operations. The group has often used email-based C2 channels, compromising email accounts to issue commands and exfiltrate data via backdoors such as Karkoff, MrPerfectionManager, and PowerExchange.

The attack began with deceptive files disguised as legitimate documents, with names such as "Avamer.pdf.exe" and "IraqiDoc.docx.rar". The double extension exploits Windows Explorer's default of hiding known file extensions, so "Avamer.pdf.exe" appears in a file listing as "Avamer.pdf". Once opened, these files launched intermediate PowerShell or PyInstaller scripts that deployed the Veaty and Spearal malware. The infection chain most likely relied on social engineering to persuade victims to open the files.

Spearal, a .NET backdoor, communicates with its C2 server over DNS tunneling: the data is encoded with a custom Base32 scheme and carried in the subdomain labels of DNS queries for an attacker-controlled domain. Because those queries travel through the organization's normal recursive resolvers, the implant never needs a direct connection to the C2 server, and the traffic is hard to tell apart from ordinary DNS unless query names are logged and analysed. The malware executes PowerShell commands, reads file contents and sends the results back to its server; it also retrieves data from the C2 server and writes it to files on the infected host.
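To make the DNS-tunneling mechanism concrete, here is an added example (not Check Point's analysis code and not Spearal itself) that builds tunnel-style queries from a payload, reassembles them on the "C2" side, and then runs a simple detector over constructed resolver log lines. It assumes the standard RFC 4648 Base32 alphabet, a hypothetical `<timestamp> <client> <qtype> <qname>` log format, a fictional C2 domain `c2-example.net`, and the entropy and length thresholds shown; Spearal's actual custom alphabet and framing are not given in the article.

```python
import base64
import math
from collections import defaultdict

# Added example, not Check Point's or OilRig's code. RFC 4648 Base32 alphabet;
# the article says Spearal uses a *custom* Base32 scheme whose alphabet is not
# given, so the standard alphabet is an assumption used only for sample traffic.
B32_ALPHABET = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def encode_as_queries(payload: bytes, parent: str, chunk: int = 40) -> list[str]:
    """Implant side: Base32 the payload, drop '=' padding (illegal in a
    hostname), and emit one query name per chunk with a sequence label so the
    C2 can reorder chunks and no two queries are answered from resolver cache."""
    enc = base64.b32encode(payload).decode("ascii").rstrip("=")
    return [f"{enc[i:i + chunk]}.{i // chunk}.{parent}" for i in range(0, len(enc), chunk)]


def decode_queries(qnames: list[str]) -> bytes:
    """C2 side: order chunks by sequence label, restore padding, decode."""
    chunks = {}
    for q in qnames:
        data, seq = q.split(".")[:2]
        chunks[int(seq)] = data
    enc = "".join(chunks[i] for i in sorted(chunks))
    return base64.b32decode(enc + "=" * (-len(enc) % 8))


def shannon_entropy(s: str) -> float:
    """Bits per character; Base32-encoded bytes sit near the 5-bit maximum,
    ordinary hostnames sit well below it."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str, levels: int = 2) -> str:
    """Crude registrable-domain extraction (no public-suffix list): last two labels."""
    return ".".join(qname.rstrip(".").lower().split(".")[-levels:])


def is_tunnel_like_label(label: str, min_len: int = 20, min_entropy: float = 2.5) -> bool:
    """Suspicious when long, drawn entirely from the Base32 alphabet and
    high-entropy. Thresholds are assumptions to tune against your own DNS."""
    up = label.upper()
    return (
        len(up) >= min_len
        and all(ch in B32_ALPHABET for ch in up)
        and shannon_entropy(up) >= min_entropy
    )


def find_tunnel_domains(log_lines: list[str], min_unique: int = 5) -> dict[str, int]:
    """Parse '<ts> <client> <qtype> <qname>' lines and return parent domains
    that received at least min_unique distinct tunnel-like first labels."""
    suspicious = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # hypothetical format; skip anything malformed
        qname = fields[3].rstrip(".")
        first_label = qname.split(".")[0]
        if is_tunnel_like_label(first_label):
            suspicious[parent_domain(qname)].add(first_label)
    return {d: len(s) for d, s in suspicious.items() if len(s) >= min_unique}


# Constructed, fictional command output of the kind an implant might exfiltrate.
PAYLOAD = (
    b"whoami: iq\\gov-user\r\n"
    b"hostname: WS-0412\r\n"
    b"dir C:\\Users\\gov-user\\Documents\r\n"
    b" 2024-09-01  09:12   12,288  Budget-draft.xlsx\r\n"
    b" 2024-09-01  09:15   48,512  Minutes-2024-08.docx\r\n"
)

# Constructed resolver log: three benign lookups followed by the tunnel queries.
SAMPLE_LOG = [
    "2024-09-01T10:00:01Z 10.1.2.33 A www.example.com",
    "2024-09-01T10:00:02Z 10.1.2.33 A mail.example.com",
    "2024-09-01T10:00:03Z 10.1.2.33 AAAA cdn-static.example.com",
] + [
    f"2024-09-01T10:00:{4 + i:02d}Z 10.1.2.33 TXT {q}"
    for i, q in enumerate(encode_as_queries(PAYLOAD, "c2-example.net"))
]

if __name__ == "__main__":
    for domain, n in find_tunnel_domains(SAMPLE_LOG).items():
        print(f"{domain}: {n} distinct tunnel-like labels")
```

The detector keys on volume of distinct high-entropy labels per parent domain rather than on any single query, which is what separates a tunnel from an occasional odd-looking hostname. Expect false positives from legitimate products that encode lookups in DNS (some anti-malware reputation services do this); whitelist those parents and pair the heuristic with query-type and NXDOMAIN-rate statistics before alerting.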

Veaty, also written in .NET, uses compromised email accounts within the gov-iq.net domain for C2 communications, so its traffic blends in with the organization's legitimate mail flow. It downloads files, runs PowerShell scripts, and lets the operators upload files to and download files from the compromised system.

Check Point's investigation also uncovered an SSH tunneling backdoor and an HTTP-based backdoor, CacheHttp.dll, that targets Microsoft Internet Information Services (IIS) servers. CacheHttp.dll inspects incoming web requests and executes commands only when specific conditions are met, so ordinary requests to the server are handled as usual.

Check Point noted that this campaign demonstrates Iran’s sustained and deliberate efforts to disrupt and infiltrate government infrastructure in the region. The deployment of custom DNS tunneling protocols and email-based C2 mechanisms underscores the sophistication of OilRig’s cyberattacks.

 


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067