Security researchers at Check Point Research have identified a new remote access trojan, WezRat, attributed to the Iranian state-linked group Cotton Sandstorm (also tracked as Emennet Pasargad or Aria Sepehr Ayandehsazan).
Key Features of WezRat:
– Remote command execution
– Screenshot capture
– File upload/download capabilities
– Keylogging
– Clipboard and cookie theft
– Modular design: most functions ship as separate DLL modules rather than in the main executable, so a single captured sample does not reveal the full feature set
Distribution Method:
The malware is primarily distributed through phishing emails that pose as a Google Chrome security update. In October 2024, Israeli organizations received emails impersonating the Israeli National Cyber Directorate (INCD) that urged recipients to install the supposed update; the download was a trojanized Chrome installer.
Technical Details:
– Delivered via a trojanized Google Chrome installer that installs the genuine browser, so the victim sees a normal installation
– The installer drops and launches “Updater.exe”, the WezRat backdoor, alongside the legitimate Chrome installation
– Communicates with command-and-control (C2) servers for tasking and module delivery
– Must be launched with a specific password (and the C2 address) as command-line parameters; without the expected password it does not run, which complicates automated and sandbox analysis
– Under active development: samples date back to at least September 2023, and capabilities have been added since
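One way to hunt for the dropper behaviour described above is to look for an Updater.exe that is not Google-signed and was started with a host-style argument plus a further token. The following is an added example, not code from the original report or Check Point's detection logic; it assumes EDR-style process-creation records with the field names shown (image, parent_image, command_line, signer), and the argument pattern (host plus password token) is an assumption drawn from the page's description, not a published indicator.

```python
"""Hunt for an unsigned Updater.exe launched with C2-style arguments.

Added example (not Check Point's or the malware's own code). The event
records below are constructed, and the field names (image, parent_image,
command_line, signer) are assumptions that must be mapped onto your own
EDR or Sysmon process-creation schema. The argument shape (a host plus a
free-form password token) is likewise an assumption drawn from the page's
description, not a published indicator.
"""
import re
import shlex
from pathlib import PureWindowsPath

# Assumption: a genuine Google updater binary carries a Google Authenticode signature.
TRUSTED_SIGNERS = {"google llc"}

# A bare hostname or IPv4 literal, optionally with :port, as a command-line argument.
HOST_RE = re.compile(
    r"^(?:(?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?$", re.I
)


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    if not cmdline:
        return []
    # posix=False keeps backslashes literal; strip the quotes shlex leaves on tokens.
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def is_suspicious_updater(event):
    """True when an Updater.exe is not Google-signed and was started with a
    host argument plus at least one more token, the launch pattern the page
    describes (C2 address and password) for the WezRat backdoor."""
    if PureWindowsPath(event["image"]).name.lower() != "updater.exe":
        return False
    if (event.get("signer") or "").lower() in TRUSTED_SIGNERS:
        return False  # Google's own updater: not the binary we are hunting
    args = split_cmdline(event.get("command_line", ""))[1:]  # drop argv[0]
    has_host = any(HOST_RE.match(a) for a in args)
    return has_host and len(args) >= 2


def hunt(events):
    """Return the ids of events that match the heuristic."""
    return [e["id"] for e in events if is_suspicious_updater(e)]


# Constructed sample records; paths, hosts and the password token are invented.
SAMPLE_EVENTS = [
    {   # dropped by an MSI installer and launched with host + password token
        "id": 1,
        "image": r"C:\Users\alice\AppData\Local\Temp\Chrome\Updater.exe",
        "parent_image": r"C:\Windows\System32\msiexec.exe",
        "command_line": r'"C:\Users\alice\AppData\Local\Temp\Chrome\Updater.exe" connect.example.test:8765 s3cr3tpw',
        "signer": None,
    },
    {   # Google's real updater: same file name, but signed
        "id": 2,
        "image": r"C:\Program Files (x86)\Google\GoogleUpdater\1.2.3\updater.exe",
        "parent_image": r"C:\Windows\System32\services.exe",
        "command_line": r'"C:\Program Files (x86)\Google\GoogleUpdater\1.2.3\updater.exe" --wake',
        "signer": "Google LLC",
    },
    {   # unsigned updater.exe of some other tool, no host-style argument
        "id": 3,
        "image": r"C:\Tools\updater.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'"C:\Tools\updater.exe" --check-now',
        "signer": None,
    },
]

if __name__ == "__main__":
    print("suspicious event ids:", hunt(SAMPLE_EVENTS))
```

The heuristic keys on the combination of file name, missing Google signature and argument shape rather than on the name alone, because Google's own updater also ships as updater.exe. Tune TRUSTED_SIGNERS and the argument check to your environment, and treat a hit as a lead for triage (pull the binary, check its parent installer, inspect the host argument) rather than as a verdict.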
Security Impact:
WezRat poses a significant cyber espionage threat to organizations across:
– United States
– Europe
– Middle East
The malware’s ongoing development and broad feature set indicate a well-resourced operation, with at least two separate teams handling development and operations respectively, and reflect Iran’s continued investment in offensive cyber capabilities.