Cybersecurity researchers have uncovered a new remote access trojan known as WezRat, deployed by Iranian state-sponsored groups to carry out reconnaissance on compromised systems and execute malicious commands. This malware has been identified in the wild since at least September 1, 2023, according to Check Point, a cybersecurity firm that has been closely monitoring its activity.

WezRat is capable of executing various functions, including taking screenshots, uploading files, keylogging, and stealing clipboard data and cookies. Its architecture relies on separate modules that are retrieved from a command and control (C&C) server, helping evade detection by making the primary component appear less suspicious.

The malware is associated with the hacking group popularly referred to as Cotton Sandstorm, which also operates under the aliases Emennet Pasargad and Aria Sepehr Ayandehsazan (ASA). U.S. and Israeli cybersecurity agencies first documented WezRat as a tool for gathering endpoint information and executing remote commands.

Details of the attack chains reveal that the hackers often use trojanized installers for Google Chrome, which also execute a second binary designed to gather system information and connect to a C&C server to receive further instructions. Recently, WezRat has been distributed through phishing emails that masquerade as communications from the Israeli National Cyber Directorate.

Check Point has noted that these phishing emails, sent on October 21, 2024, originated from a seemingly legitimate domain and urged recipients to urgently install a security update for Chrome.

The malware is executed with two parameters: the C&C server address and a password, both of which are required for it to function properly. Incorrect parameters could lead to malfunction or system crashes. Earlier iterations of WezRat had hard-coded server addresses and lacked the password requirement, limiting them to simple remote access without the advanced features.
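The two behaviours described above, an installer that spawns a second binary and a payload started with a server address plus a secret as its only arguments, can be turned into a simple behavioural detection over process-creation telemetry. The following is an added example written for this page; it is not code from Check Point or from the report, and the event layout, the installer name fragments, the trusted directories, the server-address pattern and every sample event are constructed assumptions, not indicators from the page.

```python
"""Behavioural heuristic over process-creation events (constructed example).

Flags a process whose parent looks like a browser installer and which is
started with exactly two positional arguments, the first resembling a server
address. Event fields mimic Sysmon Event ID 1 style data; all sample values,
paths, hosts and the password are made-up placeholders.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the spawning process
    image: str          # full path of the newly created process
    command_line: str   # command line of the newly created process


# Assumed installer name fragments (lower-cased substring match on the parent basename).
INSTALLER_HINTS = ("chromesetup", "chrome_installer", "googlechrome")

# Children under these assumed directories are treated as the legitimate install.
TRUSTED_CHILD_DIRS = (
    "c:\\program files\\google\\",
    "c:\\program files (x86)\\google\\",
)

# IPv4 address, dotted hostname or http(s) URL, with an optional port and path.
SERVER_RE = re.compile(
    r"^(?:https?://)?(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)"
    r"(?::\d{1,5})?(?:/\S*)?$",
    re.IGNORECASE,
)


def positional_args(command_line: str) -> list[str]:
    """Return the arguments after argv[0], dropping option-style tokens (--x, /x)."""
    tokens = shlex.split(command_line, posix=False)  # non-POSIX: backslashes stay literal
    args = [t.strip('"') for t in tokens[1:]]
    return [a for a in args if not a.startswith(("-", "/"))]


def looks_like_server(arg: str) -> bool:
    """True if the argument has the shape of a server address or URL."""
    return SERVER_RE.match(arg) is not None


def classify(ev: ProcessEvent) -> str | None:
    """Return a reason string when the event matches the heuristic, else None."""
    parent_name = ev.parent_image.lower().rsplit("\\", 1)[-1]
    if not any(hint in parent_name for hint in INSTALLER_HINTS):
        return None                      # parent is not an installer-looking process
    if ev.image.lower().startswith(TRUSTED_CHILD_DIRS):
        return None                      # child is the expected install location
    args = positional_args(ev.command_line)
    if len(args) == 2 and looks_like_server(args[0]):
        return f"installer {parent_name} spawned {ev.image} with server+secret style arguments"
    return None


def scan(events: list[ProcessEvent]) -> list[tuple[str, str]]:
    """Run classify() over all events and collect (image, reason) hits in order."""
    return [(ev.image, reason) for ev in events if (reason := classify(ev))]


# Constructed sample telemetry: one benign install, one suspicious spawn, two controls.
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Users\alice\Downloads\ChromeSetup.exe",
        r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility',
    ),
    ProcessEvent(
        r"C:\Users\alice\Downloads\ChromeSetup.exe",
        r"C:\Users\alice\AppData\Local\Temp\update.exe",
        r'"C:\Users\alice\AppData\Local\Temp\update.exe" 203.0.113.10 P@ssw0rd-placeholder',
    ),
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\notepad.exe",
        r'"C:\Windows\System32\notepad.exe" notes.txt',
    ),
    ProcessEvent(
        r"C:\Users\alice\Downloads\ChromeSetup.exe",
        r"C:\Users\alice\AppData\Local\Temp\helper.exe",
        r'"C:\Users\alice\AppData\Local\Temp\helper.exe" --silent',
    ),
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```

Only the second sample event is reported: its parent matches an installer name, the child lives outside the assumed install directories, and its command line carries exactly two positional arguments with an address-shaped first one. The fourth event shows the trade-off of the argument-count check: an unexpected child started with only a switch is not flagged, so in practice this rule would be one signal beside signer and hash checks on the child binary rather than a stand-alone verdict.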

Moreover, there are indications that multiple teams may be involved in the continued development and operation of WezRat, which points to an ongoing commitment to maintaining a versatile tool for cyber espionage.

The activities of Emennet Pasargad are not limited to regional targets; they pose a broader threat to entities across the United States, Europe, and the Middle East, affecting any organization or individual that could influence Iran’s narrative on the global stage.
