Researchers Detail WezRat, Known for Executing Attackers' Commands


New details about WezRat have recently been uncovered by security researchers.

WezRat is a remote access trojan (RAT) associated with the Iranian cyber group "Emennet Pasargad."


This group, which has operated under various aliases including Aria Sepehr Ayandehsazan (ASA), is linked to the Iranian Islamic Revolutionary Guard Corps (IRGC).

The FBI, the US Department of the Treasury, and the Israeli National Cyber Directorate (INCD) jointly released a Cybersecurity Advisory on the group on October 30, 2024.

Phishing email sent to Israeli recipients (Source – Check Point)

Check Point Research notes that the advisory highlights several of Emennet Pasargad's recent operations:

  • Mid-2023: Hacked a Swedish SMS service to distribute messages related to Quran burnings
  • December 2023: Compromised a US-based IPTV streaming company to broadcast messages about the Israel-Hamas conflict
  • Mid-2024: Launched a cyber-enabled disinformation campaign during the Summer Olympics, targeting Israeli athletes


WezRat Analysis

Check Point Research identified the latest version of WezRat being distributed through a large-scale phishing campaign that impersonates the INCD and targets Israeli organizations.

Infection chain (Source – Check Point)

Key features of WezRat include:

  1. Written in C++
  2. Obfuscated with OLLVM (Obfuscator-LLVM) to hinder static analysis
  3. Collects system information, including the IP address, computer name, and username
  4. Communicates with its command and control (C2) servers using encrypted commands
  5. Supports a range of commands, including file upload, screenshot capture, and keylogging

WezRat has undergone significant development since its earliest known version, dated August 2023. Its capabilities have expanded to include:

  • Persistence mechanisms
  • Screenshot functionality
  • Keylogging
  • Clipboard data exfiltration
  • Browser cookie theft
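The cookie-theft capability listed above is one of the few WezRat behaviours a defender can watch for generically: a process that is not a browser opening a browser's cookie store. The following is an added detection example, not code from Check Point's report or from WezRat itself. It runs over a constructed, simplified file-access record format (process image plus target path, as an EDR or Sysmon-style file-access event would provide); the field names, sample paths and the `update.exe` image are assumptions for illustration, not indicators taken from the campaign.

```python
"""Flag non-browser processes that touch browser cookie databases.

Added example for illustration. The event format is a constructed,
simplified file-access record ({"image": ..., "target": ...}), not any
specific EDR schema, and the sample events below are invented.
"""
import re
from typing import Iterable

# Default cookie-store locations for common Chromium-based browsers and
# Firefox on Windows. Each pattern allows any profile directory name
# ("Default", "Profile 1", "abc123.default-release", ...). Newer Chromium
# builds keep the SQLite file under a "Network" subdirectory, so that
# path component is optional.
COOKIE_DB_PATTERNS = [
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    re.compile(r"\\BraveSoftware\\Brave-Browser\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.I),
]

# Process images that are expected to open those files (lowercase basenames).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}


def is_cookie_db(path: str) -> bool:
    """True if the path points at a known browser cookie database."""
    return any(p.search(path) for p in COOKIE_DB_PATTERNS)


def image_basename(image: str) -> str:
    """Lowercase file name of a process image path (either slash style)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_cookie_theft(events: Iterable[dict]) -> list:
    """Return the events in which a non-browser process accessed a cookie DB.

    Each event is a dict with at least "image" (process executable path)
    and "target" (file path that was opened or copied).
    """
    hits = []
    for ev in events:
        if not is_cookie_db(ev["target"]):
            continue
        if image_basename(ev["image"]) in BROWSER_IMAGES:
            continue  # the browser itself is expected to open its own store
        hits.append(ev)
    return hits


# Constructed sample events (not from a real incident). The "update.exe"
# image is an invented stand-in for an unknown process, not a WezRat IOC.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"image": r"C:\Users\alice\AppData\Roaming\svc\update.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
    {"image": r"C:\Users\alice\AppData\Roaming\svc\update.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\cookies.sqlite"},
]

if __name__ == "__main__":
    for hit in find_cookie_theft(SAMPLE_EVENTS):
        print(f"ALERT: {hit['image']} accessed {hit['target']}")
```

In production the browser allowlist should be keyed on a verified signer or full image path rather than the basename alone, since a dropper can simply name itself `chrome.exe`; backup agents and forensic tools are the usual benign sources of hits and should be excluded explicitly rather than by widening the allowlist.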

The researchers also gained insight into WezRat's backend infrastructure, revealing that it was:

  • Initially written in JavaScript for Node.js, backed by a MySQL database
  • Migrated to Kestrel (the ASP.NET Core web server) around March 2024
  • Possibly maintained by separate development and operations teams

WezRat represents a significant threat in the cyber espionage landscape. Its ongoing development and refinement demonstrate Emennet Pasargad’s commitment to maintaining a versatile and evasive tool for cyber operations.

The group’s activities pose a risk not only to direct political adversaries but also to any entities that may influence Iran’s international or domestic narrative.

As WezRat continues to evolve, cybersecurity professionals and organizations must remain vigilant and adapt their defenses to counter this sophisticated malware threat.



