Threats Feed | Emennet Pasargad | Last Updated: 24/01/2025 | Author: Certfa Radar | Publish Date: 14/11/2024

Fake Chrome Updates and Modular Malware: The WezRat Threat

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Spear Phishing
  • Attack Complexity: High
  • Threat Risk: Low Impact/High Probability

Threat Overview

WezRat is modular malware attributed to the Iranian group Emennet Pasargad. It has been used against organizations in Israel, the US, France, and Sweden across sectors including telecommunications, streaming services, and athletics. The malware was delivered through phishing campaigns impersonating the Israeli National Cyber Directorate (INCD); the most recent campaign used a fake Chrome update lure against Israeli entities. Once installed, WezRat's modules provide data theft, command execution, and surveillance of the host. Beyond malware, the group has run disinformation campaigns and compromised SMS services, IPTV systems, and public display providers to broadcast propaganda. WezRat relies on obfuscation, persistence mechanisms, and command-and-control (C&C) communication to evade detection and retain control of infected hosts.

Detected Targets

Type     Description     Confidence
Region   France          Verified
Region   Israel          Verified
Region   Sweden          Verified
Region   United States   Verified

Extracted IOCs

  • il-cert[.]net
  • onlinelive[.]info
  • connect.il-cert[.]net
  • 26f66196c463e6ec1f224d9f87c1f75d868c94bba5c8502b6cbe806e06614377
  • 2cf3cd8b7df4e87ac17812511510a48be4a9546fed513b9204c7173364db7ae3
  • 4431b2a4d7758907f81fb1a0c1e36b2ce03e08d43123b1c398487770afd20727
  • 48a97f6aee23543909fc1b7341dff8aa0f1caba229d61d3b0de4e03df02b1ac0
  • 53055662aeca79a319c8c59194f25bae1b33eab1a39cf18e8daa3602fbca900e
  • 5c03ac7128fb6e8ad923897e3696e08c943f4c819e5c1bdbe3df2b5774692d3d
  • 5e33c4a38c05f52918ffd4e49fd2d1b1a771010466ceb19eaf378daa02f71700
  • 629dc03888412ae39d50cc17d5cbe579f2a99be03e6af2f071e68b7226f891d0
  • 66b08e55d11f49493118e8a6cab1bb5f1953b2a4784a38c64cf7ed02bf781713
  • 84366a894120d4a8c83411925ef04de52fa56da6fad0023a71f71a9bf21259ad
  • 898595a6646b94f9735442ae65deb5f5364eddf2a7008f66e9d7ee8b6c08c285
  • b96fad26fba197302fd11e1771e996387b7b23c2560e08f20c69069e173c7fa7
  • cf12b2043a05729839a29ff4bd23b4088888da1153ca81040a6c048417254a36
  • e1a5696dcae33657fd0aa2d1e7a36b84c4647975dab3063ac2f42c19dae0a5a1
  • e37b95bb9bee64cc0313eaad8a0269493745f89413bd78b58bb3b479b36084ae
  • 194[.]11.226.9
  • 194[.]4.49.175
  • 45[.]120.177.8
  • 45[.]143.167.87
  • 46[.]249.58.136

Tip: 23 IOCs related to this threat have been found (5 IP, 3 domain, 0 URL, 0 email, 15 file hash).
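The indicators above are published defanged (`[.]` in place of `.`), so they cannot be dropped straight into a SIEM query. The following script is an added example, not Certfa Radar's tooling and not code from the report: it refangs a subset of the IOCs listed on this page, classifies each as domain, IP, or SHA-256, and scans a handful of constructed DNS, proxy, and EDR-style log lines (invented for the example; the field names `query=`, `dst=`, `sni=`, `sha256=` are assumptions, not any vendor's schema). Domain matching is label-aligned, so a subdomain such as `connect.il-cert.net` matches the parent `il-cert.net`, but a look-alike such as `il-cert.net.example.org` does not.

```python
"""Refang IOCs from a threat-feed page and match them against log lines.

Added example; the IOC values are copied from the Certfa Radar list above,
the log lines and their field names are constructed for illustration.
"""
import ipaddress
import re

# Subset of the page's IOCs, exactly as published (defanged).
FEED_IOCS = """
il-cert[.]net
onlinelive[.]info
connect.il-cert[.]net
26f66196c463e6ec1f224d9f87c1f75d868c94bba5c8502b6cbe806e06614377
4431b2a4d7758907f81fb1a0c1e36b2ce03e08d43123b1c398487770afd20727
194[.]11.226.9
45[.]143.167.87
"""

# Constructed sample telemetry (not real logs). Field names are assumptions.
SAMPLE_LOGS = [
    "2024-11-12T09:14:02Z dns query=connect.il-cert.net type=A client=10.1.2.3",
    "2024-11-12T09:14:03Z dns query=update.google.com type=A client=10.1.2.3",
    "2024-11-12T09:14:05Z proxy dst=45.143.167.87:443 sni=connect.il-cert.net action=allow",
    "2024-11-12T09:15:40Z edr file=C:\\Users\\u\\Downloads\\Google Chrome.exe "
    "sha256=4431B2A4D7758907F81FB1A0C1E36B2CE03E08D43123B1C398487770AFD20727",
    "2024-11-12T09:16:00Z dns query=il-cert.net.example.org type=A client=10.1.2.9",
]

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# Candidate tokens: hostnames, IPs, hashes. ':' is excluded so 'ip:port' splits.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")


def refang(ioc: str) -> str:
    """Undo the common defanging conventions and normalise case."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def classify(ioc: str) -> str:
    """Return 'sha256', 'ip' or 'domain' for a refanged indicator."""
    if SHA256_RE.match(ioc):
        return "sha256"
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain"


def parse_feed(text: str) -> dict:
    """Turn the defanged feed text into sets of normalised indicators by type."""
    iocs = {"domain": set(), "ip": set(), "sha256": set()}
    for line in text.splitlines():
        line = line.strip().lstrip("•").strip()  # tolerate bullet markers
        if not line:
            continue
        value = refang(line)
        iocs[classify(value)].add(value)
    return iocs


def domain_matches(name: str, domains: set) -> bool:
    """True if name equals an IOC domain or is a subdomain of one.

    Label-aligned suffix check: 'il-cert.net.example.org' must NOT match
    'il-cert.net', while 'connect.il-cert.net' must.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def scan_logs(lines: list, iocs: dict) -> list:
    """Return sorted, de-duplicated (line_index, ioc_type, value) hits."""
    hits = set()
    for idx, line in enumerate(lines):
        for token in TOKEN_RE.findall(line):
            t = token.lower().rstrip(".")
            if t in iocs["sha256"]:
                hits.add((idx, "sha256", t))
            elif t in iocs["ip"]:
                hits.add((idx, "ip", t))
            elif "." in t and domain_matches(t, iocs["domain"]):
                hits.add((idx, "domain", t))
    return sorted(hits)


if __name__ == "__main__":
    feed = parse_feed(FEED_IOCS)
    for idx, kind, value in scan_logs(SAMPLE_LOGS, feed):
        print(f"line {idx}: {kind} match on {value}")
```

Running the script reports hits on lines 0, 2 (both the IP and the SNI) and 3 (hash, matched case-insensitively), and nothing on the look-alike domain in line 4. Swap `SAMPLE_LOGS` for a real log reader and `FEED_IOCS` for the full list above to use it as a quick retro-hunt.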

Overlaps

Emennet Pasargad | Emennet Pasargad Expands Tactics in Targeting Israel and Allied Nations

Source: FBI - October 2024

Detection (four shared IOCs): 45[.]143.167.87, 4431b2a4d7758907f81fb1a0c1e36b2ce03e08d43123b1c398487770afd20727, il-cert[.]net, onlinelive[.]info

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.