Iranian state-sponsored hackers have launched a sophisticated cyber espionage campaign targeting Israeli organisations using an advanced malware tool called WezRat.
This remote access trojan (RAT) and information stealer has been attributed to the group Cotton Sandstorm, also known by the aliases Emennet Pasargad and Aria Sepehr Ayandehsazan (ASA). The campaign poses a significant threat not only to Israel but also to organisations in the United States, Europe, and the Middle East.
WezRat was first identified in September 2023 after malware samples were uploaded to the VirusTotal platform. Initially, the tool functioned as a basic RAT but has since undergone significant advancements to become a highly versatile espionage tool. Its capabilities include executing remote commands, capturing screenshots, logging keystrokes, stealing clipboard data, and exfiltrating browser cookies. Additionally, it can upload and download files from compromised systems, making it a formidable tool for cyber espionage.
The malware uses a modular design, relying on dynamic link libraries (DLLs) downloaded from a command-and-control (C&C) server to expand its functionality. This approach reduces the likelihood of detection, as the main component appears less suspicious. The malware communicates with its primary C&C server, “connect.il-cert[.]net,” using port 8765 and requires a specific password parameter for execution. Incorrect parameters can cause the malware to malfunction, further enhancing its stealth.
The distribution of WezRat demonstrates the hackers’ deceptive tactics. The malware is spread via phishing emails designed to impersonate the Israeli National Cyber Directorate (INCD). On October 21, 2024, emails from “alert@il-cert[.]net” urged recipients to install a fake Google Chrome security update. Victims who complied unknowingly downloaded a compromised installer, which deployed the legitimate browser alongside a malicious executable named “Updater.exe.” This secondary file was responsible for gathering system information and establishing contact with the C&C server for further commands.
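The C&C details and the phishing lure above give defenders a small set of indicators to hunt for. The following Python script is an added example, not part of the original article or any vendor tooling: it keeps the indicators in the article’s defanged form, refangs them for matching, and runs them over constructed mail and network records in an assumed key=value log format.

```python
import re
from typing import Iterable

# Indicators from the reporting above, kept in the article's defanged form.
# refang() turns them back into the literal strings that appear in logs.
C2_HOST_DEFANGED = "connect.il-cert[.]net"
C2_PORT = 8765
LURE_SENDER_DEFANGED = "alert@il-cert[.]net"
DROPPER_IMAGE = "updater.exe"


def refang(indicator: str) -> str:
    """Convert the '[.]' notation used in threat reporting into a matchable string."""
    return indicator.replace("[.]", ".")


# Assumed generic key=value log format for the constructed samples below.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict:
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def classify(line: str) -> list[str]:
    """Return the indicator names matched by one log line (empty if clean)."""
    f = parse_kv(line)
    hits = []
    if f.get("dst", "").lower() == refang(C2_HOST_DEFANGED):
        hits.append("c2_host")
    # Second, infrastructure-independent signal: the dropped binary beaconing on the C&C port.
    if f.get("dport") == str(C2_PORT) and f.get("proc", "").lower() == DROPPER_IMAGE:
        hits.append("dropper_beacon")
    if f.get("from", "").lower() == refang(LURE_SENDER_DEFANGED):
        hits.append("lure_sender")
    return hits


def scan(lines: Iterable[str]) -> list[tuple[str, list[str]]]:
    """Return (line, hits) for every line matching at least one indicator."""
    return [(line, h) for line in lines if (h := classify(line))]


# Constructed sample records (not real telemetry) in the assumed key=value format.
SAMPLE_LOGS = [
    'type=mail from=alert@il-cert.net to=user@example.test subject="Chrome security update"',
    'type=mail from=helpdesk@example.test to=user@example.test subject="Password expiry"',
    'type=net proc=Updater.exe dst=connect.il-cert.net dport=8765 action=allowed',
    'type=net proc=chrome.exe dst=update.googleapis.test dport=443 action=allowed',
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS):
        print(",".join(hits), "<-", line)
```

Domain and sender matches only catch the infrastructure named in this campaign, which is why the process-plus-port rule is included as a separate signal that survives a change of C&C hostname.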
Over time, WezRat has evolved significantly. Earlier versions were limited to basic functionality and relied on hardcoded server addresses. Newer versions add features such as screen capture and keystroke logging as separate commands, reflecting the continuous refinement of the malware. Analysis indicates that at least two development teams are involved in WezRat’s ongoing enhancement, underscoring the scale of investment in this tool.
This campaign highlights the growing sophistication of state-backed cyber threats. While Israeli organisations are the primary target, the malware’s potential impact extends to geopolitical adversaries and entities influencing Iran’s domestic or international narratives. Security experts urge organisations worldwide to remain vigilant as such threats become increasingly advanced and tailored to their targets.