Cybersecurity specialists have identified a serious new threat in the sphere of Iranian hacker attacks. These attacks employ WezRat malware, a remote access trojan that also functions as an information stealer. This advanced tool is used by Iranian state-sponsored hackers to penetrate networks, steal confidential information, and carry out destructive operations. First identified through artifacts uploaded to VirusTotal, WezRat malware has been active since at least September 1, 2023. Its appearance can be considered proof of the increasing sophistication of Iranian hacker attacks. The malware operates below the level of visible defenses, which allows the hackers to conduct large, unannounced intrusions. Such activity poses a grave threat to targeted organizations and their critical infrastructure.
Capabilities and Design of WezRat
WezRat malware exhibits highly advanced capabilities, making it a powerful tool in Iranian hacker attacks. It gives the attacker full command execution, screenshot capture, file upload, keystroke logging, clipboard content theft, and cookie theft. Together, these features give the attackers real-time command and control of, and data theft from, compromised systems, escalating the impact of the attacks.
As highlighted by cybersecurity firm Check Point, some functions of WezRat malware depend on separate modules retrieved from a command-and-control (C&C) server. These modules, delivered as DLL files, reduce the visibility of the malware’s main component, enhancing its stealth and effectiveness.
The inclusion of modular functionality ensures WezRat remains undetected for longer periods during Iranian Hackers Attacks, enabling persistent access to compromised networks. Such sophisticated tactics underscore the advanced strategies employed by Iranian state-sponsored groups to achieve their malicious objectives.
Attribution to Cotton Sandstorm
The development of WezRat malware has been linked to Cotton Sandstorm, a prominent hacking group notorious for conducting numerous Iranian hacker attacks. Previously known as Emennet Pasargad and more recently as Aria Sepehr Ayandehsazan (ASA), this group has a documented history of engaging in high-profile cyberattacks.
Reports from U.S. and Israeli cybersecurity agencies, published in late September 2023, detailed the capabilities and usage of WezRat malware. These reports confirmed that the malware serves as a powerful tool for gathering endpoint data and executing remote commands, further solidifying its association with Iranian hacker attacks.
Cotton Sandstorm’s operations reflect a highly coordinated strategy aimed at disrupting systems, gathering intelligence, and maintaining long-term access to critical networks. By leveraging tools like WezRat malware, the group continues to pose significant challenges to global cybersecurity frameworks.
Deployment Strategy and Phishing Campaigns
WezRat malware is widely distributed through targeted phishing campaigns, a hallmark of Iranian hacker attacks. These campaigns rely on deception to trick victims into downloading malware-laced files that compromise their systems.
One particularly effective method involves the distribution of trojanized Google Chrome installers, deceptively named “Google Chrome Installer.msi.” While these installers deliver the legitimate Chrome browser, they also include a malicious binary called “Updater.exe” (internally referred to as “bd.exe”). Once active, the malware collects system information and establishes contact with its command-and-control server at “connect.il-cert[.]net,” awaiting further instructions to carry out malicious actions.
Phishing emails impersonating the Israeli National Cyber Directorate (INCD) have been a primary vector for spreading WezRat malware. These emails, sent on October 21, 2024, urged recipients to install an urgent Chrome security update. This carefully crafted strategy exemplifies the high level of planning involved in Iranian hacker attacks, ensuring their campaigns reach specific, high-value targets.
The malware’s execution requires specific parameters, including the C&C server address and a numeric “password,” to function correctly. If incorrect parameters are supplied, the malware may crash or perform unintended actions, complicating analysis and detection efforts.
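As an added, defender-side example (not code from the article or from Check Point), the script below runs over constructed process-creation and DNS events and flags the indicators the article names: the Updater.exe/bd.exe binary launched by the trojanized MSI installer, the C&C domain appearing as a start-up parameter on the command line, and DNS lookups of connect.il-cert[.]net. The log format, host names, file paths and the argument layout of the Updater.exe command line are assumptions.

```python
import re

# Indicators named in the article; the domain is un-defanged so it can be matched.
C2_DOMAIN = "connect.il-cert.net"
DROPPER_NAMES = {"updater.exe", "bd.exe"}
# Constructed sample telemetry, not real logs: one event per line as key=value
# fields, quoted when the value contains spaces. Hosts, paths and the argument
# layout of the Updater.exe command line are assumptions.
SAMPLE_EVENTS = [
    r'type=proc host=WS01 image=C:\Windows\System32\msiexec.exe parent=explorer.exe cmdline="msiexec /i Google Chrome Installer.msi"',
    r'type=proc host=WS01 image=C:\Users\bob\AppData\Local\Temp\Updater.exe parent=msiexec.exe cmdline="Updater.exe connect.il-cert.net 1234"',
    r'type=dns host=WS01 query=connect.il-cert.net',
    r'type=proc host=WS02 image="C:\Program Files\Google\Chrome\Application\chrome.exe" parent=explorer.exe cmdline="chrome.exe"',
    r'type=dns host=WS02 query=clients2.google.com',
]
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value log line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def image_name(path):
    # Basename of a Windows or POSIX path, lower-cased for comparison.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the rule names this event triggers; an empty list means no match."""
    hits = []
    if event.get("type") == "proc":
        name = image_name(event.get("image", ""))
        parent = image_name(event.get("parent", ""))
        # The article's dropper: Updater.exe (bd.exe) spawned by the MSI installer.
        if name in DROPPER_NAMES and parent == "msiexec.exe":
            hits.append("wezrat_dropper_from_msi")
        # The C&C address is a required start-up parameter, so it may appear in the command line.
        if C2_DOMAIN in event.get("cmdline", "").lower():
            hits.append("wezrat_c2_in_cmdline")
    elif event.get("type") == "dns":
        query = event.get("query", "").lower().rstrip(".")
        if query == C2_DOMAIN or query.endswith("." + C2_DOMAIN):
            hits.append("wezrat_c2_dns")
    return hits


def scan(lines):
    """Run every rule over every line; returns (rule, host, line) triples."""
    findings = []
    for line in lines:
        event = parse_event(line)
        findings += [(rule, event.get("host", "?"), line) for rule in classify(event)]
    return findings
```

Running `scan(SAMPLE_EVENTS)` yields three findings, all on WS01, and nothing for the legitimate Chrome process or the Google DNS lookup.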
Implications of Iranian Hackers Attacks
The discovery of WezRat malware highlights the escalating threat posed by Iranian hacker attacks. These state-sponsored campaigns target the critical infrastructure, sensitive data, and valuable intellectual property of organizations, leaving them open to severe intrusions and operational disruption.
The fact that WezRat malware, as used in Iranian hacker attacks, operates unnoticed, steals information, and retains control of infected hosts afterwards shows that the authors of these attacks employ rather sophisticated tactics.
It is imperative for organizations to appreciate the serious risks associated with these threats and to work hard to develop ways of minimizing the losses they could cause.
These attacks also have consequences for nations, corporations, and the fundamental usability of the internet. Iranian hacker attacks pose a continuing and complex threat that needs a collective and preventive approach from all the world’s leaders in cyberspace security.
Strengthening Cybersecurity Measures
To minimize the damage that Iranian hackers would continue to cause, organizations have to adopt the following measures. This entails using new-generation threat scanning programs, vulnerability assessment, and email filtering to check for possible phishing attempts.
Another is building recognition and reporting habits among employees through training in spotting phishing and other suspicious activity. By frequently sending out test phishing emails and conducting introductory sessions, the effects of attacks from Iran’s hackers can be greatly minimized and instances of compromise reduced.
Organizations should also have a proper software download policy that will see them only download applications from verified sources. Applying timely updates and patches is essential to close known vulnerabilities, particularly those exploited by malware like WezRat.
Collaboration between international cybersecurity agencies and private organizations is vital. Sharing intelligence on Iranian hacker attacks and their methodologies can lead to more effective responses and improved resilience against future threats.
Conclusion
The emergence of WezRat malware underscores the escalating sophistication of Iranian hacker attacks. Through the use of sophisticated technologies and deception, state-sponsored actors like Cotton Sandstorm remain a persistent adversary for worldwide protection systems and a problem for organizations.
There is no room for complacency, and organisations have to be equally and continually proactive in addressing these enduring threats. Investing in more sophisticated attack detection and prevention systems, improving security awareness education, and integrating multinational coordination measures are some steps toward eliminating the threats represented by such highly technical intrusions.
The discovery of WezRat malware should remind us that every day brings new and innovative threats from cyber criminals. Today’s dangerous world demands an effective and flexible IT security solution to protect data and prevent Iranian hackers from disrupting large businesses and undermining trust in digital environments.
FAQs
WezRat is a remote access trojan used in Iranian hacker attacks targeting sensitive systems.
It spreads through phishing emails and trojanized Google Chrome installers downloaded by victims.
The attacks are attributed to Cotton Sandstorm, a group behind Iranian hacker attacks.
WezRat enables data theft, operational disruption, and prolonged unauthorized control of systems.
Using email filters, conducting training, and applying timely patches can prevent Iranian hacker attacks.