Implications of the crisis in Iraq in the cyberspace

Pierluigi Paganini July 04, 2014

Security Experts at Intelligence firm InterCrawler have analyzed the effect of the crisis in Iraq on the malicious activities in the cyberspace.

Cyber threat intelligence firm IntelCrawler has published an interesting post on the repercussion of Iraq Civil disorder on the cyberspace, the company has analyzed the activities within the Iraqi ISP industry discovering worrying signals. According to researchers from InterCrawler the malicious activities have increased in a significant way in the last weeks, one of the principal effects is the presence of numerous botnets using dynamic DNS, the experts attribute it to ongoing cyber espionage campaigns on systems in the area.  The attackers have used the dynamic DNS services (e.g. “no-ip.biz” and “zapto.org” ) to allow the malware dropped on the victims to reach the Command & Control servers also in the case their IP addresses will change.

“The increased activity correlates with other geopolitical conflicts where state-sponsored activities in cyberspace try to affect outcomes on the ground. Most of the identified malicious domain names used for C&C communications were registered using free public DNS providers. The resolved IP addresses were related to subnets of various regional ISPs in Iraq, such as GORANNET, IQ-EARTHLINK, IQNETWORKS, IQ-NEWROZ and IQ-TARINNET.” states the blog post.

Malicious traffic was mainly concentrated in four Iraqi cities, Baghdad Erbil, Basra and Mosul, meanwhile GORANNET was the ISP involved in the majority of malicious activities.

Iraq cities malicious traffic

Iraq cities malicious traffic 2

The experts noted a large used of njRAT, a malware also spread during the conflict in Syria to target members of the opposition groups. Other malware observed specifically targeted the Arabic speaking community, also in these cased the attackers used dynamic DNS services to make C&C reachable to the spyware.

“Secure Sockets (SOCKS) and FTP/HTTP BackConnect with embedded file system browser for infected victims remote monitoring masked under Google Chrome and publicly available software.”  states the post.

Of course the attackers used social engineering techniques to lure victims into visit infected URL or open malicious files, researchers at InterlCrawler isolated many malware samples with strings such as “النصر لنا”, “النصر لنا هجوم” and others, that refers political motivations of targeted cyber attacks.

The malware include most common data-stealer features like screen grabbing, keylogger and the ability to download and execute further malicious code on the infected systems.

In the following table are reported the Command and Control servers hosted on the ISPs in Iraq.

FQDN IP
http://njrat7777.no-ip.biz/ 91.235.168.183
http://sajad999.no-ip.biz/ 37.238.161.119
http://rexhacker.no-ip.org/ 37.236.204.157
http://hackerrr0000.no-ip.biz/ 91.235.168.149
http://alihussain.no-ip.biz:9988 37.239.248.37
http://hpyassin.no-ip.biz:81 37.17.129.46
http://chrome-update.sytes.net 37.238.176.71
http://safanaali1.no-ip.biz 37.238.29.27
http://a7zaan.no-ip.biz 37.236.76.68
http://younisdeaaa.zapto.org/ 62.201.203.109
http://gaseem.zapto.org/ 37.239.64.193
http://hackid12.no-ip.biz/ 37.237.136.208

The number of illegal activities is not limited to malicious traffic from/to ISPs in the country, the investigation made by InterlCrawler also revealed a significant number of SOHO-routers compromised having IP addresses assigned to Iraq. The attackers compromised the routers with a large-scale exploitation of vulnerabilities in UPnP and bruteforcing the administration consoles of the network devices.

The experts suspect that a so large number of SOHO devices compromised in the same area could be caused by a surveillance network for Internet traffic control in the region.

Who is behind the attacks and which are the motivation?

The number of groups located in Iraq and involved in illegal activities is sensibly increased, the political and religious motivation are the primary reasons for the participation to the cyber operations.

“Most appear united with Egypt, Lybian, Lebanese, Iranian, Syrian and various distributed Islamic groups performing targeted attacks because of religious and political motivation supported by state parties.” states Intercrawler.

The experts noted the participation of groups of cyber mercenaries that operated from many other counties in the ISIS area.

For further information stay tuned.

Pierluigi Paganini

(Security Affairs –  Iraq,  malware)



you might also like

leave a comment