Implications of the crisis in Iraq in cyberspace

Security experts at the intelligence firm IntelCrawler have analyzed the effect of the crisis in Iraq on malicious activity in cyberspace.

Cyber threat intelligence firm IntelCrawler has published an interesting post on the repercussions of the Iraqi civil disorder on cyberspace. The company analyzed activity within the Iraqi ISP industry and found worrying signals. According to IntelCrawler researchers, malicious activity has increased significantly in recent weeks; one of the principal effects is the presence of numerous botnets using dynamic DNS, which the experts attribute to ongoing cyber espionage campaigns against systems in the area. The attackers rely on dynamic DNS services (e.g. “no-ip.biz” and “zapto.org”) so that the malware dropped on the victims can still reach its Command & Control servers even when their IP addresses change: the implant is configured with a hostname rather than an address, and the operator simply updates the record.

“The increased activity correlates with other geopolitical conflicts where state-sponsored activities in cyberspace try to affect outcomes on the ground. Most of the identified malicious domain names used for C&C communications were registered using free public DNS providers. The resolved IP addresses were related to subnets of various regional ISPs in Iraq, such as GORANNET, IQ-EARTHLINK, IQNETWORKS, IQ-NEWROZ and IQ-TARINNET.” states the blog post.

Malicious traffic was mainly concentrated in four Iraqi cities, Baghdad, Erbil, Basra and Mosul, while GORANNET was the ISP involved in the majority of the malicious activity.

The experts noted heavy use of njRAT, a malware also spread during the conflict in Syria to target members of the opposition groups. Other malware observed specifically targeted the Arabic-speaking community; in these cases too the attackers used dynamic DNS services to keep the C&C reachable by the spyware.

“Secure Sockets (SOCKS) and FTP/HTTP BackConnect with embedded file system browser for infected victims remote monitoring masked under Google Chrome and publicly available software.”  states the post.

Of course the attackers used social engineering techniques to lure victims into visiting infected URLs or opening malicious files. Researchers at IntelCrawler isolated many malware samples containing strings such as “النصر لنا” (“victory is ours”), “النصر لنا هجوم” (“victory is ours, attack”) and others, which point to the political motivation of the targeted cyber attacks.

The malware includes the most common data-stealing features, such as screen grabbing, keylogging and the ability to download and execute further malicious code on the infected systems.

The following table lists the Command and Control servers hosted on ISPs in Iraq.

FQDN                                IP
http://njrat7777.no-ip.biz/         91.235.168.183
http://sajad999.no-ip.biz/          37.238.161.119
http://rexhacker.no-ip.org/         37.236.204.157
http://hackerrr0000.no-ip.biz/      91.235.168.149
http://alihussain.no-ip.biz:9988    37.239.248.37
http://hpyassin.no-ip.biz:81        37.17.129.46
http://chrome-update.sytes.net      37.238.176.71
http://safanaali1.no-ip.biz         37.238.29.27
http://a7zaan.no-ip.biz             37.236.76.68
http://younisdeaaa.zapto.org/       62.201.203.109
http://gaseem.zapto.org/            37.239.64.193
http://hackid12.no-ip.biz/          37.237.136.208
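The dynamic DNS point made earlier (a C&C keeps its name while its address changes) is exactly what makes the table above awkward to use as a plain IP blocklist. The following Python script is an added example, written for this page and not part of IntelCrawler's report, showing how a defender would turn the table into detection logic over DNS resolver logs: match on the hostname first, then on the resolved address, and flag any other lookup under the dynamic DNS zones that appear in the table. The log format (`time client qname A answer`), the client addresses and the non-IOC hostnames in the sample log are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# The C&C entries from the table above, as (URL as listed, resolved IP).
IOC_TABLE = [
    ("http://njrat7777.no-ip.biz/", "91.235.168.183"),
    ("http://sajad999.no-ip.biz/", "37.238.161.119"),
    ("http://rexhacker.no-ip.org/", "37.236.204.157"),
    ("http://hackerrr0000.no-ip.biz/", "91.235.168.149"),
    ("http://alihussain.no-ip.biz:9988", "37.239.248.37"),
    ("http://hpyassin.no-ip.biz:81", "37.17.129.46"),
    ("http://chrome-update.sytes.net", "37.238.176.71"),
    ("http://safanaali1.no-ip.biz", "37.238.29.27"),
    ("http://a7zaan.no-ip.biz", "37.236.76.68"),
    ("http://younisdeaaa.zapto.org/", "62.201.203.109"),
    ("http://gaseem.zapto.org/", "37.239.64.193"),
    ("http://hackid12.no-ip.biz/", "37.237.136.208"),
]

# Dynamic DNS zones that appear in the table. Any name under them deserves a
# look, because the operator can register a fresh name and re-point it at will.
DYNDNS_ZONES = ("no-ip.biz", "no-ip.org", "zapto.org", "sytes.net")


def fqdn_of(url: str) -> str:
    """Reduce a table entry (scheme, optional port, trailing slash) to a bare hostname."""
    return urlsplit(url).hostname.lower()


IOC_FQDNS = {fqdn_of(url): ip for url, ip in IOC_TABLE}
IOC_IPS = {ip for _, ip in IOC_TABLE}

# Assumed log format: "<time> <client-ip> <qname> A <answer-ip|NXDOMAIN>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+A\s+(?P<answer>\S+)$"
)

# Constructed sample log: the client addresses and the non-IOC names are invented.
SAMPLE_DNS_LOG = """\
10:01:02 10.10.5.21 njrat7777.no-ip.biz A 91.235.168.183
10:01:09 10.10.5.21 chrome-update.sytes.net A 37.238.176.71
10:02:31 10.10.7.4 www.example.com A 93.184.216.34
10:03:15 10.10.7.4 sajad999.no-ip.biz A 198.51.100.7
10:04:40 10.10.9.9 backup.example.net A 37.239.64.193
10:05:02 10.10.9.9 mybox.zapto.org A NXDOMAIN
"""


def classify(qname: str, answer: str):
    """Return the reason a query is suspicious, or None.

    The name is checked before the answer on purpose: a dynamic DNS host keeps
    its name while its address changes, so a listed C&C name that now resolves
    somewhere else is still the same C&C.
    """
    qname = qname.lower().rstrip(".")
    if qname in IOC_FQDNS:
        return "ioc-fqdn"
    if answer in IOC_IPS:
        return "ioc-ip"          # some other name pointed at a listed C&C address
    if qname.endswith(tuple("." + zone for zone in DYNDNS_ZONES)):
        return "dyndns"          # not a known IOC, but worth a second look
    return None


def scan(log_text: str):
    """Return (client, qname, answer, reason) for every suspicious query in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue             # skip lines that are not A-record lookups
        reason = classify(m["qname"], m["answer"])
        if reason:
            hits.append((m["client"], m["qname"], m["answer"], reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_DNS_LOG):
        print(*hit)
```

On the sample log the third hit is the instructive one: sajad999.no-ip.biz now answers with an address that is not in the table, and an IP-only blocklist would have missed it. The "dyndns" verdict is deliberately weaker than the other two; free dynamic DNS has plenty of legitimate users, so it is a triage signal, not a block decision.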

Illegal activity is not limited to malicious traffic to and from ISPs in the country: IntelCrawler's investigation also revealed a significant number of compromised SOHO routers with IP addresses assigned to Iraq. The attackers compromised the routers through large-scale exploitation of UPnP vulnerabilities and by brute-forcing the administration consoles of the network devices.

The experts suspect that such a large number of compromised SOHO devices in the same area could be part of a surveillance network for Internet traffic control in the region.
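The brute-forcing of router administration consoles described above is visible in the device's own logs long before the router joins a surveillance network. The script below is an added example, not code from IntelCrawler or from any router vendor: it runs a sliding-window count of failed admin logins per source address over constructed router log lines and reports the case a defender cares about most, a successful login arriving while the burst of failures is still inside the window. The syslog-style line format, the hostname `gw`, and every address and timestamp in the sample are assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Assumed syslog-like format for a router's admin interface; the sample lines
# below are constructed for this example, not taken from the report.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ admin: "
    r"login (?P<result>failed|ok) for (?P<user>\S+) from (?P<src>[\d.]+)$"
)

SAMPLE_ROUTER_LOG = """\
Jun 20 10:00:01 gw admin: login failed for admin from 203.0.113.5
Jun 20 10:00:03 gw admin: login failed for admin from 203.0.113.5
Jun 20 10:00:04 gw admin: login failed for admin from 203.0.113.5
Jun 20 10:00:06 gw admin: login failed for admin from 203.0.113.5
Jun 20 10:00:08 gw admin: login failed for admin from 203.0.113.5
Jun 20 10:00:09 gw admin: login ok for admin from 203.0.113.5
Jun 20 10:01:00 gw admin: login failed for admin from 198.51.100.20
Jun 20 10:01:30 gw admin: login ok for admin from 198.51.100.20
Jun 20 10:02:00 gw admin: login failed for admin from 192.0.2.77
Jun 20 10:03:10 gw admin: login failed for admin from 192.0.2.77
Jun 20 10:04:20 gw admin: login failed for admin from 192.0.2.77
Jun 20 10:05:30 gw admin: login failed for admin from 192.0.2.77
Jun 20 10:06:40 gw admin: login failed for admin from 192.0.2.77
"""


def to_seconds(hhmmss: str) -> int:
    """Seconds since midnight; the sample spans one day, so the date is ignored."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60) -> dict:
    """Flag sources with at least `threshold` failed logins inside a `window_s` window.

    Returns {src: {"peak_failures": n, "success_after_burst": bool}}.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still in the window
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # not an admin login event
        src, t = m["src"], to_seconds(m["time"])
        q = recent[src]
        while q and t - q[0] > window_s:   # slide the window forward
            q.popleft()
        if m["result"] == "failed":
            q.append(t)
            if len(q) >= threshold:
                entry = report.setdefault(
                    src, {"peak_failures": 0, "success_after_burst": False}
                )
                entry["peak_failures"] = max(entry["peak_failures"], len(q))
        elif len(q) >= threshold:
            # A success while the burst is still in the window: the password was
            # most likely guessed. The source was already flagged on its last
            # failure (the window only shrinks between failures), so the entry exists.
            report[src]["success_after_burst"] = True
    return report


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_ROUTER_LOG).items():
        print(src, info)
```

With the defaults only 203.0.113.5 is reported: five failures in seven seconds followed by a success. The single failure from 198.51.100.20 is a typo, and the slow attempts from 192.0.2.77 are 70 seconds apart, so they never accumulate inside a 60-second window; widening the window (the second assertion below uses ten minutes) catches that low-and-slow pattern at the cost of more noise. Sliding-window counting is the same logic a fail2ban-style jail applies, and on a SOHO router the practical fix is the same as well: no admin interface and no UPnP reachable from the WAN side at all.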

Who is behind the attacks, and what are their motivations?

The number of groups located in Iraq and involved in illegal activities has increased noticeably; political and religious motivations are the primary reasons for participation in the cyber operations.

“Most appear united with Egypt, Libyan, Lebanese, Iranian, Syrian and various distributed Islamic groups performing targeted attacks because of religious and political motivation supported by state parties.” states IntelCrawler.

The experts also noted the participation of cyber mercenary groups operating from many other countries in the area affected by ISIS.

For further information stay tuned.

Pierluigi Paganini

(Security Affairs – Iraq, malware)
