
Spearal (Backdoor) – Malware

February 26, 2025
Reading Time: 3 mins read
in Malware
Spearal

Type of Malware

Backdoor

Country of Origin

Iran

Targeted Countries

Iraq

Date of Initial Activity

2024

Associated Groups

APT34

Motivation

Cyberwarfare

Attack Vectors

Phishing

Targeted Systems

Windows

Overview

Spearal is a highly sophisticated backdoor malware that leverages DNS tunneling for covert communication with its Command and Control (C2) server. Written in .NET, Spearal is designed to operate stealthily within a victim’s network, making it particularly challenging for traditional security measures to detect. Unlike more conventional malware that communicates over HTTP or HTTPS protocols, Spearal utilizes DNS queries to transfer data, exploiting a protocol typically overlooked by many network monitoring systems. This use of DNS tunneling allows Spearal to bypass firewalls and intrusion detection systems, ensuring its persistence within an infected environment. Once deployed, Spearal establishes a persistent connection to the C2 server, enabling the attacker to remotely control the infected system. The malware’s configuration file contains key information such as the server address and other parameters that dictate its behavior. Spearal sends data encoded in base32 format through DNS queries, which are directed to a predefined domain, or if none is specified, defaults to iqwebservice[.]com. This approach not only conceals the malware’s communication but also provides an additional layer of security by encoding transmitted information, making it harder for security professionals to identify the data as malicious.

Targets

Public Administration Information

How they operate

At its core, Spearal relies on a DNS-based communication method, sending base32-encoded data within the subdomains of DNS queries. The malware retrieves the C2 server address from the “srvip” field of its configuration file, or defaults to the domain iqwebservice[.]com. This domain serves as the endpoint for all communication between the infected system and the attacker. The server answers with DNS TXT records, which can carry arbitrary data, so the same channel carries the infected host’s messages to the C2 server and the server’s replies back, giving a two-way channel that can be used for a variety of malicious actions.

The operation of Spearal begins with an initial authentication step. When the malware first connects to the C2 server, it sends a base32-encoded DNS query containing the string “auth:;” followed by the username. The server responds with a target_comm_id, which serves as a unique identifier for the infected machine and is used in all subsequent communications. This mechanism allows the attacker to track and control multiple infected machines individually. The malware continues to use this target_comm_id in future queries to request specific commands and send results back to the C2 server.

Once authentication is complete, Spearal enters its command-requesting phase. The malware sends a DNS query with the string “cmd:;” followed by the target_comm_id. In response, the C2 server provides one of several commands that dictate the actions the malware will perform. These commands include executing PowerShell scripts on the infected machine, downloading files and sending them to the C2 server, or uploading content from the C2 to the infected machine. The malware’s use of DNS queries for all communications ensures that these actions are discreet and difficult to detect with conventional monitoring systems.

When the malware executes a command, the results are sent back to the C2 server in small, segmented chunks to avoid detection. The first message is a “crs:;” query, which signals the start of a command result transfer and carries the command ID and the number of chunks needed to transfer the data. Each chunk is then transmitted in a “crb:;” query, which includes the command ID, the chunk index, and the chunk data itself. The C2 server responds with either an acknowledgment (“rok:;”) or the final “end” response when the data transfer is complete. This process allows large amounts of data to be sent without triggering alerts from intrusion detection systems that monitor for large, unusual transfers.

Spearal’s use of DNS tunneling, combined with its ability to encode and segment communication, allows it to fly under the radar of many network defenses. This method not only evades conventional security tools but also provides the attacker with a reliable, persistent communication channel that can be maintained for long periods. The malware’s design demonstrates the growing sophistication of cyber threats, as it exploits trusted protocols and encoding techniques to carry out a variety of malicious operations while avoiding detection. Understanding the technical workings of Spearal is essential for developing detection mechanisms and defensive strategies to counteract such advanced threats.
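A detection sketch for the channel described above, as an added example that is not CyberMaterial’s or the referenced report’s code: it base32-decodes the subdomain labels of TXT queries to the default C2 domain and flags the “auth:;”, “cmd:;”, “crs:;” and “crb:;” message prefixes. The label layout (unpadded base32 split into fixed-size labels) and the log line format are assumptions; the write-up does not specify either.

```python
import base64
import binascii
import re
from typing import Optional

DEFAULT_C2_DOMAIN = "iqwebservice.com"          # default domain from the report
SPEARAL_PREFIXES = ("auth:;", "cmd:;", "crs:;", "crb:;")  # client message prefixes
B32_LABEL = re.compile(r"^[A-Za-z2-7]+$")        # DNS labels that could be base32

def encode_message(msg: str, label_len: int = 32) -> str:
    """Build a Spearal-style query name for test data. ASSUMPTION: unpadded
    base32 split into fixed-size labels; the report does not state the layout."""
    b32 = base64.b32encode(msg.encode()).decode().rstrip("=")
    labels = [b32[i:i + label_len] for i in range(0, len(b32), label_len)]
    return ".".join(labels) + "." + DEFAULT_C2_DOMAIN

def decode_subdomain(qname: str, c2_domain: str = DEFAULT_C2_DOMAIN) -> Optional[str]:
    """Return the decoded subdomain text, or None if it is not base32 data."""
    suffix = "." + c2_domain
    if not qname.lower().endswith(suffix):
        return None
    labels = qname[: -len(suffix)].split(".")
    if not all(B32_LABEL.match(label) for label in labels):
        return None
    blob = "".join(labels).upper()
    blob += "=" * (-len(blob) % 8)               # restore stripped padding
    try:
        return base64.b32decode(blob).decode("utf-8", errors="replace")
    except binascii.Error:                       # length not a valid base32 quantum
        return None

def classify(qname: str) -> Optional[dict]:
    """Flag a query whose decoded subdomain starts with a Spearal prefix."""
    text = decode_subdomain(qname)
    if text is None:
        return None
    for prefix in SPEARAL_PREFIXES:
        if text.startswith(prefix):
            return {"prefix": prefix, "payload": text[len(prefix):], "qname": qname}
    return None

def scan_dns_log(lines):
    """Constructed log format, one query per line: '<ts> <client> <qtype> <qname>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and parts[2].upper() == "TXT":
            hit = classify(parts[3])
            if hit:
                hits.append({**hit, "client": parts[1]})
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2025-02-26T09:00:01Z 10.0.0.5 TXT " + encode_message("auth:;operator"),
    "2025-02-26T09:00:02Z 10.0.0.5 TXT " + encode_message("cmd:;42"),
    "2025-02-26T09:00:03Z 10.0.0.5 A www.example.com",
    "2025-02-26T09:00:04Z 10.0.0.7 TXT mail.iqwebservice.com",
]
```

In production the prefix match should be paired with a volume rule, since the “crb:;” chunking produces many TXT queries from one client to one domain in a short window.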
References
  • Targeted Iranian Attacks Against Iraqi Government Infrastructure