‘Evil eye’ protection amulets: the better-known ‘hamsa’ (left) and ‘nazar’ (right)

It’s hard to understand the scope of this operation without access to victimology (e.g. endpoint visibility or command-and-control sinkholing). Additionally, some possible timestomping muddies the water as to whether this operation originated in 2008-2009 or actually came into full force in 2010-2013 (the latter dates being corroborated by VirusTotal (VT) first-seen submission times and second-stage drop timestamps). There’s a variable level of developmental capability visible throughout the stages. Multiple components abuse commonly available resources, while the orchestrator and two of the DLL drops actually display some developmental ingenuity (in the form of seemingly novel COM techniques). Far from the most advanced coding practices, but definitely better than the sort of .NET garbage other ‘Farsi-speaking’ APTs have gotten away with in the past.

Somehow, this operation found its way onto the NSA’s radar pre-2013. As far as I can tell, it’s eluded specific coverage from the security industry. A possible scenario to account for the disparate visibility between the NSA and Western researchers when it comes to this cluster of activity is that these samples were exclusively encountered on Iranian boxes overlapping with EQGRP implants. Submissions of Nazar subcomponents from Iran (as well as privately shared visibility into historical and ongoing victimology clustered entirely on Iranian machines) could support that theory. Perhaps this is an internal monitoring framework (a la Attor) but given the sparse availability of historical data, I wouldn’t push that beyond a low-confidence assessment, at this time.

I hope interested researchers take this as an initial introduction and open challenge to contribute to what may prove a previously unknown threat actor, and encourage them to leverage their greater abilities and visibility to contribute to the ongoing research. I’ll gladly update this post with the contributions and publications of others.

Technical Breakdown

Nazar employs a modular toolkit in which a main dropper silently registers multiple DLLs as OLE controls in the Windows registry via ‘regsvr32.exe’ (which calls each DLL’s DllRegisterServer export to write its CLSID entries). An orchestrator (‘Data.bin’), disguised as the generic Windows service host process (‘svchost.exe’), is registered as a service (‘EYService’) for persistence. The DLLs are a mix of custom type libraries and resourceful repurposing of more widely available libraries for nefarious purposes.
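The two persistence behaviours described above (silent regsvr32 registration of DLLs from a non-system location, and a service whose binary is named ‘svchost.exe’ but does not live in System32/SysWOW64) are the kind of thing a hunter can check for in process-creation and service-install telemetry. The following is an added example of that triage logic, not code from the original post or from the Nazar toolkit. The event records, file paths and DLL names are constructed for illustration; the only identifiers taken from the post are ‘svchost.exe’ and the service name ‘EYService’.

```python
import ntpath
import re

# Constructed Sysmon/System-log style events (not real telemetry). All paths
# and DLL names are placeholders; the post only names 'svchost.exe' and the
# service 'EYService'.
SAMPLE_EVENTS = [
    {"kind": "process_create",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\Public\Libs\ctl1.dll"',
     "parent": r"C:\Users\Public\dropper.exe"},
    {"kind": "process_create",  # benign: installer registering a system DLL
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"kind": "service_install",
     "service": "EYService",
     "image_path": r"C:\Users\Public\svchost.exe"},
    {"kind": "service_install",  # benign: real service host with -k group
     "service": "wuauserv",
     "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# Directories from which DLL registration is considered expected.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# The only directories the genuine service host binary lives in.
SVCHOST_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Service name reported in the post; treat as a straight indicator.
KNOWN_SERVICE_NAMES = {"eyservice"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    """Split a Windows command line, keeping quoted paths as one token."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def in_trusted_root(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def regsvr32_finding(ev):
    """Flag regsvr32 registering a DLL that lives outside trusted roots."""
    args = split_cmdline(ev["cmdline"])[1:]
    switches = {a.lower() for a in args if a.startswith("/")}
    targets = [a for a in args if not a.startswith("/")]
    if not targets or "/u" in switches:   # nothing to register, or unregister
        return None
    dll = targets[0]
    if in_trusted_root(dll):
        return None
    return {"rule": "regsvr32_untrusted_dll", "target": dll,
            "silent": "/s" in switches, "parent": ev["parent"]}


def service_finding(ev):
    """Flag a service masquerading as svchost.exe or using a known name."""
    exe = split_cmdline(ev["image_path"])[0]   # ImagePath may carry arguments
    reasons = []
    if (ntpath.basename(exe).lower() == "svchost.exe"
            and ntpath.dirname(exe).lower() not in SVCHOST_DIRS):
        reasons.append("svchost.exe outside System32/SysWOW64")
    if ev["service"].lower() in KNOWN_SERVICE_NAMES:
        reasons.append("known service name")
    if not reasons:
        return None
    return {"rule": "suspicious_service", "service": ev["service"],
            "image": exe, "reasons": reasons}


def triage(events):
    """Run both checks over a list of events; return the findings in order."""
    findings = []
    for ev in events:
        finding = None
        if (ev["kind"] == "process_create"
                and ntpath.basename(ev["image"]).lower() == "regsvr32.exe"):
            finding = regsvr32_finding(ev)
        elif ev["kind"] == "service_install":
            finding = service_finding(ev)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

Using `ntpath` rather than `os.path` keeps the Windows path handling correct when the triage runs on a Linux analysis box. The regsvr32 rule deliberately keys on the DLL’s location rather than on the `/s` switch alone, since installers routinely register system DLLs silently; the switch is recorded in the finding so an analyst can still see that the registration was hidden from the user.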