Dust Specter: Deep Dive into SPLITDROP & GHOSTFORM targeting Iraqi Gov
Just caught the ThreatLabz report on Dust Specter—an Iran-nexus cluster actively targeting Iraqi officials by spoofing the Ministry of Foreign Affairs. The most interesting part is the introduction of two new malware families: SPLITDROP (likely the dropper/installer) and GHOSTFORM (the payload).
Given the regional targeting and the diplomatic spoofing, the TTPs suggest a high degree of spear-phishing. Since these are "never-before-seen" variants, signature-based detection is going to lag. We need to focus on the delivery chain.
I've put together a quick KQL query to hunt for similar Office macro execution patterns that lead to suspicious child processes, which is standard for this type of initial access:
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe")
| where FileName in~ ("powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe")
| where ProcessCommandLine contains "split" or ProcessCommandLine contains "drop"
| project DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, Timestamp
Has anyone else started seeing similar lures in their telemetry? How are you handling detection for zero-day droppers in government sectors without generating massive alert fatigue?
Solid query, but I'd recommend broadening the hunt to exclude the specific string matches for 'split' or 'drop' in the CLI initially. Threat actors often obfuscate those strings in Base64 or environment variables. Instead, look for Office apps spawning powershell with -EncodedCommand and flag those for automated sandbox detonation. That usually catches the unknowns like this GHOSTFORM variant faster than static keywords.
The geopolitical context here is key. Iran-nexus groups have been shifting towards more modular frameworks recently to evade AV. If SPLITDROP is anything like the droppers we saw in the TA456 campaigns last year, it probably uses DLL side-loading or a signed binary to proxy the execution. I'd suggest checking for suspicious Rundll32 or Regsvr32 activity originating from the Outlook temp folder as a secondary detection method.
From a pentester's perspective, the spoofing of the Ministry of Foreign Affairs is a classic but effective pretext. The user trust factor in government entities is high. We recently tested a similar vector (phishing with 'official' doc templates) and saw a 40% click-through rate even with basic awareness training. It’s not just about the malware; the human layer is the biggest vulnerability here.
Excellent breakdown. Since signature-based detection is lagging, behavioral hunting is your best bet here. I recommend monitoring for suspicious parent-child relationships, specifically Office products spawning shells.
You can use this KQL query to flag potential execution chains associated with these droppers:
DeviceProcessEvents
| where InitiatingProcessFileName in~ ('winword.exe', 'excel.exe')
| where FileName in~ ('powershell.exe', 'cmd.exe', 'wscript.exe')
| project DeviceName, InitiatingProcessCommandLine, ProcessCommandLine
Valid point on behavioral hunting. If SPLITDROP follows typical patterns, the handoff to GHOSTFORM likely involves obfuscated PowerShell. You should also look for unusually long encoded command strings, which often signal payload staging.
DeviceProcessEvents
| where ProcessCommandLine contains "powershell" and ProcessCommandLine contains "-enc"
| where strlen(ProcessCommandLine) > 5000
This helps flag mass-encoded blobs before they hit disk.
Building on the behavioral analysis, if the dropper uses a fileless approach, you’ll want to hunt for powershell.exe spawning directly from Office apps with specific obfuscation flags. Here is a quick KQL query to catch the handoff:
// DeviceProcessEvents has no CommandLine column; the field is ProcessCommandLine
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe")
| where FileName =~ "powershell.exe"
| where ProcessCommandLine contains "-enc" and strlen(ProcessCommandLine) > 300
This targets the specific obfuscation mentioned without relying on static signatures.
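The Office-to-shell and encoded-command hunts from the last two replies, as an added Python example that is not from the ThreatLabz report or from any poster here: it applies both filters to constructed DeviceProcessEvents-shaped records and decodes the -EncodedCommand blob (base64 of UTF-16LE) so an analyst can see what the handoff would actually run, including the case where the blob does not decode. The parent/child process names and the 300-character threshold are taken from the thread; the sample events and the helper that builds them are constructed for the demo.

```python
import base64
import binascii
import re

# Parent/child names the thread's KQL queries key on (assumed, not an IoC list from the report)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
# Common spellings of the switch followed by a base64 blob; "-ExecutionPolicy" does not match.
# PowerShell accepts any prefix of -EncodedCommand, so extend the list if your telemetry shows others.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
LONG_BLOB = 300  # encoded-length threshold the thread uses to flag payload staging

def decode_encoded_command(cmdline):
    """Decode an -EncodedCommand blob (base64 of UTF-16LE text); None if no blob is present."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return "<undecodable blob>"  # malformed or truncated blob: still worth an analyst's look

def hunt(events):
    """Flag Office -> shell spawns; enrich encoded-PowerShell hits with the decoded command."""
    hits = []
    for ev in events:
        parent, child = ev["InitiatingProcessFileName"].lower(), ev["FileName"].lower()
        if parent not in OFFICE_PARENTS or child not in SHELL_CHILDREN:
            continue
        cmd = ev["ProcessCommandLine"]
        m = ENC_RE.search(cmd)
        hits.append({"device": ev["DeviceName"], "parent": parent, "child": child, "encoded": m is not None,
                     "long_blob": m is not None and len(m.group(1)) > LONG_BLOB,
                     "decoded": decode_encoded_command(cmd)})
    return hits

def _b64ps(script):  # constructed helper: encode a script the way PowerShell's -EncodedCommand expects
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample telemetry (DeviceProcessEvents-shaped), not real events from the campaign
SAMPLE_EVENTS = [
    {"DeviceName": "WS01", "InitiatingProcessFileName": "WINWORD.EXE", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -ExecutionPolicy Bypass -enc " + _b64ps("Write-Host hello")},
    {"DeviceName": "WS02", "InitiatingProcessFileName": "excel.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell -nop -w hidden -EncodedCommand " + _b64ps("Write-Host " + "A" * 200)},
    {"DeviceName": "WS03", "InitiatingProcessFileName": "winword.exe", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c echo test"},  # flagged for the parent/child pair, nothing to decode
    {"DeviceName": "WS04", "InitiatingProcessFileName": "winword.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -enc notbase64!!!"},  # edge case: blob does not decode
]
```

Run hunt(SAMPLE_EVENTS) to get one dict per hit; the decoded field is what you would feed to the sandbox-detonation step suggested earlier in the thread.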
Don't overlook the persistence vector. With these actors, we often see them leveraging Registry Run keys established immediately after the SPLITDROP execution. I'd suggest adding this Sigma query to your hunt to catch the installation phase before GHOSTFORM activates:
title: Script Host Writing Run Key
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'Software\\Microsoft\\Windows\\CurrentVersion\\Run'
        Image|endswith:
            - '\powershell.exe'
            - '\wscript.exe'
    condition: selection