A new cyberspying campaign has been detected in the Middle East which is going after victims in Palestinian territories.
An investigation into the attacks, conducted by the Cybereason Nocturnus team and made public on Thursday, suggests that one of the Gaza Cybergang groups -- also known as MoleRATs -- is potentially responsible.
Tracked by Kaspersky as three separate factions -- MoleRATs, a group linked to Desert Falcons, and Operation Parliament -- MoleRATs is an Arabic-speaking, politically motivated collective that has been in operation since 2012.
Kaspersky says that the MoleRATs group is the least sophisticated of the three, and while the trio uses different styles of attack, all use common tools and commands after initial infections.
Cybereason says that over the past few months, MoleRATs has been attempting to infiltrate the systems of both organizations and individuals. However, two separate campaigns appear to be happening simultaneously.
The first, dubbed Spark, uses social engineering as the preliminary attack vector. Phishing emails attempt to lure victims by drawing upon politically sensitive content, such as the Israeli-Palestinian conflict, tensions between Hamas and the Egyptian government, and the assassination of Qasem Soleimani.
If victims open the emails and attached malicious files, these decoy documents, including Microsoft Office, .PDF, and archive files, all attempt to lure victims to download an additional archive file from Egnyte or Dropbox. When opened, another file -- masquerading as a Microsoft Word document -- contains an executable which is the Spark backdoor dropper.
Decoy document names include "Meeting between Abu-Mazen and Kushner," "Haniyeh will remain abroad and Hamas steps up in Gaza.pdf," and "Details%20Ceasfire%20with%Israel.zip."
The Spark backdoor, likely to be custom software designed by the threat actors, is able to collect system information on an infected machine; encrypt this information and send it to a command-and-control (C2) server; download additional malicious payloads, and execute commands.
The malware will wrap up payloads using Enigma in an attempt to avoid detection and will scan for antivirus products using WMI. Spark will also verify that its victim is Arabic based on keyboard and language settings.
Pierogi is the second campaign of note, which also uses social engineering but employs a different range of decoy malicious documents -- and a brand new backdoor.
In the majority of cases, the cybersecurity researchers say weaponized Microsoft Word documents are employed, also leading to further malicious file downloads by way of macros. Names include "Report on major developments_347678363764.exe," "Employee-entitlements-2020.doc," and "Hamas_32th_Anniversary__32_1412_847403867_rar.exe."
A backdoor is then dropped. Dubbed Pierogi after an Eastern European dish, the software, written in Delphi, is rather basic and appears to have been created by Ukranian-speaking hackers, as indicated by Ukranian language hints in the code.
Despite its simplicity, the malware is still able to collect and steal system data, download additional payloads, take screenshots, and execute commands via CMD.
Cybereason suspects that the purpose of both campaigns is to "obtain sensitive information from the victims and leverage it for political purposes."
However, the cybersecurity researchers caution over strict attribution.
"It is important to remember there are many threat actors operating in the Middle East, and often there are overlaps in TTPs, tools, motivation, and victimology," the team says. "There have been cases in the past where a threat actor attempted to mimic another to thwart attribution efforts, and as such, attribution should rarely be taken as is, but instead with a grain of salt."
Previous and related coverage
- Enterprise companies struggle to control security certificates, cryptographic keys
- Outlaw hacking group kills existing cryptocurrency miners in enterprise server attacks
- KBOT virus takes out system files with no hope of recovery
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0