Palestinian Authorities Under Cyber Attack
A cyber-espionage group knows as the Gaza Cybergang that targeted Palestinian law enforcement last year is back in action, this time targeting Palestinian government officials.
These recent attacks started in March 2018, according to evidence surfaced by Israel-based cybersecurity firm Check Point. The new attacks seem to fit the same modus operandi of a group detailed in two reports from Cisco Talos and Palo Alto Networks last year.
The APT with a Hollywood obsession returns
Those reports detailed a spear-phishing campaign aimed at Palestinian law enforcement. The malicious emails tried to infect victims with the Micropsia infostealer, a Delphi-based malware that contained many strings referencing characters from the Big Bang Theory and Game Of Thrones TV shows.
Now, the same group appears to be back, and the only thing they've changed is the malware, which is now coded in C++. The TV shows references are still there, this time with mentions to the Big Bang Theory, but also a Turkish TV series named "Resurrection: Ertugrul."
Just like Micropsia, this new malware is also a powerful backdoor that can be extended with second-stage modules at any time.
According to Check Point, the group uses this new and improved backdoor to infect a victim, gather a fingerprint of his workstation, and then collect the names of .doc, .odt, .xls, .ppt, and .pdf documents and sending this list to the attacker's server.
Experts believe the cyber-espionage group analyses this list in search of sensitive files it could steal. When the attacker finds a "valuable" host, other modules are downloaded to perform other tasks.
Researchers believe this new malware supports 13 modules, based on the structure of its configuration file. The research team says it was able to recover only five modules, and have yet to determine the purpose of others.
Group now targets members of the Palestinian government
Check Point says that this year, the group appears to be targeting members of the Palestinian National Authority, which is Palestine's interim self-government body.
The theme of the spear-phishing emails is monthly press reports posing to come from the Palestinian Political and National Guidance Commission, sent to individuals connected with the Palestinian National Authority.
"Unlike in 2017, this time the malicious attachment is an executable which is actually a self-extracting archive, containing a decoy document and the malware itself," researchers said.
The self-extracting archive uses a Word-like icon to trick users into running the file and infecting themselves with malware.
Group behind attacks linked to Hamas
Check Point believes the advanced persistent threat (APT) behind these attacks is a group named the Gaza Cybergang. This group also goes under the names of Gaza Hackers Team or Molerats, and in 2016, cyber-security firm ClearSky linked this APT to Hamas, the Palestinian Sunni-Islamist fundamentalist organization, a terrorist organisation that's at odds with both Israel and the local government, to some degree.
The Gaza Cybergang appears to have been very busy this spring because recently Israel accused Hamas of trying to lure soldiers into installing malware-infected applications on their phones.
You Might Also Read:
Middle East: Cyberwar Heats Up:
