Hamas-Linked Hackers Add Insurance and Retail to Target List
MoleRATs, a politically-motivated threat actor apparently linked to the Palestinian terrorist organization Hamas, has expanded its target list to include insurance and retail industries, Palo Alto Networks’ security researchers report.
Also referred to as Gaza Hackers Team, Gaza Cybergang, Extreme Jackal, Moonlight, and DustySky, the advanced persistent threat (APT) group has been active since at least 2011, targeting various governmental organizations around the world, as well as telecommunications companies.
Between October 2 and December 9, 2019, the hacking group was observed targeting eight organizations in six different countries. The victims are from the government, telecommunications, insurance and retail industries, with the last two representing atypical targets for the group.
The targets were located in the United Arab Emirates, the United Kingdom, Spain, the United States, Djibouti, and Saudi Arabia.
All attacks used similar email subject and attachment file names, but no specific social engineering themes were employed, which likely diminished the efficiency of the attempts.
Spear-phishing emails were leveraged to deliver malicious documents — mostly Word documents, but also one PDF — which in turn attempted to trick the intended victim into enabling content so that a macro could run, or into clicking a link that downloads a malicious payload.
The Spark backdoor was used in most of these assaults, allowing the attackers to open applications and run command line commands on the compromised system. The malware has been attributed to the Gaza Cybergang before and appears to have been used by the group since at least 2017.
To avoid detection and impede analysis, the hackers password-protected the delivery documents, ensured that the Spark payload would only run on systems with an Arabic keyboard and locale, and also obfuscated the payloads using the commercial packer Enigma. They also encrypted data in HTTP POST requests and responses to the command and control (C&C) server.
One of the delivery documents observed in these attacks was previously discussed by Cisco Talos’ researchers in relation to the JhoneRAT payload, suggesting that the Gaza Cybergang might be employing this piece of malware as well.
Some of the delivery documents analyzed led to a modular payload that requires a “chain of successful communications with a C2 server for a successful infection,” Palo Alto Networks reveals. This makes post-intrusion analysis difficult, as the researchers aren’t always able to retrieve all components.
“This behavior can assist the adversary in evading automated defenses, as they can deploy their infrastructure at time of attack and avoid having additional artifacts available for further analysis,” the researchers note.
Another document attempted to trick the victim into enabling macros to fetch a base64-encoded executable from Google Drive. This file is a compiled AutoIt script that installs an embedded executable, runs it, and ensures persistence. The executable then fetches a variant of the Spark backdoor.
The PDF document observed in one of the attacks contained a message meant to coerce the recipient into clicking a link that would fetch the malicious payload. A blackmail-like approach is employed: the victim is told that the attacker has compromising pictures of them and intends to release them to the media.
The security researchers were able to identify code connections between the delivery documents, which then led them to the discovery of additional documents and of the domain infrastructure employed by the attackers.
Spark, the backdoor employed in these attacks, appears to have been used by the Gaza Cybergang in the Operation Parliament campaign that was detailed in early 2018. Palo Alto Networks gathered dozens of samples with creation dates ranging from March 2017 to January 2020, and identified two versions of the malware: 2.2, created three years ago, and 4.2, created in late December 2019 and January 2020.
Spark was used in campaigns in January 2019 and January 2020, and a comparison between the attacks revealed a change in payload delivery method, but also an evolution of the backdoor itself, suggesting that the threat group is continually developing the malware using freely available libraries.