
A cyber-espionage group that targeted Palestinian law enforcement last year is back in action, this time targeting Palestinian government officials.

The new attacks started in March 2018, according to evidence published by Israel-based cyber-security firm Check Point, and fit the modus operandi of a group detailed in two reports from Cisco Talos and Palo Alto Networks last year.

The APT with a Hollywood obsession returns

Those reports described a spear-phishing campaign aimed at Palestinian law enforcement. The malicious emails tried to infect victims with the Micropsia infostealer, a Delphi-based malware whose strings referenced characters from The Big Bang Theory and Game of Thrones.

Now the same group appears to be back, and the main thing it has changed is the malware, which is now written in C++. The TV references are still there: the module names allude to actors from The Big Bang Theory and from the Turkish series "Resurrection: Ertugrul."

Just like Micropsia, this new malware is also a powerful backdoor that can be extended with second-stage modules at any time.

According to Check Point, the group uses this new backdoor to infect a victim, fingerprint the workstation, collect the names of documents with extensions such as .doc, .odt, .xls, .ppt, and .pdf, and send that list to the attackers' server.

Researchers believe the group reviews this list to find sensitive files worth stealing. When a host is judged "valuable," additional modules are pushed to it to carry out further tasks.

Based on the structure of its configuration file, researchers believe the malware supports 13 modules. The sample Check Point analyzed implemented ten of them; the remaining three are named in the configuration but absent from the sample, so their purpose is still unknown. Below is what researchers currently know about each module.

Module name: purpose
Penny: takes a screenshot of the infected machine and sends it to the server
Wolowitz_Helberg: enumerates running processes, saves their names and IDs in "sat.txt" and sends the file to the server
Celal_Al: sends a list of documents with certain extensions: doc, docx, odt, xls, xlsx, ppt, pptx, accdb, accde, mdb, pdf, csv
Runfile: runs a file; receives a process name and a file type from the server
Nayyar_Sonmez: downloads a file with a ".txt" extension from a given URL, renames it to ".exe" and runs it
Koothrappali: logs details about the system and sends them to the server
Bialik_Gokhan: reboots the system
Hofstadter: terminates a process by name
Parsons_Sheldon: deletes the payload from the startup folder and deletes the file itself
Reshad_Strik: sends a list of the partitions found on the infected machine
Pinar8: no such module in the analyzed sample
Mehmet7: no such module in the analyzed sample
Bahar6: no such module in the analyzed sample

Group now targets members of the Palestinian government

Check Point says that this year the group appears to be targeting members of the Palestinian National Authority, the interim self-government body of the Palestinian territories.

The spear-phishing emails are themed as monthly press reports purporting to come from the Palestinian Political and National Guidance Commission and are sent to individuals connected with the Palestinian National Authority.

"Unlike in 2017, this time the malicious attachment is an executable which is actually a self-extracting archive, containing a decoy document and the malware itself," researchers said.

The self-extracting archive carries a Word-like icon so that the victim mistakes the executable for a document, runs it, and infects the machine; the decoy document is shown while the malware installs in the background.
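A file that presents itself as a document but is really a self-extracting archive leaves two marks an analyst can check for before anyone double-clicks it: the bytes begin with a Windows PE header, and an archive signature (RAR or ZIP) sits inside the executable after the stub. The following triage script is an added example written for this article; it is not code from Check Point's report or from the malware. The double-extension check ("Report.docx.exe") is an extra heuristic that the article itself does not describe, and every sample byte string below is constructed for the demo rather than taken from a real sample.

```python
"""Attachment triage for the "executable that is really a self-extracting archive" trick.

Added example for this article (not Check Point's or the malware's code).  Two heuristics:
  1. the attachment is a PE image although its name imitates a document;
  2. an archive signature follows the PE header, which is how SFX droppers look on disk.
All sample bytes are constructed here, not real samples.
"""
import os
import struct
from typing import Optional

# Document extensions that a decoy name tends to imitate (same kinds of files the malware hunts for).
DOC_EXTENSIONS = {".doc", ".docx", ".odt", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}

# Magic bytes of the archive formats that common SFX stubs wrap.
ARCHIVE_SIGNATURES = {
    "rar5": b"Rar!\x1a\x07\x01\x00",
    "rar4": b"Rar!\x1a\x07\x00",
    "zip": b"PK\x03\x04",
}


def is_pe(data: bytes) -> bool:
    """True if the buffer is a PE image: an MZ stub whose e_lfanew points at the "PE\\0\\0" signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def embedded_archive(data: bytes) -> Optional[str]:
    """Name the first archive signature found after the PE signature, or None.

    A ZIP signature can also appear legitimately inside resources, so treat a hit as a triage
    indicator, not as proof of an SFX.
    """
    if not is_pe(data):
        return None
    start = struct.unpack_from("<I", data, 0x3C)[0] + 4
    best = None
    for name, sig in ARCHIVE_SIGNATURES.items():
        pos = data.find(sig, start)
        if pos != -1 and (best is None or pos < best[0]):
            best = (pos, name)
    return best[1] if best else None


def has_document_double_extension(filename: str) -> bool:
    """True for names such as "Report.docx.exe": a document extension hidden before the real one."""
    stem, last = os.path.splitext(filename.lower())
    inner = os.path.splitext(stem)[1]
    return last != inner and inner in DOC_EXTENSIONS


def triage(filename: str, data: bytes) -> dict:
    """Combine the checks into a verdict an analyst or mail gateway can act on."""
    result = {
        "is_pe": is_pe(data),
        "double_extension": has_document_double_extension(filename),
        "embedded_archive": embedded_archive(data),
    }
    if result["is_pe"] and result["embedded_archive"]:
        result["verdict"] = "suspicious: executable wrapping an archive (likely SFX dropper)"
    elif result["is_pe"]:
        result["verdict"] = "suspicious: executable attachment"
    else:
        result["verdict"] = "not an executable"
    return result


def build_fake_pe(tail: bytes) -> bytes:
    """Constructed stand-in for an SFX: a minimal MZ/PE header followed by `tail`."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 60 + tail


# Constructed samples: a fake RAR-based SFX that names a decoy document, and a plain PDF.
SAMPLE_SFX = build_fake_pe(ARCHIVE_SIGNATURES["rar4"] + b"Monthly Report.docx\x00payload.exe\x00")
SAMPLE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"

if __name__ == "__main__":
    for name, blob in [("Monthly Report.docx.exe", SAMPLE_SFX), ("Monthly Report.pdf", SAMPLE_PDF)]:
        print(name, "->", triage(name, blob))
```

The PE check follows the e_lfanew pointer rather than trusting the "MZ" prefix alone, since plenty of non-executable blobs start with those two bytes. A real gateway would add icon-resource inspection and a full archive parse, but even this much catches the case the article describes: an "attachment" whose bytes are a program carrying an archive.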

Group behind attacks linked to Hamas

Check Point attributes these attacks to the advanced persistent threat (APT) group known as the Gaza Cybergang, also tracked as Gaza Hackers Team or Molerats. In 2016, cyber-security firm ClearSky linked this APT to Hamas, the Palestinian Sunni-Islamist organization that several countries designate a terrorist group and that is at odds, to varying degrees, with both Israel and the Palestinian Authority.

The Gaza Cybergang appears to have been busy this spring: just last week, Israel accused Hamas of trying to lure soldiers into installing malware-laced applications on their phones.
