A cyber-espionage group that has targeted Palestinian law enforcement last year is now back in action targeting Palestinian government officials.
These recent attacks started in March 2018, according to evidence surfaced by Israel-based cyber-security firm Check Point. The new attacks seem to fit the same modus operandi of a group detailed in two reports from Cisco Talos and Palo Alto Networks last year.
Those reports detailed a spear-phishing campaign aimed at Palestinian law enforcement. The malicious emails tried to infect victims with the Micropsia infostealer, a Delphi-based malware that contained many strings referencing characters from the Big Bang Theory and Game Of Thrones TV shows.
Now, the same group appears to be back, and the only thing they've changed is the malware, which is now coded in C++. The TV shows references are still there, this time with mentions to the Big Bang Theory, but also a Turkish TV series named "Resurrection: Ertugrul."
Just like Micropsia, this new malware is also a powerful backdoor that can be extended with second-stage modules at any time.
According to Check Point, the group uses this new and improved backdoor to infect a victim, gather a fingerprint of his workstation, and then collect the names of .doc, .odt, .xls, .ppt, and .pdf documents and sending this list to the attacker's server.
Experts believe the cyber-espionage group analyzes this list in search of sensitive files it could steal. When the attacker finds a "valuable" host, other modules are downloaded to perform other tasks.
Researchers believe this new malware supports 13 modules, based on the structure of its configuration file. The research team says it was able to recover only five modules, and have yet to determine the purpose of others. Below is what researchers currently know about this new malware.
|Penny||Takes a screenshot of the infected machine and sends it to the server|
|Wolowitz_Helberg||Enumerates running processes, saves their names and their IDs in “sat.txt” and sends the file to the server|
|Celal_Al||Sends a list of documents with certain extensions. The extensions are: doc, docx, odt, xls, xlsx, ppt, pptx, accdb, accde, mdb, pdf, csv|
|Runfile||Runs a file, receives a process name and a file type from the server|
|Nayyar_Sonmez||Downloads a file with a ‘.txt’ extension from a given URL, changes the extension to ‘.exe’ and runs it|
|Koothrappali||Logs details about the system and sends them to the server|
|Bialik_Gokhan||Reboots the system|
|Hofstadter||Terminates a process by name|
|Parsons_Sheldon||Deletes the payload from the startup folder and deletes the actual file|
|Reshad_Strik||Sends a list of the partitions found on the infected machine|
|Pinar8||No such module in our sample|
|Mehmet7||No such module in our sample|
|Bahar6||No such module in our sample|
Check Point says that this year, the group appears to be targeting members of the Palestinian National Authority, which is Palestine's interim self-government body.
The theme of the spear-phishing emails is monthly press reports posing to come from the Palestinian Political and National Guidance Commission, sent to individuals connected with the Palestinian National Authority.
"Unlike in 2017, this time the malicious attachment is an executable which is actually a self-extracting archive, containing a decoy document and the malware itself," researchers said.
The self-extracting archive uses a Word-like icon to trick users into running the file and infecting themselves with malware.
Check Point believes the advanced persistent threat (APT) behind these attacks is a group named the Gaza Cybergang. This group also goes under the names of Gaza Hackers Team or Molerats, and in 2016, cyber-security firm ClearSky linked this APT to Hamas, the Palestinian Sunni-Islamist fundamentalist organization, a terrorist organization that's at odds with both Israel and the local government, to some degree.
The Gaza Cybergang appears to have been very busy this spring because last week Israel accused Hamas of trying to lure soldiers into installing malware-infected applications on their phones.