Gaza Cybergang defrauded high-profile victims across many countries

• The group actively carried out cyber-attacks in 2018 to dupe the victims who mainly worked in the government, education or media sector.
• It was observed that three different groups operating within Gaza Cybergang were sharing victims in their attacks.

A recent report by Kaspersky Lab has revealed that a threat actor group, known as Gaza Cybergang, swindled top-level victims from the Middle East region. Gaza Cybergang is a politically motivated Arabic-speaking cybercrime group that is known to target the Middle East and North Africa (MENA) region, specifically the Palestinian Territories.

According to the report, the 240+ victims in the attacks were mostly journalists, activists or political figures spread across 39 countries. Palestinian Territories was recorded with the highest number of victims. Other countries included Jordan, Israel, Lebanon, Saudi Arabia, Syria, Egypt, and the UAE.

The big picture

• The report findings showed three different groups -- Group1, Group2, and Group3 within Gaza Cybergang, which apparently shared victims between them.
• Group1 was the main perpetrator behind the high-profile victim attacks. The group extensively relied on phishing to target victims. The infrastructure in the phishing campaign consisted of disposable domains and emails that were used as the medium. Furthermore, the campaign had several chains to evade detection.
• The group used paste sites such as Pastebin and GitHub to drop remote access trojans (RAT) in the victims’ systems. This operation is dubbed as ‘SneakyPastes’.
• Once the victim clicked a link in the phish mail, a RAR file is downloaded into the system. This file contained a stage-1 malware which sets itself for further execution to compromise the system.
• The targeted entities are embassies, government entities, education, media outlets, journalists, activists, political parties or personnel, healthcare, and banking.

Dependence on scripting

Although Group1 is said to be the least sophisticated among the three, it was discovered that it made use of numerous scripts in its activities.

“We have identified several implants that leveraged PowerShell, VBS, JS, and .NET for resilience and persistence. The final stage, however, is a .NET application that takes several commands such as directory listing, screenshot, compress, upload, etc,” said the report. This is an indication that the malware deployed by the group banked on persistence mechanisms for successful attacks.