
New WIRTE Threat Group Targeting Scholars in the Middle East

A hacking group that appears to be part of the Gaza Cybergang has been observed carrying out attacks with malicious Excel 4.0 macros. The group, named WIRTE, has been targeting high-profile public and private entities in the Middle East since 2019.

What has happened?

Kaspersky examined the toolset and methods used in the campaign and assesses, with low confidence, that the group has pro-Palestinian motives.
The group uses phishing emails laden with Excel documents that download and install malware payloads.
  • The malicious documents in phishing emails have logos and themes that impersonate brands, authorities, or the targeted organization.
  • The Excel dropper runs a series of formulas in a hidden column. These hide the ‘enable editing’ request shown by the original file and then unhide a secondary spreadsheet containing the decoy, so the victim sees nothing that would raise a red flag.
  • The dropper then runs further formulas that perform three anti-sandbox checks. If all three pass, a VBS script writes a PowerShell snippet to disk, along with two registry keys for persistence.
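The dropper chain above (Excel macro, then a VBS script, then PowerShell, plus registry writes for persistence) is visible in ordinary endpoint telemetry. The following is an added example for this write-up, not code from Kaspersky or Cyware: it walks a constructed set of Sysmon-style process and registry events, flags a PowerShell process whose ancestry runs through a script host back to Excel, and flags autorun-key writes made by a script host. The event fields, the host names and the Run/RunOnce key paths are assumptions; the article does not name the two registry keys WIRTE used.

```python
"""Flag an Office -> script host -> PowerShell chain and script-host autorun writes.

Added example, not the researchers' code. Event shape (Sysmon-like dicts),
field names and the autorun key fragments are assumptions.
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_APPS = {"excel.exe"}            # assumed; extend with other Office binaries as needed
PERSISTENCE_KEY_FRAGMENTS = (          # assumed: common autorun locations, not the keys from the report
    r"\currentversion\run",
    r"\currentversion\runonce",
)

# Constructed sample telemetry: ws01 is a benign host, ws02 shows the dropper chain.
EVENTS = [
    {"host": "ws01", "type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"host": "ws01", "type": "process", "pid": 200, "ppid": 100, "image": "EXCEL.EXE"},
    {"host": "ws02", "type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"host": "ws02", "type": "process", "pid": 300, "ppid": 100, "image": "EXCEL.EXE"},
    {"host": "ws02", "type": "process", "pid": 310, "ppid": 300, "image": "wscript.exe"},
    {"host": "ws02", "type": "process", "pid": 320, "ppid": 310, "image": "powershell.exe"},
    {"host": "ws02", "type": "registry", "pid": 310, "image": "wscript.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "ws02", "type": "registry", "pid": 310, "image": "wscript.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater"},
]


def build_process_tree(events):
    """Index process-creation events by (host, pid) so parents can be looked up."""
    return {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}


def ancestors(tree, host, pid):
    """Yield lower-cased image names from the given pid up to the root of the tree."""
    seen = set()
    key = (host, pid)
    while key in tree and key not in seen:
        seen.add(key)
        ev = tree[key]
        yield ev["image"].lower()
        key = (host, ev["ppid"])


def detect(events):
    """Return (host, rule, detail) tuples for the two behaviours described in the article."""
    tree = build_process_tree(events)
    alerts = []
    for e in events:
        if e["type"] == "process" and e["image"].lower() == "powershell.exe":
            chain = list(ancestors(tree, e["host"], e["pid"]))  # chain[0] is powershell itself
            host_idx = next((i for i, img in enumerate(chain) if img in SCRIPT_HOSTS), None)
            # Require an Office application above the script host, not merely somewhere in the tree.
            if host_idx is not None and any(img in OFFICE_APPS for img in chain[host_idx + 1:]):
                alerts.append((e["host"], "office->script-host->powershell", " <- ".join(chain)))
        elif e["type"] == "registry" and e["image"].lower() in SCRIPT_HOSTS:
            key = e["key"].lower()
            if any(frag in key for frag in PERSISTENCE_KEY_FRAGMENTS):
                alerts.append((e["host"], "script-host-autorun-write", e["key"]))
    return alerts


if __name__ == "__main__":
    for host, rule, detail in detect(EVENTS):
        print(f"{host}: {rule}: {detail}")
```

Either rule on its own produces false positives in environments with legitimate VBS automation; the value is in correlating the two on the same host within a short window, which the tuple output makes easy to do in a SIEM.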

Who are the targets?

  • The group is targeting a wide variety of industries such as financial services, legal services, government, diplomatic, military, and technology.
  • The group has targeted multiple regions, including Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey.

Use of hidden command and control

The attackers have placed their C2 domains behind Cloudflare to mask the real IP addresses of the servers. Researchers nonetheless identified some of the servers, which are hosted in Ukraine and Estonia.
  • Most of these domains were registered in December 2019, indicating that the group has been able to evade detection for long periods.
  • Recent intrusions used HTTPS over TCP/443 for C2 communication, although ports 2096 and 2087 were also observed.
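Because the C2 domains sit behind Cloudflare, blocking by server IP is of little use; port choice and connection rhythm are more durable signals. The following is an added example for this write-up, not code from Kaspersky's report: it runs over constructed flow records, flags any connection to TCP 2096 or 2087 outright (the non-standard ports reported alongside 443), and flags TCP/443 sessions in which one internal host contacts the same external endpoint at near-constant intervals, the polling pattern an implant talking to its C2 tends to produce. The flow tuple format, the minimum sample count and the jitter threshold are assumptions, not values from the article.

```python
"""Flag unusual C2 ports and regular beaconing in flow records.

Added example, not from the Kaspersky research. Flow format and
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

UNUSUAL_C2_PORTS = {2087, 2096}   # reported alongside 443 in WIRTE C2 traffic
MIN_CONNECTIONS = 5               # assumed: samples needed before judging periodicity
MAX_JITTER_RATIO = 0.15           # assumed: stdev/mean of gaps at or below this counts as regular

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port)
FLOWS = [
    # a 60-second beacon over 443 from one workstation to one external host
    *[(1000 + 60 * i, "10.0.0.5", "203.0.113.10", 443) for i in range(8)],
    # ordinary browsing: irregular timing, varied destinations
    (1010, "10.0.0.6", "198.51.100.20", 443),
    (1037, "10.0.0.6", "198.51.100.21", 443),
    (1250, "10.0.0.6", "198.51.100.20", 443),
    (1260, "10.0.0.6", "198.51.100.22", 443),
    # a single connection to one of the unusual ports
    (1300, "10.0.0.7", "203.0.113.11", 2096),
]


def flag_unusual_ports(flows):
    """Return sorted (src, dst, port) triples that used a port from UNUSUAL_C2_PORTS."""
    return sorted({(src, dst, port) for _, src, dst, port in flows if port in UNUSUAL_C2_PORTS})


def flag_beacons(flows, port=443):
    """Return (src, dst, port, mean_gap_s) for pairs whose connection gaps are nearly constant."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_pair[(src, dst, dport)].append(ts)
    hits = []
    for key, stamps in by_pair.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Population stdev relative to the mean gap: 0 means perfectly regular.
        if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER_RATIO:
            hits.append((*key, round(avg, 1)))
    return hits


if __name__ == "__main__":
    print("unusual ports:", flag_unusual_ports(FLOWS))
    print("beacons:", flag_beacons(FLOWS))
```

Real implants often add random sleep jitter, so the ratio threshold should be tuned against a baseline of the network's own traffic rather than taken from this example; the port rule, by contrast, is cheap and rarely triggers on ordinary user browsing.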

Conclusion

Researchers are warning that even though the TTPs used by the WIRTE group are simple, they are still very effective. The group is now expanding its targeting scope to financial institutions and large private organizations. Therefore, organizations in targeted regions should stay vigilant against such attacks.
Cyware Publisher
