Recently, researchers have discovered two espionage campaigns currently active in the Middle East, based on observations over the past few months.
Specifically targeting Palestine, researchers have found methods similar to those of MoleRATs, one of the groups known to be part of the Gaza Cybergang, which has been operating since 2012.
To start with, the first campaign is named “Spark” and uses a backdoor that was first seen operating in January 2019. The backdoor reaches victims through phishing: emails carry malicious documents whose titles centre on controversial topics the recipient would be curious to open.
According to Cybereason, the company that identified the campaign, these topics include the infamous Israeli-Palestinian conflict, the recent killing of General Qasem Soleimani, the Hamas-Fatah conflict and tensions between Hamas and the Egyptian government.
These files are usually downloaded from Dropbox or another service named Egnyte as a ZIP/RAR archive and pose as Microsoft Word files, but in actuality they are executables.
Once the victim, driven by curiosity, clicks on the file, the backdoor is installed through the process illustrated in the image below.
In a blog post, Cybereason wrote that this backdoor then collects information, encrypts it and sends it “to the attackers over the HTTP protocol.” Furthermore, it can also be used to actively spy on the user through the device’s microphone and by recording keystrokes. Additional payloads can also be installed and custom commands executed. To help avoid detection, it:
- Packs the payloads using the Enigma packer, which protects the executable and prevents it from being analyzed by third parties
- Checks that the infected user has Arabic as the keyboard language, to avoid “unwanted victims.”
- Checks for anti-virus software and other defense mechanisms using Windows Management Instrumentation (WMI). If queries run through WMI find that “certain security products are installed”, Spark will not carry out any of its activities.
The second campaign is “Pierogi,” named after an Eastern and Central European dish. It uses the same tactic of luring users through controversial-sounding files sent via email. Some examples are “Reports on major developments__347678363764”, “final_meeting_9659836_299283789235_rar.exe” and “Hamas_32th_Anniversary__32_1412_847403867_rar.exe.”
It differs from Spark in that it is written in Delphi, is considered quite basic and contains certain hints in the code indicating that it was written by Ukrainian hackers. However, it too can perform a range of functions, including installing other payloads, spying and executing commands.
Additionally, the attackers also include certain documents that appear to originate from legitimate authorities but are in fact fake, possibly intended to mislead someone regarding their political opinion.
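Both campaigns rely on the same lure: a file that presents as a document or archive but is really an executable. The following added example (not code from Cybereason or from this article) shows how a mail gateway or triage script could flag such files by comparing the name to the actual content. The lure names are the ones quoted above; the file bytes and the indicator strings are constructed for the example.

```python
import re
import struct

# Lure file names quoted in the report; the file contents are constructed for this example.
DOC_TOKEN = r"(?:doc|docx|pdf|rtf|xls|xlsx|rar|zip)"
DOUBLE_EXT = re.compile(rf"[._-]{DOC_TOKEN}\.(?:exe|scr|com|pif)$", re.IGNORECASE)
DOC_EXT = re.compile(rf"\.{DOC_TOKEN}$", re.IGNORECASE)

def is_pe(data: bytes) -> bool:
    """True when data starts with an MZ stub whose e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def lure_indicators(name: str, data: bytes) -> list:
    """Return the reasons a file looks like a document-themed executable lure (empty if none)."""
    reasons = []
    pe = is_pe(data)
    if DOUBLE_EXT.search(name):
        reasons.append("document/archive token directly before an executable extension")
    if pe and DOC_EXT.search(name):
        reasons.append("PE content behind a document or archive extension")
    if pe and "." not in name:
        reasons.append("PE content with no extension at all")
    return reasons

def triage(files):
    """files: iterable of (name, leading bytes); returns {name: reasons} for flagged entries only."""
    flagged = {}
    for name, data in files:
        if reasons := lure_indicators(name, data):
            flagged[name] = reasons
    return flagged

def fake_pe() -> bytes:
    """Constructed minimal MZ/PE header, just enough for is_pe(); not a real program."""
    buf = bytearray(0x44)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)

SAMPLES = [
    ("final_meeting_9659836_299283789235_rar.exe", fake_pe()),
    ("Hamas_32th_Anniversary__32_1412_847403867_rar.exe", fake_pe()),
    ("Reports on major developments__347678363764", fake_pe()),
    ("agenda.docx", b"PK\x03\x04" + b"\x00" * 60),  # benign OOXML zip header
]
```

Running `triage(SAMPLES)` flags the three lure names and leaves the benign `.docx` alone; in practice the leading bytes would come from the extracted archive members.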
To conclude, for now we do not know the motive of this group, but it is believed that they may be acting to gain information that can be used for political purposes. Furthermore, it is important that MoleRATs not be conclusively named as the group behind this attack. The reason, as Cybereason explains, is that:
“There are many threat actors operating in the Middle East, and often there are overlaps in TTPs, tools, motivation, and victimology. There have been cases in the past where a threat actor attempted to mimic another to thwart attribution efforts, and as such, attribution should rarely be taken as is, but instead with a grain of salt.”
For those of you who may be concerned about being affected by such attacks, the solution is pretty simple and standard advice: do not open files from untrusted sources, especially when they are executables.
Moreover, trust the combined wisdom of the universe and know that a layman would not suddenly get access to some top-secret information; the chances of something like this happening are very (very) rare.