Pro-Palestinian TA402 APT Using IronWind Malware in New Attack

As per cybersecurity researchers at Proofpoint, the APT group TA402 operates in support of Palestinian espionage objectives, with a primary focus on intelligence collection.

byDeeba Ahmed

November 14, 2023

3 minute read

The recently discovered IronWind malware is distributed via email attachments, cleverly disguised as official correspondence related to the “Economic Cooperation Program with the Countries of the Gulf Cooperation Council 2023-2024.”

Proofpoint cybersecurity researchers have discovered a new phishing campaign against Israeli entities, launched by a Middle Eastern APT group, TA402. Proofpoint has been monitoring TA402’s activities since 2020.

The group is also known as Gaza Cybergang, Molerats, WIRTE, and Frankenstein. Researchers agree that TA402 is a pro-Palestinian threat actor targeting Israel for intelligence gathering. The group had previously been identified using Facebook, Google Drive, and Dropbox to propagate malware

“TA402 operates in support of Palestinian espionage objectives with a focus on intelligence collection.” This aligns with earlier reports published by Proofpoint on this specific threat actor.”

The company’s latest report, authored by Joshua Miller and the Proofpoint Threat Research Team, revealed that the attackers used a novel initial access downloader dubbed IronWind in this campaign.

IronWind malware is written in the Go programming language. After getting deployed, it allows attackers to load additional malware, such as remote access trojans or keyloggers, to steal sensitive data.

Proofpoint researchers found that the attackers are targeting individuals and organizations linked to the Israeli government or military institutions. The campaign started in July 2023 and continued until October 2023. TA402 has consistently engaged in targeted activities and strongly focused on Middle Eastern and North African entities.

Using the labyrinthine infection chain IronWinds indicates that the threat actors have become more sophisticated in their choice of attack mechanisms and are focusing on evading security measures.

The group used a compromised Ministry of Foreign Affairs email account to target Middle Eastern government officials in this phishing campaign. The email message had an economic-themed social engineering lure that read:

“برنامج التعاون الإقتصادي مع دول مجلس التعاون الخليجي 2023-2024″ (Translation: Economic cooperation program with the countries of the Gulf Cooperation Council 2023-2024,”) the blog post revealed.

What’s interesting is that TA402 used three different delivery methods between July and October. This includes Dropbox links and XLL and RAR file attachments. Each variation leads to the downloading of a DLL containing the multifunctional malware. The email delivered a Dropbox link in July, from where a malicious Microsoft PowerPoint Add-in (PPAM) file was downloaded.

This file contained a macro, which dropped three files- version.dll (IronWind), timeout.exe (IronWind sideloader), and gatherNetworkInfo.vbs. When IronWind is sideloaded, the downloader sends an HTTP GET request to a known TA402 C2 domain (theconomicsnet) hosted on 191.101.78189.

In August, the attacker included an XLL file in the email, which loaded IronWind. In October, the attacker sent an RAR attachment containing a renamed version of tabcal.exe to sideload the downloader instead of using the PPAM file. The same month, TA402 used the Gaza war conflict for the first time as a lure in emails.

TA402 has avoided using cloud services like Dropbox API, which Proofpoint had noticed in its activities in 2021 and 2022, and used attacker-controlled C2 infrastructure.

Pro-Palestinian APT Using IronWind Malware in New Attack — TA402 APT’s infection chain from November 2021 to January 2022 and infection chain in July 2023 campaign (Credit: Proofpoint)

This is a serious threat, and organizations must take steps to protect themselves. They should implement cybersecurity awareness t r aining for employees, keep their systems up to date, and be on the lookout for suspicious activity. Hackread.com is tracking the activities of TA402 and will post updates as they become available.