After a two-month break, a Middle Eastern advanced persistent threat (APT) group has resurfaced and is targeting government institutions in the Middle East as well as global government bodies involved in regional geopolitics as part of its latest malicious activity.
Proofpoint, the Sunnyvale-based security company, attributed the activity to a politically motivated threat actor it tracks as TA402, also known as Molerats or GazaHackerTeam.
TA402 is believed to operate in support of objectives aligned with Palestinian military or state interests. The threat actor has been active for a decade, with a history of compromising organizations mainly in Israel and Palestine. Its attacks have covered verticals such as technology, telecommunications, finance, academia, the military, the media, and government.
The reason for the two-month pause in operations is not clear, but Proofpoint researchers suggest it may be connected either to the holy month of Ramadan or to the recent events in the region and the violence that followed in May.
The current wave of attacks begins with Arabic-language spear-phishing emails carrying PDF attachments that embed a geofenced malicious URL. The URL routes victims to a password-protected archive only if the request's source IP address belongs to one of the targeted Middle Eastern countries.
Recipients outside the target group are instead redirected to benign websites such as Al Akhbar (www.al-akhbar.com) and Al Jazeera (www.aljazeera.net), both Arabic-language news sites.
The final stage of the infection chain extracts the archive to drop a custom implant named LastConn, a new or upgraded version of the SharpStage backdoor that Cybereason researchers disclosed in December 2020 as part of a Molerats espionage campaign targeting the Middle East.
LastConn runs alongside a decoy document. The malware relies heavily on the Dropbox API to download and execute cloud-hosted files, run arbitrary commands, and capture screenshots, with the results uploaded back to Dropbox.
TA402's continually expanding toolkit shows that the group keeps developing and adapting tailored malware implants to slip past defenses and evade detection.
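Because LastConn's traffic goes to a legitimate cloud service, the useful detection question is which process on which host is calling the Dropbox API and whether its call sequence looks like a fetch-task / upload-result loop. The following Python is an added example, not Proofpoint's or the malware's code; the log layout, the process allow-list, and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed log layout (constructed for this example, not a real product format):
# <ts> host=<name> proc=<image> dst=<fqdn> path=<url-path>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) path=(?P<path>\S+)$"
)

DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Processes permitted to reach the Dropbox API on a managed host (site-specific assumption)
ALLOWED_PROCS = {"dropbox.exe"}
# Endpoints that make up a download-tasking / upload-results loop
TASKING = {"/2/files/list_folder", "/2/files/download"}
EXFIL = {"/2/files/upload"}

# Constructed sample lines: a legitimate sync client, a browser visit, and an
# unexpected process polling a folder, fetching a file and uploading results.
SAMPLE_LOG = """\
2021-06-03T08:00:01Z host=ws01 proc=dropbox.exe dst=api.dropboxapi.com path=/2/files/list_folder
2021-06-03T08:00:05Z host=ws07 proc=svchost.exe dst=api.dropboxapi.com path=/2/files/list_folder
2021-06-03T08:00:06Z host=ws07 proc=svchost.exe dst=content.dropboxapi.com path=/2/files/download
2021-06-03T08:00:09Z host=ws07 proc=svchost.exe dst=content.dropboxapi.com path=/2/files/upload
2021-06-03T08:01:00Z host=ws03 proc=chrome.exe dst=www.dropbox.com path=/home
2021-06-03T08:02:00Z host=ws09 proc=excel.exe dst=content.dropboxapi.com path=/2/files/download
"""

def parse(text):
    """Yield parsed records, skipping lines that do not match the assumed layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def dropbox_c2_findings(text):
    """Group Dropbox API calls by (host, process) for processes not on the allow-list.
    'loop' means both tasking and upload endpoints were seen from the same process,
    i.e. the full fetch-execute-return pattern; 'partial' means only one side was."""
    seen = defaultdict(set)
    for r in parse(text):
        if r["dst"] in DROPBOX_API_HOSTS and r["proc"].lower() not in ALLOWED_PROCS:
            seen[(r["host"], r["proc"])].add(r["path"])
    findings = {}
    for key, paths in seen.items():
        findings[key] = "loop" if (paths & TASKING and paths & EXFIL) else "partial"
    return findings

if __name__ == "__main__":
    for (host, proc), verdict in sorted(dropbox_c2_findings(SAMPLE_LOG).items()):
        print(f"{host} {proc}: {verdict}")
```

Tuning the allow-list to the hosts where the Dropbox client is actually deployed is what keeps this from firing on routine sync traffic.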
"TA402 is a highly effective and capable threat actor that remains a serious threat, especially to entities operating in and working with government or other geopolitical entities in the Middle East," the researchers concluded. "It is likely TA402 continues its targeting largely focused on the Middle East region."