
WIRTE Hacker Group Constantly Targeting Middle East Countries


Cyberattacks in the Middle East have typically been carried out by cybercriminals targeting key government-linked sectors such as oil and gas and other critical industries. Since 2019, however, a covert malware campaign has been targeting the region, using malicious Microsoft Excel and Word documents to compromise governments and their key organs, including military groups, diplomatic agencies, law firms, and financial institutions, mainly in the Middle East.

Russian cybersecurity company Kaspersky has investigated and confirmed that the state-sponsored hacking group 'WIRTE' is behind the attacks. Earlier Kaspersky research disclosed the group's targeting method: "MS Excel droppers that use hidden spreadsheets and VBA macros to drop their first stage implant", a Visual Basic Script (VBS) that collects system information and executes malicious code sent by the attackers to the compromised system.
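The dropper pattern described above (a macro-enabled workbook with a sheet the user is not meant to see) can be triaged without opening the file in Excel. The following is an added example, not Kaspersky's or WIRTE's code: it inspects the OOXML container for a VBA project and for hidden or veryHidden sheets, and builds its own constructed sample workbook in memory so it runs offline.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# SpreadsheetML namespace used by xl/workbook.xml in .xlsx/.xlsm files
NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def build_sample(hidden_sheet: bool, with_macro: bool) -> bytes:
    """Assemble a minimal OOXML workbook in memory (constructed test data, not a real sample)."""
    state = ' state="veryHidden"' if hidden_sheet else ""
    workbook = (
        f'<workbook xmlns="{NS}"><sheets>'
        '<sheet name="Invoice" sheetId="1"/>'
        f'<sheet name="Sheet2" sheetId="2"{state}/>'
        "</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", workbook)
        if with_macro:
            # A real vbaProject.bin is an OLE compound file; only its magic bytes are needed here
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
    return buf.getvalue()


def triage_workbook(data: bytes) -> dict:
    """Report hidden/veryHidden sheets and whether a VBA project is embedded."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        has_vba = "xl/vbaProject.bin" in names
        hidden = []
        if "xl/workbook.xml" in names:
            root = ET.fromstring(z.read("xl/workbook.xml"))
            for sheet in root.iter(f"{{{NS}}}sheet"):
                # "veryHidden" sheets cannot be unhidden from the Excel UI at all
                if sheet.get("state") in ("hidden", "veryHidden"):
                    hidden.append(sheet.get("name"))
    return {
        "vba": has_vba,
        "hidden_sheets": hidden,
        # The dropper pattern: macro code plus a sheet the recipient is not meant to see
        "suspicious": has_vba and bool(hidden),
    }
```

Hidden sheets and macros are each legitimate on their own; the combination is what warrants a closer look.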

After analyzing the campaign, as well as the adversary's toolset and methodology, Kaspersky researchers consider it likely that WIRTE is linked to another state-sponsored group known as the Gaza Cybergang. Armenia, Cyprus, Egypt, Jordan, Palestine, Syria, Lebanon, and Turkey are among the affected countries.

"WIRTE operators use simple and rather common TTPs that have allowed them to remain undetected for a long period of time. This suspected subgroup of the Gaza Cyber gang used simple yet effective methods to compromise its victims with better OpSec than its suspected counterparts," Kaspersky researcher Maher Yamout said.

"WIRTE modified their toolset and how they operate to remain stealthy for a longer period of time. Living-off-the-land (LotL) techniques are an interesting new addition to their TTPs. Using interpreted language malware such as VBS and PowerShell scripts, unlike the other Gaza Cyber gang subgroups, adds flexibility to update their toolset and avoid static detection controls," Yamout added.

Lyceum Threat Group Targeting Telecom Companies, ISPs Across Middle Eastern Countries


Cybersecurity researchers have uncovered a new cyberespionage campaign by Iranian hackers targeting the networks of telecoms companies and internet service providers (ISPs).

Tracked as Lyceum (also known as Siamese Kitten or Hexane), the Iranian APT group has mainly targeted organizations in the oil, gas, and telecom industries across Africa and the Middle East. More recently, the group has widened its focus to include the technology sector.

Earlier this week, Accenture Cyber Threat Intelligence and Prevailing Adversarial Counterintelligence published a report detailing the threat group's recent campaigns. Between July and October this year, Lyceum was identified in attacks against ISPs and telecoms organizations across Israel, Morocco, Tunisia, and Saudi Arabia using two new malware variants, dubbed Shark and Milan.

The Shark backdoor is a 32-bit executable written in C# and .NET that generates a configuration file for DNS tunneling or HTTP C2 communications, whereas Milan is a 32-bit remote access trojan (RAT) that can retrieve data from the compromised system and exfiltrate it to hosts derived from domain generation algorithms (DGAs).

Both backdoors communicate with the group's command-and-control (C2) servers. The APT maintains a C2 network of more than 20 domains that its backdoors connect to, including six that had not previously been associated with the threat actors. ClearSky and Kaspersky had previously disclosed the malware families. Researchers also discovered a new backdoor similar to newer versions of Milan, whose beacons pointed to potential attacks against a Tunisian telecom firm and a government agency in Africa.
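The two C2 behaviours mentioned for Shark and Milan, DNS tunneling and DGA-derived hosts, both leave a characteristic footprint in DNS query logs. As an added example, not part of the Accenture report or the Lyceum malware, the following heuristic scores constructed query-log lines for many distinct high-entropy subdomains under one domain (encoded data in the query name) and for registered domains whose label itself looks machine-generated; the log format, domains and thresholds are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log, "<time> <client> <qname>"; every domain here is invented.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 www.example.com
12:00:02 10.0.0.5 mail.example.com
12:00:03 10.0.0.9 a3f9c1e7b2d4.cdn-sync.net
12:00:04 10.0.0.9 7e1bd08c4a59.cdn-sync.net
12:00:05 10.0.0.9 c0ffee91ab23.cdn-sync.net
12:00:06 10.0.0.9 9b4d2e6f1a7c.cdn-sync.net
12:00:07 10.0.0.9 5d8a3c7e2f1b.cdn-sync.net
12:00:08 10.0.0.7 kq7xz2vbn4.biz
"""


def entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registered_domain(qname: str) -> str:
    """Naive 'last two labels' approximation; a real tool would consult the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def score_queries(log: str, min_unique: int = 5, min_entropy: float = 3.0, min_len: int = 10) -> dict:
    """Group queries by registered domain and flag tunneling-like and DGA-like patterns."""
    subs = defaultdict(set)
    for line in log.splitlines():
        _, _, qname = line.split()
        subs[registered_domain(qname)].add(qname)
    findings = {}
    for domain, names in subs.items():
        reasons = []
        # Leftmost label of each distinct subdomain, where tunneled data usually lives
        labels = [n[: -len(domain) - 1].split(".")[0] for n in names if n != domain]
        if labels and len(labels) >= min_unique and sum(map(entropy, labels)) / len(labels) >= min_entropy:
            reasons.append("tunneling")
        # The registered domain itself is long and high-entropy, as DGA output tends to be
        sld = domain.split(".")[0]
        if len(sld) >= min_len and entropy(sld) >= min_entropy:
            reasons.append("dga-like")
        if reasons:
            findings[domain] = reasons
    return findings
```

Thresholds like these trade false positives against coverage; CDNs and some security products legitimately generate high-entropy subdomains, so findings are a starting point for investigation, not a verdict.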

"It is unknown if the Milan backdoor beacons are coming from a customer of the Moroccan telecommunication operator or from internal systems within the operator. However, since Lyceum has historically targeted telecommunication providers and the Kaspersky team identified recent targeting of telecommunication operators in Tunisia, it would follow that Lyceum is targeting other north Africa telecommunication companies," the researchers stated.

At the time of the report's publication, the cybersecurity teams stated that multiple identified exploits remained active. The group typically uses credential stuffing and brute-force attacks as its initial access vector. Individual companies of interest are targeted first and then used as a springboard for spear-phishing attacks against high-profile executives within an organization.

Latest Campaign by Molerats Hackers Target Middle Eastern Governments


After a two-month break, a Middle Eastern advanced persistent threat (APT) group has resurfaced and is targeting government institutions in the Middle East, along with global government bodies involved in geopolitics, as part of its latest malicious activity.

Proofpoint, a company headquartered in Sunnyvale, attributed the activity to a politically motivated threat actor tracked as TA402, also known as Molerats or GazaHackerTeam.

TA402 is believed to operate in support of objectives aligned with Palestinian state or military goals. The threat actor has been active for a decade, with a history of compromising organizations mainly in Israel and Palestine across verticals such as technology, telecoms, finance, academia, the military, the media, and government.

The reason for the two-month pause in operations is not clear, but Proofpoint researchers suggested it may be related to the holy month of Ramadan or to recent events in the region and the violence that followed in May.

The current wave of attacks begins with Arabic-language spear-phishing emails carrying PDF files that embed a geofenced malicious URL; the URL routes victims to the password-protected archive only if their source IP address is in one of the targeted Middle Eastern countries.

Recipients outside the target group are redirected to benign websites such as Al Akhbar (www.al-akhbar.com) and Al Jazeera (www.aljazeera.net), both Arabic-language news sites.

The final stage of the infection chain extracts the archive to drop a custom implant named LastConn, a new version or upgrade of a backdoor called SharpStage, which Cybereason researchers disclosed in December 2020 as part of a Molerats espionage campaign targeting the Middle East.

LastConn is executed alongside a decoy document. The malware relies largely on the Dropbox API to download and execute cloud-hosted files, run arbitrary commands, and capture screenshots, with the results uploaded back to Dropbox.

TA402's continually expanding toolkit shows that the group keeps developing and adapting custom malware implants to slip past defenses and evade detection.

"TA402 is a highly effective and capable threat actor that remains a serious threat, especially to entities operating in and working with government or other geopolitical entities in the Middle East," the researchers concluded. "It is likely TA402 continues its targeting largely focused on the Middle East region."