Palestinian territories are being targeted by Gazan hackers in a two-pronged espionage campaign, security researchers at Cybereason have found. The findings confirm the presence of a new and mysterious backdoor that can be used to spy on targets related to the Palestinian government.
The Cybereason Nocturnus team, which has over the last few months been tracking recent espionage campaigns targeting the Middle East, unearthed two campaigns specifically directed at entities and individuals in the Palestinian territories.
Attribution cannot be certain, but the Cybereason researchers’ investigation shows multiple similarities to previous attacks attributed to a group called MoleRATs (aka The Gaza Cybergang), Arabic-speaking, politically motivated adversaries that have been operating in the Middle East since 2012. Of course, it could be that another adversary is masking its identity by posing as the Gazan group.
Cybereason’s analysis focuses on two separate campaigns that researchers say are happening simultaneously. According to the researchers, the two campaigns differ in terms of tools, server infrastructure, and nuances in decoy content and intended targets.
The Spark campaign: Stealthy and targeted
The first, which they call the Spark campaign, uses social engineering to infect its victims with the Spark backdoor. In this case, the backdoor itself is not new: it first emerged in January 2019 and has been active ever since.
The social engineering tactics used to entice victims focus on recent geopolitical events, especially the Israeli-Palestinian conflict, the assassination of Qasem Soleimani, and the ongoing conflict between Hamas and Fatah Palestinian movements.
The perpetrators of the Spark campaign are stealthy and good at staying under the radar. The Cybereason researchers explain: “They pack the malware with a powerful commercial tool called Enigma Packer and implement language checks to ensure the victims are Arabic speaking. This minimizes the risk of detection and infection of unwanted victims.”
Because the campaign targets Palestinians, specifically those related to the government, Cybereason suspects the threat actor wants to obtain sensitive information from the victims and leverage it for political purposes.
The Pierogi campaign: A new RAT
The second campaign is dubbed the Pierogi campaign by researchers. Again, it takes advantage of social engineering to perform its attacks, but the intended results are different: the attacks aim to infect victims with a so far undocumented remote access trojan (RAT) called Pierogi, a new backdoor that Cybereason first discovered in December 2019.
In this campaign, say the researchers, the attackers use different tactics, techniques and procedures (TTPs) and decoy documents reminiscent of previous campaigns by MoleRATs involving the Micropsia and Kaperagent malware.
Probably first developed by Ukrainian-speaking hackers and bought on underground forums on the darknet, the Pierogi backdoor allows attackers to spy on their victims and is likely used for politically driven espionage. “The campaign seems to target Palestinian individuals and entities, likely related to the Palestinian government,” Cybereason researchers say.
The backdoor can collect information about the infected machine; upload files to the attackers’ server; download additional payloads; take screenshots from the infected machine; and execute arbitrary commands via the CMD shell.
The backdoor is also pretty sneaky. It implements a few checks to ensure it is running in a safe environment, looking for antivirus and other security products.
Espionage has been going on for years, and this campaign is no different in that respect. “This is how the game of espionage is played by nation states – or contractors for nation states – trying to breach operational security,” says Ian Thornton-Trump, CISO at Cyjax. And, he says, the stakes could be “very high.”
Thornton-Trump says many nations use campaigns like this to direct kinetic strikes on ring leaders. But there is another dimension to this, he says. “Infiltration of the communication networks causes disruption of planning and introduces a sense of mistrust among actors and leaders.
“These, in most cases, highly-classified operations yield high-value targets’ location and activities. And from a counter terrorism perspective, this information and communication disruption is vital.”