Pro-Hamas cybergang develops complex infection tactics with new downloader

A threat actor targeting West Asian governments now uses a labyrinthine infection chain based on delivering a new initial access downloader dubbed IronWind, cybersecurity company Proofpoint has observed.

Advanced persistent threat TA402, which is also known as Gaza Cybergang, Molerats, Frankenstein, or Wirte, has evolved in its tactics targeting Israel and other West Asian and North African government entities.

Now the cybergang, operating in the interest of the Palestinian Territories, has a new initial access downloader, IronWind, which is used to download shellcode to infected systems. The cybercriminals have also adjusted their delivery methods, now using XLL and RAR file attachments in their phishing campaigns instead of Dropbox links.

“This threat actor has consistently engaged in extremely targeted activity, pursuing less than five organizations with any single campaign,” Proofpoint researchers write, tracking the group since 2020.

The infection chain is complex and advancing. Starting in July 2023, the gang used variations of Dropbox links, XLL file attachments, and RAR file attachments to make users download multifunctional malware.

Despite the current conflict in the region, Proofpoint hasn’t observed any changes in TA402 targeting or seen any indications that their goals are changing.

“It remains possible that this threat actor will redirect its resources as events continue to unfold,” they speculate.

Recently, TA402 engaged in a phishing campaign using a compromised Ministry of Foreign Affairs email account to target West Asian government entities.

The emails used economic-themed social engineering lures, such as “Economic cooperation program with the countries of the Gulf Cooperation Council 2023-2024” or “List of persons and entities (designated as terrorists) by the Anti-Money Laundering and Terrorist Financing Authority.”

The emails delivered malicious links or files containing macros that installed three files: version.dll (IronWind), timeout.exe, and gatherNetworkInfo.vbs.

Once sideloaded, IronWinds starts communicating with the control and command server, which provides shellcode for the third stage of infection. Proofpoint’s analysis showed that the shellcode served as a multipurpose loader.

TA402 infection chain. Image by Proofpoint.

“TA402 regularly employs geofencing techniques to make detection of its malicious activity more difficult. This aspect of the threat actor’s tactics, techniques, and procedures has remained consistent since at least 2020. Even with the more elaborate infection chains observed in 2023, TA402 continues to include URLs that will at times redirect to decoy documents hosted on legitimate document hosting platforms if the geofencing is not bypassed,” researchers noted.

Proofpoint researchers assess that TA402 operates in support of Palestinian espionage objectives with a focus on intelligence collection.

They warn that the threat actor remains persistent and innovative, routinely retooling its attack methods and malware in support of its cyber espionage mandate.

“The group could find itself under direction to adjust its targeting or social engineering lures in reaction to the ongoing Israel-Hamas conflict,” they concluded.

Google's Russian subsidiary has been under pressure in Russia for failing to delete content Moscow deems illegal and for restricting access to some Russian media on YouTube.

The technology giant's Russian unit filed for bankruptcy in summer 2022 after authorities seized its bank account, making it impossible to pay staff and vendors.

However, while the Kremlin has banned some platforms, including Twitter and Facebook, it has not blocked access to Google’s services, and its search engine and YouTube platform, both free, have continued operating. Google did not immediately respond to emailed requests for comment.

More from Cybernews:

What Omegle teaches us about online vulnerabilities

Boeing breach: LockBit leaks 50 GB of data

Royal Ransomware has a new name after demanding $275M from 350 victims

Denmark hit with largest cyberattack on record

Google has had enough: will see copyright and Bard scammers in court

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked