The Cyber-Espionage group returns with new attacks after one year




A cyber-espionage group that targeted Palestinian law enforcement last year is now back in action against Palestinian government officials.

These new attacks started in March 2018, according to evidence published by the Israeli cyber-security company Check Point. They appear to follow the same modus operandi as a group described last year in two reports by Cisco Talos and Palo Alto Networks.

APT with a Hollywood obsession returns

Those reports detailed a spear-phishing campaign aimed at Palestinian law enforcement. The malicious e-mails attempted to infect victims with the Micropsia infostealer, a Delphi-based malware family that contained numerous strings referring to characters from the TV shows The Big Bang Theory and Game of Thrones.

Now the same group appears to be back, and the only thing it has changed is the malware, which is now written in C++. The TV-show references are still there, this time to The Big Bang Theory but also to a Turkish series called "Resurrection: Ertugrul."

Like Micropsia, this new malware is also a powerful backdoor that can be expanded with second-stage modules at any time.

According to Check Point, the group uses this new and improved backdoor to infect a victim, fingerprint the workstation, collect the names of .doc, .odt, .xls, .ppt and .pdf documents, and send that list to the attacker's server.

The researchers believe the cyber-espionage group analyzes this list in search of sensitive files it could steal. When the attacker decides a host is "valuable," additional modules are downloaded to perform further tasks.

Researchers believe that this new malware supports 13 modules, judging by the structure of its configuration file. The research team says it was able to recover only five modules and has not yet determined the purpose of the others. Here is what researchers currently know about this new malware:

Module name and purpose:
Penny: Takes a screenshot of the infected machine and sends it to the server
Wolowitz_Helberg: Enumerates running processes, saves their names and IDs in "sat.txt" and sends the file to the server
Celal_Al: Sends a list of documents with certain extensions. The extensions are: doc, docx, odt, xls, xlsx, ppt, pptx, accdb, accde, mdb, pdf, csv
Runfile: Executes a file; receives a process name and a file type from the server
Nayyar_Sonmez: Downloads a file with a ".txt" extension from a given URL, changes the extension to ".exe" and executes it
Koothrappali: Records details about the system and sends them to the server
Bialik_Gokhan: Restarts the system
Hofstadter: Terminates a process by its name
Parsons_Sheldon: Removes the payload from the startup folder and deletes the actual file
Reshad_Strik: Sends a list of the partitions found on the infected machine
Pinar8: No module in our sample
Mehmet7: No module in our sample
Bahar6: No module in our sample
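From a detection standpoint, two of the behaviours in the module table leave simple host-level traces: Nayyar_Sonmez renames a downloaded ".txt" file to ".exe" and runs it, and Wolowitz_Helberg writes its process list to "sat.txt". The following Python script is an added example, not part of the original article or of Check Point's research; it runs those two rules over constructed endpoint telemetry, and the hostnames, paths and log format are all assumptions.

```python
from datetime import datetime

# Constructed sample endpoint telemetry (not taken from the report):
# one event per line, "timestamp|host|event|details".
SAMPLE_EVENTS = """\
2018-03-14T09:00:01|PA-WS-07|FileCreate|C:\\Temp\\update.txt
2018-03-14T09:00:02|PA-WS-07|FileRename|C:\\Temp\\update.txt -> C:\\Temp\\update.exe
2018-03-14T09:00:03|PA-WS-07|ProcessStart|C:\\Temp\\update.exe
2018-03-14T09:05:00|PA-WS-07|FileCreate|C:\\Temp\\sat.txt
2018-03-14T10:00:00|PA-WS-11|FileRename|C:\\Docs\\notes.txt -> C:\\Docs\\notes.bak
2018-03-14T11:00:00|PA-WS-11|FileRename|C:\\Temp\\old.txt -> C:\\Temp\\old.exe
"""


def parse_events(text):
    """Parse the pipe-delimited telemetry into (timestamp, host, event, details) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, host, event, details = line.split("|", 3)
        rows.append((datetime.fromisoformat(ts), host, event, details))
    return rows


def detect(text, window_seconds=60):
    """Return alerts as (host, rule, path). Two rules taken from the module table:
    1. a .txt file renamed to .exe and then started within the window (Nayyar_Sonmez);
    2. a file named sat.txt being created (Wolowitz_Helberg's staged process list).
    A rename that is never followed by execution (PA-WS-11 above) is not alerted on."""
    alerts = []
    pending = {}  # (host, new_path_lowercase) -> rename time, awaiting a ProcessStart
    for ts, host, event, details in parse_events(text):
        if event == "FileRename" and " -> " in details:
            old, new = details.split(" -> ", 1)
            if old.lower().endswith(".txt") and new.lower().endswith(".exe"):
                pending[(host, new.lower())] = ts
        elif event == "ProcessStart":
            renamed_at = pending.pop((host, details.lower()), None)
            if renamed_at is not None and (ts - renamed_at).total_seconds() <= window_seconds:
                alerts.append((host, "txt-renamed-to-exe-then-executed", details))
        elif event == "FileCreate" and details.lower().rsplit("\\", 1)[-1] == "sat.txt":
            alerts.append((host, "sat.txt-process-list-staged", details))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```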

The group now targets members of the Palestinian government

Check Point says that this year the group seems to target members of the Palestinian National Authority, which is the interim body of Palestinian self-government.

The phishing e-mails are themed as the monthly press reports that the Palestinian Political and National Orientation Commission sends to individuals. "Unlike 2017, this time the malicious attachment is an executable that is actually a self-extracting archive, containing a decoy document and the malware itself," the researchers said.

The self-extracting archive uses a Word-like icon to trick users into running the file and infecting themselves with the malware.

The group behind Hamas-linked attacks

Check Point believes that the advanced persistent threat (APT) group behind these attacks is the Gaza Cybergang. This group is also known as the Gaza Hackers Team or Molerats, and in 2016 the cyber-security company ClearSky linked it to Hamas, the Palestinian Sunni fundamentalist organization, designated a terrorist organization, that is at odds with both Israel and the local government.

The Gaza Cybergang seems to have been very busy this spring: last week Israel accused Hamas of trying to lure soldiers into installing malware-infected applications on their phones.
