13 February 2020

Hamas-linked hackers target victims in Palestinian territories

A new cyber-espionage campaign has been uncovered in the Middle East which is directed at entities and individuals in the Palestinian territories. The attacks are believed to be the work of a group known as MoleRATs (The Gaza Cybergang), an Arabic-speaking threat actor that has been operating in the Middle East since 2012.

According to the Boston-based cybersecurity company Cybereason, there are two separate campaigns happening simultaneously. One of them, dubbed “The Spark Campaign”, attempts to infect targets (mainly from the Palestinian territories) with the Spark backdoor using social engineering. The campaign lures victims with content related to recent geopolitical events, namely the Israeli-Palestinian conflict, the assassination of Qasem Soleimani, and the ongoing conflict between the Hamas and Fatah Palestinian movements.

If victims open the emails and the attached malicious files, which come in the form of Microsoft Office documents, PDFs, and archive files, an additional archive file is fetched from Egnyte or Dropbox and dropped on the system. This archive contains an executable, which is the Spark backdoor dropper.
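The delivery chain described above (lure document opened in an Office or PDF reader, a second-stage archive fetched from Egnyte or Dropbox, then an executable launched from the unpacked archive) is the kind of sequence a hunting rule over endpoint telemetry can flag. The following Python script is an added example written for this article, not code from Cybereason or from the report; the pipe-delimited telemetry format, the host names, paths and timestamps are all constructed for the demonstration and do not correspond to any real product schema or real infection.

```python
"""Hunting heuristic for the delivery chain described above: a document-handling
process (Office, Acrobat Reader, Outlook) connects to a file-sharing service,
writes an archive, and then spawns an executable. Telemetry format and sample
lines are constructed for this example (assumption: not a real EDR schema)."""
import re

# Processes that normally open the lure documents.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "outlook.exe"}
# File-sharing services the article names as hosting for the second-stage archive.
FILE_SHARING_DOMAINS = ("egnyte.com", "dropbox.com", "dropboxusercontent.com")
ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z")

# Constructed sample telemetry: "timestamp|host|event|key=value ..." (not a real log format).
# ws-17 shows the full chain; ws-22 is a browser download and should not alert.
SAMPLE_LOGS = r"""
2020-02-13T09:00:01|ws-17|netconn|pid=4120 image=C:\Program Files\Microsoft Office\WINWORD.EXE dest=files.egnyte.com:443
2020-02-13T09:00:04|ws-17|filewrite|pid=4120 image=C:\Program Files\Microsoft Office\WINWORD.EXE path=C:\Users\u\Downloads\report.rar
2020-02-13T09:00:09|ws-17|procstart|pid=5230 ppid=4120 image=C:\Users\u\AppData\Local\Temp\Rar$EXa0.123\invoice.exe
2020-02-13T09:05:00|ws-22|netconn|pid=2210 image=C:\Program Files\Mozilla Firefox\firefox.exe dest=www.dropbox.com:443
2020-02-13T09:05:30|ws-22|procstart|pid=2300 ppid=2210 image=C:\Users\u\Downloads\setup.exe
"""

LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<host>[^|]+)\|(?P<event>[^|]+)\|(?P<fields>.*)$")
# key=value pairs; values may contain spaces (Windows paths), so stop only before the next " key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_line(line):
    """Parse one telemetry line into a flat dict; return None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
    rec.update(FIELD_RE.findall(m["fields"]))
    return rec


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def host_matches(dest, domains):
    """True if dest (host:port) is one of the domains or a subdomain of one."""
    host = dest.rsplit(":", 1)[0].lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def detect_chain(log_text):
    """Return one alert per document handler that reached a file-sharing service and
    later spawned a child executable. An archive write by that process plus a child
    running from a Temp directory raises the severity to 'high'."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    staged = {}  # (host, pid) -> evidence gathered for a suspicious document handler
    for r in records:
        key = (r["host"], r.get("pid"))
        image = basename(r.get("image", ""))
        if (r["event"] == "netconn" and image in DOCUMENT_HANDLERS
                and host_matches(r.get("dest", ""), FILE_SHARING_DOMAINS)):
            staged.setdefault(key, {"ts": r["ts"], "image": r["image"], "dest": r["dest"], "archives": []})
        elif (r["event"] == "filewrite" and key in staged
              and r.get("path", "").lower().endswith(ARCHIVE_EXTENSIONS)):
            staged[key]["archives"].append(r["path"])

    alerts = []
    for r in records:
        key = (r["host"], r.get("ppid"))
        # Only children started after the parent's file-sharing connection count.
        if r["event"] != "procstart" or key not in staged or r["ts"] < staged[key]["ts"]:
            continue
        ev = staged[key]
        child = r["image"]
        from_temp = "\\temp\\" in child.lower()
        severity = "high" if ev["archives"] and from_temp else "medium"
        alerts.append({"host": r["host"], "parent": ev["image"], "dest": ev["dest"],
                       "archives": list(ev["archives"]), "child_image": child, "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in detect_chain(SAMPLE_LOGS):
        print(f"[{a['severity']}] {a['host']}: {basename(a['parent'])} -> {a['dest']} "
              f"-> {a['child_image']} (archives: {a['archives']})")
```

The browser case on ws-22 is included deliberately: a user downloading an installer from Dropbox through Firefox is routine, so the rule keys on document-handling processes rather than on the file-sharing domains alone, which keeps the false-positive rate manageable while still catching the lure-document path the article describes.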

To stay hidden from security solutions, the creators of the Spark backdoor use several techniques. More specifically, they pack the malware with a powerful commercial tool called Enigma Packer and implement language checks to ensure the victims are Arabic speakers, minimizing the risk of detection and of infecting unintended victims.

The second campaign, which the researchers called “The Pierogi Campaign”, also leverages social engineering tricks to infect victims, but in this case the payload is a new, undocumented RAT dubbed Pierogi. First discovered in December 2019, this RAT allows the attackers to spy on victims. The researchers believe that the Pierogi backdoor is not custom-made, but rather was obtained by the MoleRATs group in underground communities. Cybereason also found evidence in the code (Ukrainian-language strings embedded in the backdoor) indicating that the malware may have been developed by Ukrainian-speaking hackers.
