13 February 2020

Hamas-linked hackers target victims in Palestinian territories

A new cyber-espionage campaign has been uncovered in the Middle East which is directed at entities and individuals in the Palestinian territories. The attacks are believed to be the work of a group known as MoleRATs (The Gaza Cybergang), an Arabic-speaking threat actor that has been operating in the Middle East since 2012.

According to the Boston-based cybersecurity company Cybereason, there are two separate campaigns happening simultaneously. One of them, dubbed “The Spark Campaign”, attempts to infect targets (mainly from the Palestinian territories) with the Spark backdoor using social engineering. The campaign lures victims with content related to recent geopolitical events, namely the Israeli-Palestinian conflict, the assassination of Qasem Soleimani, and the ongoing conflict between the Hamas and Fatah Palestinian movements.

If victims open the emails and attached malicious files that come in the form of Microsoft Office documents, .PDF, and archive files, an additional archive file from Egnyte or Dropbox is dropped on the system. This archive contains an executable which is the Spark backdoor dropper.

To stay hidden from security solutions, the creators of the Spark backdoor use several techniques. More specifically, they pack the malware with a powerful commercial tool called Enigma Packer and implement language checks to ensure the victims are Arabic speaking, minimizing the risk of detection and of infecting unintended victims.

The second campaign, which the researchers called “The Pierogi Campaign”, also leverages social engineering tricks to infect victims, but in this case the payload is a new, undocumented RAT dubbed Pierogi. First discovered in December 2019, this RAT allows the attackers to spy on victims. The researchers believe that the Pierogi backdoor is not custom-made, but rather was obtained by the MoleRATs group in underground communities. Cybereason also found evidence in the code (Ukrainian-language strings embedded in the backdoor) indicating that the malware may have been developed by Ukrainian-speaking hackers.
