| Category | Details |
|---|---|
| Threat Actors | WIRTE, affiliated with Hamas and likely part of the Gaza Cybergang, a subgroup identified as TA402. |
| Campaign Overview | Conducted espionage and disruptive operations targeting the Middle East and Israel, including two waves of SameCoin wiper attacks in 2024. |
| Target Regions | Middle Eastern countries: Palestinian Authority, Jordan, Iraq, Egypt, Saudi Arabia. Disruptive campaigns focused on Israel. |
| Methodology | Espionage: phishing campaigns, malicious PDFs, DLL sideloading, and IronWind loaders. Disruption: wiper malware and Israeli-centric phishing lures. |
| Product Targeted | Systems in targeted organizations and infrastructure, including Windows and Android platforms. |
| Malware Reference | IronWind loader, SameCoin wiper, and Havoc Demon payloads. |
| Tools Used | Custom loaders, Havoc framework, DLL sideloading, IronWind loader, malicious PDFs, and .NET shellcode. |
| Vulnerabilities Exploited | No specific CVEs are cited; the group abuses legitimate executables for DLL sideloading and uses infection vectors tailored to each espionage or wiper campaign. |
| TTPs | Embedding payloads in HTML tags; phishing through fake domains; use of distinctive User-Agent strings; redirecting non-targeted visitors to legitimate sites. |
| Attribution | Strong affiliation with Hamas, based on targeting interests, propaganda themes, and historical ties to Gaza Cybergang and Molerats. |
| Recommendations | Enhance detection of malicious loaders and phishing domains; monitor for HTML-based payload delivery; harden systems against DLL sideloading. |
| Source | Check Point Research |
Disclaimer: The above summary has been generated by an AI language model.
Source: Check Point Research
Published on: November 12, 2024