| Category | Details |
|---|---|
| Threat Actors | Handala Hacking Team, a pro-Palestinian hacktivist group that targets Israeli organizations; active since December 2023. |
| Campaign Overview | Used the Windows BSOD outage caused by the faulty CrowdStrike update of July 19, 2024, as a phishing lure to deliver destructive wiper payloads. |
| Target Regions (Victims) | Israeli organizations, businesses, and entities supporting or operating within Israel. |
| Methodology | Phishing emails that use the crisis event as the social-engineering hook, malicious PDF attachments, NSIS installer droppers, and obfuscated batch scripts. |
| Product Targeted | Windows environments, hit with wiper malware and other destructive payloads. |
| Malware Reference | Handala wiper. The payload bundles AutoIt components and obfuscated scripts intended to evade detection. |
| Tools Used | NSIS installer, AutoIt, Telegram bot (C2 channel), obfuscated batch scripts, Bring Your Own Vulnerable Driver (BYOVD). |
| Vulnerabilities Exploited | None. The campaign opportunistically rode the outage (BSOD) as a lure; no software vulnerability was exploited, only social engineering. |
| TTPs | Phishing: Spearphishing Attachment (T1566.001), Command and Scripting Interpreter (T1059), Obfuscated Files or Information (T1027), Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003), Disk Wipe: Disk Structure Wipe (T1561.002). |
| Attribution | Handala Hacking Team (self-claimed). Linguistic analysis suggests, with moderate confidence, that at least one member is a Hebrew speaker. |
| Recommendations | Deploy Splunk detections for the observed behaviors, validate them proactively with Atomic Red Team, and hunt for processes executing from suspicious file paths. |
| Source | Splunk Threat Research Team |
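The "suspicious process file paths" recommendation in the table, worked through as an added example (this is not code from the Splunk article or the Splunk Threat Research Team). It scores Windows process-creation events on three signals the summary lists: an image or command line touching a user-writable staging directory, a script host such as cmd.exe running that staged content, and a sleep/timeout in the command line of the kind used for time-based sandbox evasion. The field names mirror the Splunk Endpoint.Processes data model; the hostnames, users, file names and the events themselves are constructed for the example.

```python
"""
Suspicious-process-path hunt over constructed Windows process-creation events.
Added example for this summary; not code from the Splunk article. Field names
(dest, user, process_path, process, parent_process_path) follow the Splunk
Endpoint.Processes data model; the sample events are invented.
"""
import re
from dataclasses import dataclass

# User-writable staging directories that phishing-delivered droppers (NSIS or
# AutoIt stubs unpacked from an attachment) commonly execute from, and that
# legitimately installed software rarely does. Compared case-insensitively.
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\downloads\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
)

# Script hosts that turn a suspicious-path hit into likely obfuscated-batch
# execution (T1059 / T1027) rather than a stray user download.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# "timeout /t N", "ping -n N" and Start-Sleep are the usual ways a batch or
# PowerShell stage stalls to outlast a sandbox (time-based evasion, T1497.003).
DELAY_RE = re.compile(r"timeout\s+/t\s+\d+|ping\s+-n\s+\d+|start-sleep", re.I)


@dataclass
class Finding:
    dest: str
    user: str
    process_path: str
    severity: str
    reasons: list


def suspicious_dir(text):
    """Return the first suspicious directory fragment found in text, else None."""
    low = text.lower()
    for frag in SUSPICIOUS_DIRS:
        if frag in low:
            return frag
    return None


def classify(event):
    """Return a Finding for one process-creation event, or None if it is clean."""
    reasons = []
    path_hit = suspicious_dir(event["process_path"])
    if path_hit:
        reasons.append(f"image executes from {path_hit}")
    cmd_hit = suspicious_dir(event["process"])
    if cmd_hit and not path_hit:
        reasons.append(f"command line references {cmd_hit}")
    if not reasons:
        return None  # nothing touches a staging directory: not interesting
    image = event["process_path"].rsplit("\\", 1)[-1].lower()
    if image in SCRIPT_HOSTS:
        reasons.append(f"script host {image} runs staged content")
    if DELAY_RE.search(event["process"]):
        reasons.append("sandbox delay in command line")
    severity = "high" if len(reasons) >= 2 else "medium"
    return Finding(event["dest"], event["user"], event["process_path"], severity, reasons)


def hunt(events):
    """Run classify() over a batch of events and keep only the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample events; hostnames, users and file names are invented.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "alice",
     "process_path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "process": "OUTLOOK.EXE",
     "parent_process_path": "C:\\Windows\\explorer.exe"},
    {"dest": "ws01", "user": "alice",
     "process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\recovery_tool.exe",
     "process": "recovery_tool.exe",
     "parent_process_path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"},
    {"dest": "ws01", "user": "alice",
     "process_path": "C:\\Windows\\System32\\cmd.exe",
     "process": "cmd.exe /c \"C:\\Users\\alice\\AppData\\Local\\Temp\\nsa1F2.tmp\\run.bat\" & timeout /t 120",
     "parent_process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\recovery_tool.exe"},
    {"dest": "ws02", "user": "bob",
     "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "process": "powershell.exe -File C:\\Scripts\\backup.ps1",
     "parent_process_path": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f.severity.upper(), f.dest, f.user, f.process_path)
        for r in f.reasons:
            print("   -", r)
```

On the sample batch this yields two findings: a medium one for the executable launched from %TEMP% by Outlook, and a high one for cmd.exe running a batch file out of %TEMP% with a `timeout` stall. The path-only signal is noisy on its own (users do run installers from Downloads), which is why the script-host and delay signals are used to raise severity rather than as standalone alerts. An illustrative Splunk equivalent of the first signal, assuming the Endpoint data model is populated, is `| tstats count from datamodel=Endpoint.Processes where Processes.process_path="*\\AppData\\Local\\Temp\\*" by Processes.dest Processes.user Processes.process_path Processes.process`; the extra signals map onto `Processes.process` filters in the same search.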
Read full article: Handala’s Wiper: Threat Analysis and Detections | Splunk
Disclaimer: The above summary has been generated by an AI language model.
