A new malware campaign has been detected in the Middle East, targeting victims in the Palestinian territories.
An investigation into the attacks, carried out by the Cybereason Nocturnus team and released on Thursday, suggests that a group called Gaza Cybergang - also known as the Molerats - is likely responsible.
Kaspersky has identified Gaza Cybergang as three separate "factions" - MoleRATs, a group affiliated with the Desert Falcons, and Operation Parliament. MoleRATs is an Arabic-speaking, politically motivated group that has been operating since 2012.
Kaspersky says the MoleRATs team is the least sophisticated of the three, and while all three use different attack styles, they share common tools and commands after the initial infection.
Cybereason says that in recent months the MoleRATs team has been trying to infiltrate systems belonging to both organizations and individuals, and that two separate malware campaigns appear to be running at the same time.
The first, called Spark, uses social engineering as its primary delivery vector. Phishing emails try to lure victims with politically sensitive content, such as the Israeli-Palestinian conflict, tensions between Hamas and the Egyptian government, and the killing of Qasem Soleimani.
If victims open the emails and their attachments, they are shown decoy documents in the form of Microsoft Office files, .PDF files and file folders, all of which try to entice the victim to download an additional file from Egnyte or Dropbox. When opened, that file - disguised as a Microsoft Word document - contains an executable, which is the dropper for the Spark backdoor.
The Spark backdoor, which is likely custom-built by the attackers, is able to collect system information from an infected machine, encrypt it and send it to a command-and-control (C2) server, download additional malware payloads and, finally, execute commands.
The malware packs its payloads with the Enigma packer in an attempt to evade detection, and uses WMI to detect installed antivirus products. Spark will also confirm that its victim is an Arabic speaker, based on keyboard and language settings.
Pierogi is the second campaign. It also relies on social engineering, but uses a different set of malicious documents and a brand new backdoor.
In most cases, the cybersecurity researchers say, the attackers use weaponized Microsoft Word documents whose macros lead to further downloads of malicious files. The files carry names such as "Report on major developments_347678363764.exe," "Employee-entitlements-2020.doc," and "Hamas_32th_Anniversary__32_1412_847403867_rar.exe".
A backdoor is then deployed. Named Pierogi, it is written in Delphi and appears to have been created by developers who know Ukrainian, as indicated by the Ukrainian-language strings found in the code.
Despite its simplicity, the malware is still able to collect and steal system data, download additional payloads, take screenshots and execute commands via CMD.
Cybereason suspects that the purpose of both campaigns is to "obtain sensitive information from victims and use it for political purposes".