Thursday, April 9, 13:10
Home security New malware attacks detected in the Middle East!

New malware attacks detected in the Middle East!

A new malware campaign has been detected in the Middle East following victims in the Palestinian territories.

An investigation into the attacks, carried out by the Cybereason Nocturnus team and released on Thursday, suggests that one of the groups called Gaza Cybergang - also known as the Molerats - is potentially responsible.

It was identified by Kaspersky as three separate "factions" - MoleRATs, a group affiliated with the Desert Falcons, and Operation Parliament - MoleRATs is a Arabic-speaking, politically motivated group that has been operating since 2012.


Kaspersky says the MoleRATs team is the least sophisticated of the three and while all three use different attack styles, they all share common tools and commands after the initial infections.

Cybereason says that in recent months, the MoleRATs team has been trying to infiltrate systems both organizations and individuals. However, two separate malware campaigns appear to be happening at the same time.

- Advertisement -

The first, called Spark, uses social engineering as its primary carrier. Phishing emails try to attract victims by exploiting politically sensitive ones contentsuch as the Israeli-Palestinian conflict, tensions between Hamas and the Egyptian government and the killing of Qasem Soleimani.

If victims open emails and associated malicious files, these misleading documents, including Microsoft Office, .PDF and file folders. Everything is trying to entice victims to download an additional file from Egnyte or Dropbox. When opened, another file - disguised as a Microsoft Word document - contains an executable file, which is Spark's dropper backdoor.

The backdoor Spark, which it likely is software customized by hackers, it is able to collect system information on an infected machine, encrypt this information and send it to a command-and-control (C2) server, downloading additional malware payloads and finally execute the commands.

The malware will complete the payloads using Enigma in an attempt to prevent detection and detect antivirus products using WMI. Spark will also confirm that his victim is of Arabic descent based on keyboard and language settings.

Pierogi is the second campaign, which also uses social engineering, but uses a different set of malicious documents, and a brand new backdoor.

In most cases, cybersecurity researchers say they use Microsoft Word visualized documents, also leading to further downloads malicious files via macros. The names are usually called "Report on major developments_347678363764.exe," "Employee-entitlements-2020.doc," and "Hamas_32th_Anniversary__32_1412_847403867_rar.exe".

Then a backdoor appears. It was named Pierogi and is written in Delphi, and appears to have been created by hackers who know Ukrainian, as the Ukrainian language found in the code indicates.

Despite its simplicity, malware is still able to collect and steal data system, download additional payloads, receive screenshots and execute commands via CMD.

Cybereason suspects that the purpose of both campaigns is to "obtain sensitive information from victims and use it for political purposes".

Teo Ehc
Teo Ehc
Be the limited edition.


Please enter your comment!
Please enter your name here


COVID-19: Can it be "reactivated" in treated patients?

According to the Korean Centers for Disease Control and Prevention (KCDC), Coronavirus COVID-19 can be "reactivated" in treated patients. Indicatively, approximately ...

Instructions for the face shields created by Apple

The pandemic of coronavirus has affected all areas of our daily lives and especially our work ....

Windows 10: WSL Linux integration test in File Explorer

Windows 10 improves integration between Windows Subsystem for Linux (WSL) and File Explorer, ...

XHelper malware: reinstalled after resetting to factory settings

The malware XHelper, which affects devices running the Android operating system, was first discovered ...

The Fall of the Zoom: Google forbids its employees to use it

A few weeks ago, Zoom was one of the top teleconferencing solutions. Many people working ...

OTEAcademy: Telecommunication Program for Scientists & Freelancers, affected by COVID-19

OTEAcademy participates in the special telecommunication program - certification for scientists and freelancers affected by COVID-19.

Facebook wanted to buy Pegasus Spyware to track Apple users

According to NSO CEO Shalev Hulio, Facebook tried to buy ...

7 apps to watch movies online at the same time as your friends

According to the recommendations made by governments and health organizations around the world, ...

Tesla's model uses solar energy to move

The designs for a Tesla Roadster, with an engine that uses solar energy, were recently released on the internet and ...

George Soros is pushing for a postal vote due to COVID-19

George Soros pushes for postal voting due to COVID-19: For the purposes of the vote, George Soros-funded Brennan Center ...