SecurityWeek

Cyberwarfare
Gaza Cybergang Uses QuasarRAT to Target Governments

Researchers at Palo Alto Networks have spotted new attacks they believe have been launched by the cyber espionage group known as Gaza Cybergang, and discovered that one of the servers used by the threat actor is vulnerable to remote attacks.

Gaza Cybergang, also known as Gaza Hackers Team and Molerats, has been active since at least 2012. The actor, which some believe is run by the Palestinian militant group Hamas, has mainly targeted organizations in Middle Eastern countries, but victims have also been observed in Europe and the United States.

Palo Alto Networks recently spotted new attacks aimed at government organizations and determined that they are likely related to a Gaza Cybergang campaign dubbed DustySky.

In the recent attacks analyzed by the security firm, the threat group used two pieces of malware: a downloader called Downeks and a remote access tool (RAT) named QuasarRAT.

Researchers noticed similarities in the code, decoys, targets and the command and control (C&C) infrastructure of the recent campaign and DustySky. They pointed out that the attacks were launched and the malware samples were built on days that coincide with the workweek in the Middle East.

Quasar is a free and open source RAT that has evolved from xRAT. The sample spotted in the Gaza Cybergang attacks appears to be a customized version developed using source code available on GitHub.

Once it infects a system, the malware can steal files, collect system information, download and execute files, open the task manager, kill or start processes, open a remote desktop connection, remotely control the mouse and keyboard, capture passwords, log keystrokes, visit websites, and display a message box.

An analysis of the C&C server used by QuasarRAT revealed remote code execution vulnerabilities that would allow a second attacker to take control of the machine. While the researchers did not run tests against the live server, lab simulations conducted by Palo Alto Networks showed that an attacker can change the QuasarRAT code on the server and report fake victim data.

Since the server does not check the validity of the data it receives, an attacker can trick the Gaza Cybergang into connecting to a specially crafted “victim” system, which can be used to deliver arbitrary files.

“Quasar is a .NET Framework assembly, loading multiple DLLs upon launch, for example ‘dnsapi.dll’. Quasar server is vulnerable to a simple DLL hijacking attack, by using this technique to replace server DLLs,” Palo Alto Networks researchers explained. “When the attacker restarts the Quasar application, our uploaded ‘dnsapi.dll’ will instead be loaded. Through this vector, we could drop our own Quasar client on the attacker’s server and execute it. Our Quasar RAT will connect to our own (secured, of course) Quasar server, allowing us to control that attacker’s server with his own RAT.”
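The DLL hijacking described above works because a DLL planted next to the executable shadows the copy that normally lives only in the Windows system directory. The following is an added defensive example, not code from the article, Palo Alto Networks or the Quasar project: it flags files in an application folder whose names collide with system DLLs and diffs the folder against a known-good inventory so a newly planted or altered file stands out. The set of system DLL names and the sample folder it builds are constructed for illustration; a real deployment would derive the name list from the application's actual import table.

```python
"""Spot DLL search-order hijacking candidates in an application directory.

Added example (not from the article or the Quasar project). Assumptions:
- SYSTEM_DLL_NAMES is an illustrative, constructed list of DLLs that should
  only be found in %SystemRoot%\\System32, never beside the application.
- build_demo_dir() fabricates a sample application folder so the checks can
  run offline on any platform.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed list of system DLL names. A same-named file beside the
# executable is exactly what the hijacking scenario in the article relies on.
SYSTEM_DLL_NAMES = {"dnsapi.dll", "version.dll", "cryptsp.dll", "profapi.dll"}


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_shadowing_dlls(app_dir, system_dll_names=SYSTEM_DLL_NAMES):
    """Return sorted names of files in app_dir that shadow a system DLL name."""
    app = Path(app_dir)
    return sorted(
        entry.name.lower()
        for entry in app.iterdir()
        if entry.is_file() and entry.name.lower() in system_dll_names
    )


def inventory(app_dir):
    """Map lower-cased file name -> SHA-256 for every file in app_dir."""
    app = Path(app_dir)
    return {p.name.lower(): sha256_of(p) for p in app.iterdir() if p.is_file()}


def diff_against_baseline(app_dir, baseline):
    """Compare the current folder with a known-good inventory.

    'added' is the interesting set for DLL planting; 'modified' catches an
    existing DLL being replaced in place.
    """
    current = inventory(app_dir)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in current
            if name in baseline and current[name] != baseline[name]
        ),
    }


def build_demo_dir():
    """Constructed sample folder: a server binary, a vendor DLL, and a planted
    dnsapi.dll. The byte contents are placeholders, not real PE files."""
    folder = Path(tempfile.mkdtemp(prefix="dllscan_"))
    (folder / "Server.exe").write_bytes(b"MZ placeholder executable")
    (folder / "Vendor.Helper.dll").write_bytes(b"MZ placeholder helper")
    (folder / "dnsapi.dll").write_bytes(b"MZ placeholder planted dll")
    return folder


if __name__ == "__main__":
    demo = build_demo_dir()
    # Baseline taken before the planted file appeared.
    known_good = inventory(demo)
    known_good.pop("dnsapi.dll")
    print("shadowing system DLL names:", find_shadowing_dlls(demo))
    print("baseline diff:", diff_against_baseline(demo, known_good))
```

Run it periodically against the install directory of any service that loads DLLs by bare name; a hit in either list is a reason to pull the file's hash and check its signature before the process is next restarted, since the planted library only loads on restart.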

As for Downeks, experts noticed new versions of the threat written in .NET, unlike earlier samples, which had been written in native code. The new versions, used against Hebrew-speaking targets, provide basic backdoor capabilities.

While Downeks’ primary role is to download other malware, it can also capture screenshots and check the infected system for the presence of security products.

Related: Arabic Threat Group Targets IT, Incident Response Teams

Related: Gaza Threat Group Targeting Israeli Organizations

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
