Gaza Cybergang Uses QuasarRAT to Target Governments

Researchers at Palo Alto Networks have spotted new attacks they believe have been launched by the cyber espionage group known as Gaza Cybergang, and discovered that one of the servers used by the threat actor is vulnerable to remote attacks.

Gaza Cybergang, also known as Gaza Hackers Team and Molerats, has been active since at least 2012. The actor, which some believe is run by the Palestinian militant group Hamas, has mainly targeted organizations in Middle Eastern countries, but victims have also been observed in Europe and the United States.

Palo Alto Networks recently spotted new attacks aimed at government organizations and determined that they are likely related to a Gaza Cybergang campaign dubbed DustySky.

In the recent attacks analyzed by the security firm, the threat group used two pieces of malware: a downloader called Downeks and a remote access tool (RAT) named QuasarRAT.

Researchers noticed similarities in the code, decoys, targets and the command and control (C&C) infrastructure of the recent campaign and DustySky. They pointed out that the attacks were launched and the malware samples were built on days that coincide with the workweek in the Middle East.

Quasar is a free and open source RAT that has evolved from xRAT. The sample spotted in the Gaza Cybergang attacks appears to be a customized version developed using source code available on GitHub.

Once it infects a system, the malware can steal files, collect system information, download and execute files, open the task manager, kill or start processes, open a remote desktop connection, remotely control the mouse and keyboard, capture passwords, log keystrokes, visit websites, and display a message box.

An analysis of the C&C server used by QuasarRAT revealed remote code execution vulnerabilities that would allow a second attacker to take control of the machine. While the researchers did not test the live server, lab simulations conducted by Palo Alto Networks showed that an attacker could change the QuasarRAT code on the server and report fake victim data.

Since the server does not check the validity of the data it receives, an attacker can trick the Gaza Cybergang into connecting to a specially crafted “victim” system, which can be used to deliver arbitrary files.

“Quasar is a .NET Framework assembly, loading multiple DLLs upon launch, for example ‘dnsapi.dll’. Quasar server is vulnerable to a simple DLL hijacking attack, by using this technique to replace server DLLs,” Palo Alto Networks researchers explained. “When the attacker restarts the Quasar application, our uploaded ‘dnsapi.dll’ will instead be loaded. Through this vector, we could drop our own Quasar client on the attacker’s server and execute it. Our Quasar RAT will connect to our own (secured, of course) Quasar server, allowing us to control that attacker’s server with his own RAT.”
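The weakness the researchers describe is classic DLL search-order hijacking: a process that loads a library by bare name (`dnsapi.dll`) will pick up a same-named file sitting in its own directory before the system copy, so a file-upload path that can write into the application directory becomes code execution on restart. From the defender's side, the corresponding check is to audit an application directory for DLLs that shadow system libraries and are not part of the application's own manifest. The following is an added example of such an audit; it is not code from Palo Alto Networks or from the Quasar project. The directory listing and the application's expected-file manifest are constructed, and the short system-DLL list is illustrative (a real audit would take it from the Windows KnownDLLs list or a dependency walk of the binary).

```python
import os

# Illustrative set of libraries a .NET application resolves from the system
# directory. dnsapi.dll is the one named in the article; the rest are
# well-known Windows libraries included to make the check meaningful.
SYSTEM_DLLS = frozenset({"dnsapi.dll", "kernel32.dll", "user32.dll", "ws2_32.dll"})

# Constructed manifest: files the application legitimately ships with.
# A real manifest would come from the installer or a signed file list.
EXPECTED_APP_FILES = frozenset({"quasar.exe", "quasar.exe.config", "newtonsoft.json.dll"})

# Constructed directory listing standing in for os.listdir() on the app folder.
# The planted dnsapi.dll models the scenario described in the article.
SAMPLE_LISTING = [
    "Quasar.exe",
    "Quasar.exe.config",
    "Newtonsoft.Json.dll",
    "dnsapi.dll",
    "helper.dll",
    "readme.txt",
]


def audit_listing(listing, expected=EXPECTED_APP_FILES, system_dlls=SYSTEM_DLLS):
    """Classify DLLs in an application directory listing.

    Returns a dict with two sorted lists:
      shadowing  - DLLs that share a name with a system library and are not in
                   the manifest; these are the search-order hijack candidates.
      unexpected - other DLLs absent from the manifest; worth a second look but
                   not necessarily shadowing anything.
    Name comparison is case-insensitive because the Windows loader is.
    """
    shadowing, unexpected = [], []
    for name in listing:
        lower = name.lower()
        if not lower.endswith(".dll") or lower in expected:
            continue
        if lower in system_dlls:
            shadowing.append(name)
        else:
            unexpected.append(name)
    return {"shadowing": sorted(shadowing), "unexpected": sorted(unexpected)}


def audit_directory(path, **kwargs):
    """Run the audit against a real directory (top level only)."""
    return audit_listing(os.listdir(path), **kwargs)


if __name__ == "__main__":
    result = audit_listing(SAMPLE_LISTING)
    for name in result["shadowing"]:
        print(f"HIJACK CANDIDATE: {name} shadows a system DLL and is not in the manifest")
    for name in result["unexpected"]:
        print(f"review: {name} is not in the application manifest")
```

A finding in `shadowing` is a reason to verify the file's signature and origin; the structural fix is to keep any directory an application loads libraries from out of reach of its own data-handling code, and to load system libraries by full path or with `LOAD_LIBRARY_SEARCH_SYSTEM32` where the platform allows it.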

As for Downeks, experts noticed new versions of the threat written in .NET – unlike the earlier samples which had been written in native code. The new versions, used against Hebrew-speaking targets, provide basic backdoor capabilities.

While Downeks’ primary role is to download other malware, it can also capture screenshots and check the infected system for the presence of security products.

Related: Arabic Threat Group Targets IT, Incident Response Teams

Related: Gaza Threat Group Targeting Israeli Organizations

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

