Hamas-Linked Hackers Add Insurance and Retail to Target List

MoleRATs, a politically-motivated threat actor apparently linked to the Palestinian terrorist organization Hamas, has expanded its target list to include insurance and retail industries, Palo Alto Networks’ security researchers report.

Also referred to as Gaza Hackers Team, Gaza Cybergang, Extreme Jackal, Moonlight, and DustySky, the advanced persistent threat (APT) group has been active since at least 2011, targeting various governmental organizations around the world, as well as telecommunications companies.

Between October 2 and December 9, 2019, the hacking group was observed targeting eight organizations in six different countries. The victims are from the government, telecommunications, insurance and retail industries, with the last two representing atypical targets for the group.

The targets were located in the United Arab Emirates, the United Kingdom, Spain, the United States, Djibouti, and Saudi Arabia.

All attacks used similar email subjects and attachment file names, but no specific social engineering themes were employed, which likely reduced the effectiveness of the attempts.

Spear-phishing emails were leveraged to deliver malicious documents — mostly Word documents, but also one PDF — which in turn attempted to trick the intended victim into enabling content so that a macro could run, or into clicking a link to download a malicious payload.

The Spark backdoor was used in most of these assaults, allowing the attackers to open applications and run command line commands on the compromised system. The malware has been attributed to the Gaza Cybergang before and appears to have been used by the group since at least 2017.

To avoid detection and impede analysis, the hackers password-protected the delivery documents, ensured that the Spark payload would only run on systems with an Arabic keyboard and locale, and also obfuscated the payloads using the commercial packer Enigma. They also encrypted data in HTTP POST requests and responses to the command and control (C&C) server.

One of the delivery documents observed in these attacks was previously discussed by Cisco Talos’ researchers in relation to the JhoneRAT payload, suggesting that the Gaza Cybergang might be employing this piece of malware as well.

Some of the delivery documents analyzed led to a modular payload that requires a “chain of successful communications with a C2 server for a successful infection,” Palo Alto Networks reveals. This makes post-intrusion analysis difficult, as the researchers aren’t always able to retrieve all components.

“This behavior can assist the adversary in evading automated defenses, as they can deploy their infrastructure at time of attack and avoid having additional artifacts available for further analysis,” the researchers note.

Another document attempted to trick the victim into enabling macros to fetch a base64-encoded executable from Google Drive. This file is a compiled AutoIt script that installs an embedded executable, runs it, and ensures persistence. The executable then fetches a variant of the Spark backdoor.
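As an added defensive illustration (not code from the Palo Alto Networks report or from the campaign itself), the check below flags a downloaded text body that is actually a base64-encoded Windows executable, the staging trick described above. The fake PE sample and the function names are constructed for this example; the sample is inert and not a real program.

```python
import base64
import binascii
import re
import struct
from typing import Optional

# Constructed sample: a minimal fake PE image (an MZ header whose e_lfanew
# field points at a "PE\0\0" signature). It contains no code and does nothing.
def build_fake_pe() -> bytes:
    hdr = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> offset 0x80
    img = hdr + b"\x00" * (0x80 - len(hdr)) + b"PE\x00\x00" + b"\x00" * 64
    return bytes(img)

def sample_staged_payload() -> bytes:
    """The constructed sample, base64-encoded as a dropper would stage it."""
    return base64.b64encode(build_fake_pe())

_B64_RE = re.compile(rb"^[A-Za-z0-9+/=\s]+$")

def decode_if_base64(blob: bytes) -> Optional[bytes]:
    """Return decoded bytes if blob is a well-formed base64 text body, else None."""
    if not blob or not _B64_RE.match(blob):
        return None
    try:
        # Line-wrapped base64 is common; strip whitespace before strict decoding.
        return base64.b64decode(b"".join(blob.split()), validate=True)
    except (binascii.Error, ValueError):
        return None

def looks_like_pe(data: bytes) -> bool:
    """Check the MZ magic and that e_lfanew lands on a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def is_base64_encoded_executable(blob: bytes) -> bool:
    """True when a text body decodes to something with a PE header."""
    decoded = decode_if_base64(blob)
    return decoded is not None and looks_like_pe(decoded)
```

A proxy or mail gateway can run this over text-typed downloads, where a valid PE hiding behind base64 is a strong signal on its own, regardless of the hosting service.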

The PDF document observed in one of the attacks contained a message meant to coerce the recipient into clicking a link that would fetch the malicious payload. A blackmail-like approach is employed: the victim is told that the attacker has compromising pictures of them and intends to release them to the media.

The security researchers were able to identify code connections between the delivery documents, which then led them to the discovery of additional documents and of the domain infrastructure employed by the attackers.

Spark, the backdoor employed in these attacks, appears to have been used by the Gaza Cybergang in the Operation Parliament campaign that was detailed in early 2018. Palo Alto Networks gathered dozens of samples, with creation dates ranging from March 2017 to January 2020, and identified two versions of the malware: 2.2, created three years ago, and 4.2, created in late December 2019 and January 2020.

Spark was used in campaigns in January 2019 and January 2020, and a comparison between the attacks revealed a change in payload delivery method, but also an evolution of the backdoor itself, suggesting that the threat group is continually developing the malware using freely available libraries.

Related: New Backdoor Attacks Leverage Political Turmoil in Middle East

Related: New Attacks on Palestine Linked to ‘Gaza Cybergang’

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
