Hamas-Linked Threat Actor’s Infrastructure Disrupted

A large portion of the infrastructure related to a Middle Eastern threat actor known as Gaza Cybergang was taken down after their latest operations were uncovered, Kaspersky Lab’s security researchers reveal.

Also known as the Gaza Hackers Team and Molerats and mainly targeting the MENA (Middle East North Africa) region, especially the Palestinian Territories, the actor is likely linked to the Palestinian terrorist organization Hamas and has been connected to numerous attacks in the past several years.

Kaspersky Lab now explains that three different groups operate under the Gaza Cybergang umbrella, and that only Group1 can be referred to as Molerats. The two other groups have been described before under the names of Desert Falcons and Operation Parliament.

The groups are differentiated by level of sophistication and style and, in some cases, techniques. However, they deploy common tools and commands after initial infection and were observed sharing victims.

The Gaza Cybergang Group1 is the least sophisticated of the three and makes heavy use of paste sites to gradually deploy a remote access Trojan (RAT) onto victim systems. Called SneakyPastes, their operation employs phishing and chained stages to evade detection and extend command and control (C&C) server lifetime.

The group has limited infrastructure, relies on open-source tools, and launches widespread attacks, but mainly focuses on Palestinian political problems. SneakyPastes targets embassies, government entities, educational institutions, media outlets, journalists, activists, political parties or personnel, healthcare organizations, and banks, the security researchers say.

During their investigation into the campaign, the researchers were able to uncover the group’s cyber kill chain, including TTPs, infrastructure, action on objectives, and victims. Working with law enforcement agencies, they also took down a large portion of the related infrastructure.

The group used disposable emails and domains for phishing, and delivered several implants that leverage PowerShell, VBS, JavaScript, and .NET for resilience and persistence. The final stage includes support for directory listing, screenshots, file compression, encryption, uploads, and more.

The attackers sent phishing emails with political themes to a large number of victims, but deployed their tools in specific cases only. The emails either contained the first stage as attachment or a link to it. The malware downloads additional files to achieve persistence and exfiltrate data from the victim machine.

The final stage of the attack is the Razy RAT (aka NeD worm and Wonder Botnet), which was designed to search for specific file extensions such as PDF, DOC, DOCX, XLS, and XLSX, and send them to the C&C server.

The RAT supports a broad range of commands to exfiltrate data, create and delete files, restart its process, take screenshots, shut down or reboot the system, list active processes and installed software, and kill system processes.

In 2018, the group relied on a single C&C server, but rotated multiple domain names. They also hosted the different attack stages on free sites such as Mailimg, Github, Pastebin, dev-point.co, a.pomf.cat, and upload.cat, and leveraged disposable email providers such as bit-degree.com, mail4gmail.com, careless-whisper.com and others.

As part of the campaign, the hackers hit over 240 unique victims across 39 countries. Most of these, however, are located in the Palestinian Territories (110), followed by Jordan (25), Israel (17), Lebanon (11), and Saudi Arabia and Syria (9 each).

“Gaza Cybergang is evolving and adapting to the MENA region – a complex setting with complex requirements. The attacks are now divided into three groups with different levels of sophistication and different levels of targeting. We expect the damage caused by these groups to intensify and the attacks to extend into other regions that are also linked to the complicated Palestinian situation,” Kaspersky concludes.

Related: New Attacks on Palestine Linked to ‘Gaza Cybergang’

Related: ‘Operation Parliament’ Imitates Another Actor to Stay Undetected