The Gaza Cybergang, an advanced persistent threat (APT) group linked to the Palestinian terrorist organization Hamas, apparently continues to target organizations in the Middle East, researchers at Check Point revealed last week.
The attacks observed by the security firm started with a spear-phishing email carrying a self-extracting archive that stored a Word document and a malicious executable. The emails purported to come from the Palestinian Political and National Guidance Commission and the documents contained copies of media reports from various Palestinian news websites.
While the targeted user is busy looking at the document, a piece of malware is being installed on their system. The malware, an upgraded variant of Micropsia, a tool previously linked to the Gaza Cybergang, is capable of taking screenshots, stealing documents, rebooting the system, obtaining information about the compromised device, and killing itself.
These and other capabilities are provided by more than a dozen modules, each named after characters in the American TV show “The Big Bang Theory” and a popular Turkish TV series called “Resurrection: Ertugrul.” In a related malware sample, the modules are named after various BMW car models (e.g. BMW_x1, BMW_x8).
The main target of this campaign, which Check Point has dubbed “Big Bang,” appears to be the Palestinian Authority, the governing body of the emerging Palestinian autonomous regions of the West Bank and Gaza Strip.
Researchers believe the latest attacks started in March and evidence suggests that they could be the work of the Gaza Cybergang, which has been known to target the Palestinian Authority many times in the past years.
“Although the group behind it seems to be focused on carefully selecting their victims, using a custom-made info-stealer for intelligence gathering operations, due to its very nature it is difficult to assert what the ultimate goal of this campaign is. Indeed, the next stages of the attack may even still be in the works, not yet deployed or only deployed to selected few victims,” Check Point researchers wrote in a blog post.
Also known as Gaza Hackers Team and Molerats, the threat actor has been active since at least 2012. Its targets include Israel, Egypt, Saudi Arabia, the UAE, Iraq, the United States, and some European countries.
The group has occasionally suspended activity after security firms exposed its operations, but it has continued improving tools and techniques and expanding its list of targets.
One of the most recent reports on Gaza Cybergang was published in October 2017 by Kaspersky Lab. The security firm reported at the time that the group had been targeting organizations in the Middle East and North Africa (MENA) region, including an oil and gas company from which the hackers stole information for more than a year.
Cisco Talos also published a report on Gaza Cybergang last year, detailing attacks aimed at Palestinian law enforcement.