
New Backdoor Attacks Leverage Political Turmoil in Middle East

Two apparently politically motivated backdoor campaigns have been observed operating in the Middle East, targeting influential Palestinians. The aggressors are most likely the MoleRATs APT (aka The Gaza Cybergang, Extreme Jackal, Moonlight, and DustySky). MoleRATs operates out of Gaza and is believed to be associated with Hamas.

The two campaigns are primarily differentiated by the backdoor malware used: Spark and Pierogi — and have been named the Spark Campaign and the Pierogi Campaign respectively by researchers at Cybereason’s Nocturnus group. Spark is the older of the two, and has been known since January 2019. Nocturnus believes it was developed by MoleRATs themselves. Pierogi is a new, previously undocumented RAT, discovered by Cybereason in December 2019.

Pierogi is thought to have been developed by Ukrainians rather than MoleRATs themselves. There are numerous Ukrainian words within the code, including, for example, C2 commands. These include ‘ekspertyza’ (‘examine’, for requesting commands from the C2), ‘zavantazhyty’ (‘download’, for exfiltration), and ‘vydaly’ (‘delete’, for deleting certain requests). The Ukrainian connection is the reason for the Pierogi (a popular East European dish) name.

Both campaigns use email social engineering as the initial attack vector. Spark delivers a weaponized document or a malicious link. The lure is political, including themes based on the Hamas/Fatah conflict, the Israel/Palestine conflict, tensions based on the killing of Qasem Soleimani, and tensions between Hamas and the Egyptian government.

In this campaign, the lures lead to one of two file sharing websites: Egnyte or Dropbox. The target is encouraged to download an archive file containing an executable masquerading as a Word document. In one example, the lure is a PDF file purporting to be a special report allegedly quoted from the Egyptian newspaper Al-Ahram. The target is encouraged to click a link to access the entire article. The link connects to Egnyte, which hosts a file purporting to be the full article. The file has the same name as the PDF file, but is really a Windows executable with a fake Word icon. If the file is double clicked, the executable unpacks and installs the Spark backdoor in the background, while a decoy document is displayed to the user.

Also included is a compiled Autoit script. It drops two copies of Spark in different locations, and creates a scheduled task for persistence. Spark can collect, encrypt and exfiltrate information about the machine. It can download additional payloads and can execute commands. It maintains low visibility by being packed by the Enigma packer, checking for certain anti-virus and other security products using WMI queries, and validating an Arabic keyboard with Arabic language settings on the infected machine. If any of the anti-virus products are detected, or the keyboard is not Arabic, the payload does not execute.

The Spark Campaign, concludes Cybereason, suggests the social engineering element is “specifically meant to lure and appeal to victims from the Middle East, especially towards individuals and entities in the Palestinian territories likely related to the Palestinian government or the Fatah movement.”

The second campaign, Pierogi, is slightly different but also tied to MoleRATs. It is similarly targeted against Palestinian individuals and entities that are likely related to the Palestinian government. The lure is also primarily political, centering on the various political tensions between Hamas and other regional entities. In some cases, the target is encouraged to open an email attachment; in others to download a political report. The downloaded file is usually an executable masquerading as a Word document, or a weaponized Word document.

If the malicious document is opened, Pierogi is dropped. During this process, to allay suspicion, the victim is presented with a visible document that could contain genuine information — or pure fake news promoting a political agenda. Where an attached weaponized Word document is used, a simple and unobfuscated macro downloads a Base64 encoded payload, decodes it, and runs the Pierogi executable. 

Pierogi’s functionality is similar to that of Spark. It collects information about the machine, can take screenshots and upload them to the C2 server, and it can download additional payloads and execute arbitrary commands. It creates persistence through a classic startup item autorun technique: a shortcut is added to the startup folder, pointing to the binary's location in the C:\ProgramData folder. A GUID generated by the malware is stored in the same folder as GUID.bin.
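The persistence pattern just described (a startup-folder shortcut whose target lives under C:\ProgramData, with a GUID.bin dropped beside the binary) can be hunted for in endpoint telemetry. The following is an added example, not code from the article or from Cybereason: it correlates constructed, Sysmon-style file-creation records, and assumes a hypothetical enrichment step has already resolved each .lnk to its target path.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry (not from the article), one JSON record per line.
# "target" is assumed to be the resolved .lnk target supplied by a hypothetical
# enrichment step; a raw Sysmon FileCreate event does not carry it.
SAMPLE_EVENTS = r"""
{"host": "ws01", "path": "C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\report.lnk", "target": "C:\\ProgramData\\upd\\report.exe"}
{"host": "ws01", "path": "C:\\ProgramData\\upd\\GUID.bin", "target": null}
{"host": "ws02", "path": "C:\\Users\\b\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Teams.lnk", "target": "C:\\Program Files\\Teams\\Teams.exe"}
{"host": "ws03", "path": "C:\\ProgramData\\vendor\\GUID.bin", "target": null}
"""

# A .lnk created directly inside a per-user Startup folder.
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
# Shortcut targets under C:\ProgramData, where the article says the Pierogi binary lives.
PROGRAMDATA = re.compile(r"^C:\\ProgramData\\", re.IGNORECASE)


def parse_events(text):
    """Parse newline-delimited JSON records into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def score_hosts(events):
    """Return {host: [reasons]} for hosts showing the Startup-shortcut-to-ProgramData pattern.

    A GUID.bin in the same directory as the shortcut's target raises confidence,
    but a GUID.bin on its own (ws03) is not flagged: many legitimate installers
    keep opaque state files under ProgramData.
    """
    findings = defaultdict(list)
    guid_dirs = defaultdict(set)    # host -> lowercased directories containing GUID.bin
    lnk_targets = defaultdict(set)  # host -> lowercased ProgramData targets of Startup .lnk files
    for ev in events:
        path = ev["path"]
        if path.lower().endswith("\\guid.bin"):
            guid_dirs[ev["host"]].add(path.rsplit("\\", 1)[0].lower())
        if STARTUP_LNK.search(path) and ev.get("target") and PROGRAMDATA.match(ev["target"]):
            lnk_targets[ev["host"]].add(ev["target"].lower())
    for host, targets in lnk_targets.items():
        for t in sorted(targets):
            findings[host].append(f"Startup shortcut -> ProgramData binary: {t}")
            if t.rsplit("\\", 1)[0] in guid_dirs[host]:
                findings[host].append(f"GUID.bin beside {t} (high confidence)")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in score_hosts(parse_events(SAMPLE_EVENTS)).items():
        print(host, *reasons, sep="\n  ")
```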

The infrastructure for the Pierogi campaign seems to have been created specifically for the campaign. The domains were registered in November 2019 and operationalized shortly afterward. “The Pierogi backdoor discovered by Cybereason during this investigation seems to be undocumented and gives the threat actors espionage capabilities over their victims.” Cybereason suggests it may have been obtained through underground communities rather than developed in-house by MoleRATs.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
