A threat group believed to be located in Palestine has been targeting users in Palestine and other Middle Eastern countries in a series of unsophisticated attacks whose main goal appears to be espionage.
Researchers at Vectra Networks have been monitoring the group for the past two years and determined that its operations focus on Middle Eastern political issues. The threat actor has been dubbed “Moonlight” based on the name of a command and control (C&C) domain used in the attacks.
According to Vectra, Moonlight’s tools and targets are similar to those of a group known as Gaza Hackers Team, Gaza Cybergang and Molerats, but experts have not found a clear connection between these actors. The Palestinian terrorist organization Hamas is believed to be behind Gaza Hackers Team.
Sinkholes deployed by Vectra showed that most Moonlight victims were located in Palestine, including individuals and a news organization, but infections were also spotted in Egypt, the United States, Jordan, Libya, Iran, Israel and China. However, researchers believe the U.S. and China are not actual targets: these infections are more likely either part of security analysis efforts or systems belonging to foreign students with ties to one of the targeted countries.
Moonlight has not relied on exploits in its operations. Instead, the attackers have been using social engineering and URL shortening services to trick targets into downloading and executing malware.
The cyberspies have been impersonating news organizations and delivering malware disguised as documents and videos that are likely to attract the attention of victims.
The first stage backdoor delivered by Moonlight is an obfuscated version of H-Worm, also known as Houdini, a threat believed to have been developed by an individual based in Algeria who has connections to the author of njw0rm and njRAT. Palo Alto Networks has also published an analysis of a new version of H-Worm this week, but the company has not provided any details on the attacks it has been used in.
The malware is typically installed using basic scripts within self-extracting RAR archives, but Moonlight developed over 200 variations in an effort to evade detection. What makes this group interesting is that the samples have been produced manually rather than with specialized build tools of the kind used by other, more sophisticated actors.
Once H-Worm has infected a system, it allows the attackers to install other pieces of malware, such as njRAT.
The Moonlight attacks rely on a simple C&C infrastructure with dynamic domains controlled through home Internet connections in Gaza, Palestine.
“In general, the assigned IP-location of command and control servers is a poor indication of attacker locations,” Vectra researchers noted. “However, in this case the provided locations of home networks in the Gaza Strip are likely to be accurate and fit with other details from the attacks.”
Experts believe they have identified some of the individuals involved with the group, but their identities have not been disclosed because they are in a conflict zone. According to the security firm, these individuals exhibited poor operational security, particularly in their earlier attacks, which seemed opportunistic rather than targeted.