WIRTE APT group targets the Middle East since at least 2019

A threat actor named WIRTE targets government, diplomatic entities, military organizations, law firms, and financial institutions in Middle East.

Cybersecurity researchers from Kaspersky have detailed the activity of a threat actor named WIRTE that is targeting government, diplomatic entities, military organizations, law firms, and financial institutions in Middle East since early 2019.

The activity of the WIRTE group has been documented by cybersecurity researchers at Lab52 in2019, the group is a politically motivated threat actor linked to the Gaza Cybergang. Other victims targeted by the group are in Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey.

The group launched spear-phishing campaigns using weaponized Microsoft Office documents to deploy VBS/VBA implants. The weaponized Excel documents acted as droppers that use hidden spreadsheets and VBA macros to deliver a first stage implant, which is a Visual Basic Script (VBS). The VBS implant is a script that collects system information and executes arbitrary code on the infected machine.

The first stage implant also downloads and installs a next-stage dropper named Ferocious that leverages a living-off-the-land (LotL) technique called COM hijacking to achieve persistence and and execute another PowerShell script dubbed LitePower Stager

The LitePower stager is a small PowerShell implant that acts as a downloader and secondary stager used to execute commands sent by the C2, it also allow to download and deploy further malware. The experts were able to locate C2 servers in Ukraine and Estonia.

“In our initial sample analysis, the C2 domain we observed was stgeorgebankers[.]com. After conducting pivots through malware samples, we were able to identify multiple C2 domains that date back to at least December 2019.” continues the analysis.”These C2 domains were occasionally behind CloudFlare to obscure the real C2 IP address. Thanks to collaboration with our partners, we were able to gather some of the original C2 IP addresses, which allowed us to discover that the servers are hosted in Ukraine and Estonia.”

WIRTE operators remain under the radar for a long period of time, the attacks against law firms and financial institutions represent an important switch for a group that is politically motivated.

“WIRTE modified their toolset and how they operate to remain stealthy for a longer period of time. Living-off-the-land (LotL) techniques are an interesting new addition to their TTPs. This suspected subgroup of Gaza Cybergang used simple yet effective methods to compromise its victims with better OpSec than its suspected counterparts. Using interpreted language malware such as VBS and PowerShell scripts, unlike the other Gaza Cybergang subgroups, adds flexibility to update their toolset and avoid static detection controls.” continues the report. “Whether WIRTE is a new subgroup or an evolution of existing Gaza Cybergang subgroups, we see them expanding their presence further in cyberspace by using updated and stealthier TTPs.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, IKEA)

[adrotate banner=”5″]

[adrotate banner=”13″]