Cyber warfare

Gaza Cybergang is back, it leverages new tools against new targets

The Gaza Cybergang threat actor is back, and this time it is targeting organizations in the Middle East and North Africa (MENA) region.

Gaza Cybergang, a threat actor believed to be linked to the Palestinian organization Hamas, is back and is targeting organizations in the Middle East and North Africa (MENA) region.

According to the experts from Kaspersky, the hacker crew is now using new tools and techniques.

The Gaza cybergang, aka “Gaza Hackers Team” and “Molerats,” appears to be politically motivated and has been active since at least 2012, but it intensified its activity in Q2 2015.

Security experts speculate that the group is composed of Palestinian militants linked to Hamas; it has also targeted organizations in Europe and the United States.

The last news about the group came early this year, when security experts from Palo Alto Networks uncovered a new cyber espionage campaign, dubbed DustySky, that targeted government organizations with two strains of malware: a downloader called Downeks and a remote access tool (RAT) named QuasarRAT.

Kaspersky has been monitoring the group’s campaigns and reported that a new victim of the hacker group is an oil and gas company in the MENA region. The hackers compromised the company's systems and exfiltrated information for more than a year.

The Gaza cybergang added to its arsenal an Android Trojan that was first spotted by Kaspersky in April 2017 on a command and control (C&C) server likely used by the group to target Israeli soldiers.

“In mid-2017, the attackers were discovered inside an oil and gas organization in the MENA region, infiltrating systems and pilfering data, apparently for more than a year. The malware files that were found had been reported previously: https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/” reads the analysis published by Kaspersky.

“While traces of Android mobile malware have been spotted, attackers have continuously used the Downeks downloader and the Quasar or Cobaltstrike RATs to target Windows devices, enabling them to obtain remote access spying and data exfiltration abilities.”

The threat actors rely on spear-phishing messages carrying a malicious attachment or link. Researchers reported that in attacks after March 2017, the hackers used specially crafted Office files that delivered malware via macros.

Starting in June 2017, Gaza Cybergang also leveraged an exploit for CVE-2017-0199, a remote code execution flaw in the way Microsoft Office and WordPad handle embedded OLE objects, which Microsoft patched in April 2017. Unlike the macro-based lures, a document exploiting this flaw can execute code on an unpatched system when it is opened, without asking the victim to enable anything.

“This is now achieved more efficiently using the CVE 2017-0199 vulnerability which enables direct code execution abilities from a Microsoft office document on non-patched victim Windows systems. The use of Microsoft Access database files has also enabled the attackers to maintain low levels of detection, as it’s not an uncommon method to deliver malware.” added Kaspersky.

“These developments have helped the attackers continue their operations, targeting a variety of victims and organizations, sometimes even bypassing defences and persisting for prolonged periods.”
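The two delivery techniques above (macro-enabled Office files and RTF documents carrying an OLE2Link/URL Moniker object for CVE-2017-0199, plus the Access database attachments Kaspersky mentions) can be triaged with a few coarse file-format checks before anything is opened. The following Python script is an added example, not code from the original article or from Kaspersky; the sample attachments it scans are constructed in memory, and the indicators it looks for (a `vbaProject.bin` part in OOXML, `\objupdate` plus the `OLE2Link` string or the URL Moniker CLSID `{79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}` inside RTF `\objdata`, RTF content hiding behind a `.doc` extension, `.accdb`/`.mdb` attachments) are first-pass heuristics chosen for this illustration, not a complete or authoritative signature set.

```python
"""Coarse mail-attachment triage for macro, CVE-2017-0199 RTF and Access lures.

Added example; not code from the article or from Kaspersky. The indicator
set is an assumption about what a first-pass filter should flag and is no
substitute for detonating the file in a sandbox.
"""
import io
import re
import zipfile

# OOXML parts that exist only when a document carries a VBA project.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

# URL Moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} in the little-endian
# byte layout used inside OLE streams; RTF exploits for CVE-2017-0199 embed an
# OLE2Link object that references it so Word fetches remote content on open.
URL_MONIKER_CLSID = bytes.fromhex("E0C9EA79F9BACE118C8200AA004BA90B")
OLE2LINK = b"OLE2Link"

# \objdata is followed by hex-encoded object bytes, possibly split over lines.
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)")


def _decode_objdata(rtf):
    """Yield the binary payload of every \\objdata block in an RTF file."""
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:          # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        yield bytes.fromhex(hexstr.decode("ascii"))


def _check_rtf(rtf):
    findings = []
    if b"\\object" not in rtf:       # no embedded OLE object at all
        return findings
    if b"\\objupdate" in rtf:
        findings.append("embedded OLE object set to auto-update on open (\\objupdate)")
    for blob in _decode_objdata(rtf):
        if OLE2LINK in blob or URL_MONIKER_CLSID in blob:
            findings.append("OLE2Link / URL Moniker object in \\objdata (CVE-2017-0199 indicator)")
            break
    return findings


def _check_ooxml(data):
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return ["PK header but not a valid zip container"]
    return [f"VBA macro project present ({p})" for p in VBA_PARTS if p in names]


def triage_attachment(name, data):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    lower = name.lower()
    is_rtf = data.lstrip().startswith(b"{\\rtf")
    if lower.endswith((".accdb", ".mdb")):
        findings.append("Access database attachment (uncommon lure format)")
    if is_rtf and lower.endswith(".doc"):
        findings.append("RTF content delivered under a .doc extension")
    if is_rtf:
        findings += _check_rtf(data)
    if data.startswith(b"PK\x03\x04"):
        findings += _check_ooxml(data)
    return findings


# --- constructed samples (not real malware) ---------------------------------

def _rtf_sample():
    # Hypothetical object stream: an OLE2Link class name followed by the CLSID.
    payload = b"\x01\x05\x00\x00\x02\x00\x00\x00" + OLE2LINK + URL_MONIKER_CLSID
    return (b"{\\rtf1{\\object\\objautlink\\objupdate\\objw100\\objh100"
            b"{\\*\\objclass Word.Document.8}{\\*\\objdata "
            + payload.hex().encode("ascii") + b"}}}")


def _ooxml_sample(with_macro):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE header stub only
    return buf.getvalue()


def run_demo():
    """Triage four constructed attachments and return {name: findings}."""
    samples = {
        "invoice.doc": _rtf_sample(),
        "report.docm": _ooxml_sample(with_macro=True),
        "memo.docx": _ooxml_sample(with_macro=False),
        "contacts.accdb": b"\x00\x01\x00\x00Standard ACE DB",
    }
    return {n: triage_attachment(n, d) for n, d in samples.items()}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "->", findings or "clean")
```

In the demo, `invoice.doc` is flagged three times (extension mismatch, `\objupdate`, OLE2Link object), `report.docm` once for its VBA project, `contacts.accdb` once for its format, and `memo.docx` not at all. A real deployment would add Protected View status, the link targets inside `\objdata`, and macro content analysis, but even this much separates the lures described in the article from ordinary attachments.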

Experts will continue to monitor Gaza Cybergang; they believe the group will keep improving its tactics, techniques, and procedures (TTPs).

“Gaza Cybergang has demonstrated a large number of attacks, advanced social engineering, in addition to the active development of attacks, infrastructure and the utilization of new methods and techniques. Attackers are actively improving their toolkit in an effort to minimize their exposure to security products and services,” concluded Kaspersky. “Kaspersky Lab expects these types of attacks to intensify even more both in quality and quantity in the near term.”


Pierluigi Paganini

(Security Affairs – Gaza cybergang,  cyber espionage)

