On September 2015, security experts at Kaspersky Lab observed an increase in the activity of the group that targeted IT and Incident Response Team in the Mena (Middle East North Africa) area. The Gaza cybergang appears to be politically motivated and has been active since at least 2012, but it has intensified its activity in the Q2 2015.
Security experts speculate the group composed of Palestinian militant of Hamas, it also targeted organizations in Europe and the United States.
In the recent attacks, dubbed DustySky campaign, Gaza Cybergang targeted government organizations with two strains of malware: a downloader called Downeks and a remote access tool (RAT) named QuasarRAT.
“Palo Alto Networks Traps Advanced Endpoint Protection recently prevented recent attacks that we believe are part of a campaign linked to DustySky. DustySky is a campaign which others have attributed to the Gaza Cybergang group, a group that targets government interests in the region.” states the analysis published by PaloAlto Networks.
Researchers noticed many similarities in the TTPs of a recent campaign and the DustySky attacks that were linked to the Gaza Cybergang.
The experts noticed that the attacks were launched and the malware samples were built on days that coincide with the workweek in the Middle East.
Quasar is a free and open source RAT that was developed starting from the xRAT malware, the researchers believe that the members of the Gaza Cybergang have customized their own version starting from the source code available on GitHub.
Quasar could be used by attackers to gather information of the target, exfiltrate data and gain the complete control over the machine.
While the researchers were analyzing the C&C server used by QuasarRAT discovered it was affected by remote code execution vulnerabilities that could be exploited by a second attacker to take control of the infected machine.
“With further analysis of the Quasar RAT C2 Server, we uncovered vulnerabilities in the server code, which would allow remote code execution. This might allow a second attacker to install code of their choice – for example, their own Quasar RAT – on the original attacker’s server. We refer to this (somewhat ironic) technique as a “Double Edged Sword Attack”. We did not apply this to any live C2 servers – we only tested this with our own servers in our lab.”
“In the lab, we changed our Quasar RAT source code to use the known encryption key, and to send fake victim IP address, City, Country code, Flag, and Username. The Quasar server does not verify the RAT data, and displays this data in the RAT Server GUI when the RAT is executed and connects to the server. We found this could be used to supply compelling “victim data” to convince the attacker to connect to this “victim” via the GUI.”
As for Downeks, experts discovered that attackers used new versions of the malware written in .NET while the earlier samples had been written in native code. The malware is used to deliver other threats on the infected machine and also for reconnaissance activities (i.e. Check the infected system for the presence of security solutions)
The samples analyzed by the experts were used to hit Hebrew-speaking targets.
I suggest you read the report published by PaloAlto Network that is full of details on the reading the report published by PaloAlto Network that is full of details on the DustySky attacks and other information on the Gaza Cybergang.
(Security Affairs – Gaza cybergang, cyber espionage)