Gaza Cybergang threat actor it is back again, this time it is targeting organizations in the Middle East and North Africa (MENA) region.
Gaza Cybergang is a threat actor that is believed to be linked to the Palestinian organization Hamas, it is back again targeting organizations in the Middle East and North Africa (MENA) region.
According to the experts from Kaspersky, the hacker crew is not using some new tools and techniques.
The Gaza cybergang, aka “Gaza Hackers Team” and “Molerats,” appears to be politically motivated and has been active since at least since 2012, but it has intensified its activity in the Q2 2015.
Security experts speculate the group composed of Palestinian militant of Hamas, it also targeted organizations in Europe and the United States.
Last time we had their news was early this year when security experts from Palo Alto Networks uncovered a new cyber espionage campaign conducted dubbed DustySky campaign that targeted government organizations with two strains of malware: a downloader called Downeks and a remote access tool (RAT) named QuasarRAT.
Kaspersky has been monitoring the group’s campaigns and reported that a new victim of the hacker group is an oil and gas company in the MENA region. The hackers compromised the system at the security firm and exfiltrated information for more than a year.
The Gaza cybergang added to its arsenal an Android Trojan that was first spotted by Kaspersky in April 2017 on a command and control (C&C) server likely used by the group to target Israeli soldiers.
“While traces of Android mobile malware have been spotted, attackers have continuously used the Downeks downloader and the Quasar or Cobaltstrike RATs to target Windows devices, enabling them to obtain remote access spying and data exfiltration abilities.”
The threat actors leverage on spear phishing messages containing a malicious attachment or link. Researchers reported that in the attacks after March 2017, hackers used specially crafted Office files that delivered malware using macros.
Starting from June 2017, Gaza Cybergang also leveraged an exploit to trigger the CVE 2017-0199 patched by Microsoft in April.
“This is now achieved more efficiently using the CVE 2017-0199 vulnerability which enables direct code execution abilities from a Microsoft office document on non-patched victim Windows systems. The use of Microsoft Access database files has also enabled the attackers to maintain low levels of detection, as it’s not an uncommon method to deliver malware.” added Kaspersky.
“These developments have helped the attackers continue their operations, targeting a variety of victims and organizations, sometimes even bypassing defences and persisting for prolonged periods.”
Experts will continue to monitor Gaza Cybergang, they believe that group will continue to improve its Techniques, Tactics, and Procedures.
“Gaza Cybergang has demonstrated a large number of attacks, advanced social engineering, in addition to the active development of attacks, infrastructure and the utilization of new methods and techniques. Attackers are actively improving their toolkit in an effort to minimize their exposure to security products and services,” concluded Kaspersky. “Kaspersky Lab expects these types of attacks to intensify even more both in quality and quantity in the near term.”
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.