Gaza Cybergang, a threat actor believed to be linked to the Palestinian organization Hamas, is back, targeting organizations in the Middle East and North Africa (MENA) region.
According to the experts from Kaspersky, the hacker crew is now using some new tools and techniques.
The Gaza cybergang, aka “Gaza Hackers Team” and “Molerats,” appears to be politically motivated and has been active since at least 2012, but it intensified its activity in Q2 2015.
Security experts speculate that the group is composed of Palestinian militants of Hamas; it has also targeted organizations in Europe and the United States.
The last news of the group came early this year, when security experts from Palo Alto Networks uncovered a new cyber espionage campaign, dubbed DustySky, that targeted government organizations with two strains of malware: a downloader called Downeks and a remote access tool (RAT) named QuasarRAT.
Kaspersky has been monitoring the group’s campaigns and reported that a new victim of the hacker group is an oil and gas company in the MENA region. The hackers compromised the company’s systems and exfiltrated information for more than a year.
The Gaza cybergang added to its arsenal an Android Trojan that was first spotted by Kaspersky in April 2017 on a command and control (C&C) server likely used by the group to target Israeli soldiers.
“In mid-2017, the attackers were discovered inside an oil and gas organization in the MENA region, infiltrating systems and pilfering data, apparently for more than a year. The malware files that were found had been reported previously: https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/” reads the analysis published by Kaspersky.
“While traces of Android mobile malware have been spotted, attackers have continuously used the Downeks downloader and the Quasar or Cobaltstrike RATs to target Windows devices, enabling them to obtain remote access spying and data exfiltration abilities.”
The threat actors rely on spear phishing messages containing a malicious attachment or link. Researchers reported that in attacks after March 2017, the hackers used specially crafted Office files that delivered malware via macros.
Starting in June 2017, Gaza Cybergang also leveraged an exploit for CVE-2017-0199, a Microsoft Office vulnerability patched by Microsoft in April 2017, which gives code execution from a document without requiring the victim to enable macros.
“This is now achieved more efficiently using the CVE 2017-0199 vulnerability which enables direct code execution abilities from a Microsoft office document on non-patched victim Windows systems. The use of Microsoft Access database files has also enabled the attackers to maintain low levels of detection, as it’s not an uncommon method to deliver malware.” added Kaspersky.
“These developments have helped the attackers continue their operations, targeting a variety of victims and organizations, sometimes even bypassing defences and persisting for prolonged periods.”
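The two delivery methods described above, macro-enabled Office files and documents that carry a CVE-2017-0199-style OLE link to a remote payload, leave static traces that can be checked before a file reaches a user. The following Python script is an added example, not Kaspersky’s analysis code or any tooling of the group: it builds a few sample OOXML documents in memory (constructed input, with a placeholder hostname in the OLE link) and flags a vbaProject.bin part, an oleObject relationship with TargetMode="External", or the RTF \objupdate control word that forces the linked object to load on open. It is a triage aid, not a substitute for detonation in a sandbox.

```python
"""Static triage for Office lures: macro parts, external OLE links (CVE-2017-0199
shape) and RTF auto-update objects.  Added example; sample documents are
constructed here, not taken from any real campaign."""
import io
import re
import zipfile

# Relationship type Office uses for embedded/linked OLE objects in OOXML.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Where the VBA project lives inside Word, Excel and PowerPoint containers.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def build_docx(parts):
    """Build a minimal OOXML zip from {part_name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def scan_document(data):
    """Return a list of (finding, detail) tuples for a document given as bytes.

    macro            - a vbaProject.bin part is present (macro-enabled document)
    external_ole     - an oleObject relationship whose Target is external; this is
                       the shape CVE-2017-0199 documents use to fetch a remote payload
    rtf_objupdate    - RTF file with \\objupdate, which makes Word refresh the linked
                       object on open, the trigger used by RTF variants of the exploit
    not_office       - neither RTF nor an OOXML zip (legacy OLE2 .doc/.xls is not parsed here)
    """
    findings = []
    if data.lstrip().startswith(b"{\\rt"):
        if b"\\objupdate" in data:
            findings.append(("rtf_objupdate", "\\objupdate"))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("not_office", "")]
    names = sorted(zf.namelist())
    for part in MACRO_PARTS:
        if part in names:
            findings.append(("macro", part))
    for name in names:
        if not name.endswith(".rels"):
            continue
        rels = zf.read(name).decode("utf-8", errors="replace")
        # Each <Relationship .../> element carries Type, Target and optional TargetMode.
        for rel in re.finditer(r"<Relationship\b[^>]*>", rels):
            tag = rel.group(0)
            if OLE_REL_TYPE in tag and 'TargetMode="External"' in tag:
                m = re.search(r'Target="([^"]*)"', tag)
                findings.append(("external_ole", m.group(1) if m else "?"))
    return findings


# --- constructed samples ---------------------------------------------------
BENIGN_DOC = build_docx({
    "word/document.xml": b"<w:document/>",
    "word/_rels/document.xml.rels": (
        b'<Relationships><Relationship Id="rId1" '
        b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
        b'Target="styles.xml"/></Relationships>'
    ),
})
MACRO_DOC = build_docx({
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0placeholder",  # OLE2 magic, stub body
})
OLE_LINK_DOC = build_docx({
    "word/document.xml": b"<w:document/>",
    "word/_rels/document.xml.rels": (
        b'<Relationships><Relationship Id="rId2" '
        b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        b'Target="http://example.com/doc.hta" TargetMode="External"/></Relationships>'
    ),  # example.com is a placeholder, not a real C&C
})
RTF_DOC = b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata 00}}}"

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_DOC), ("macro", MACRO_DOC),
                          ("ole-link", OLE_LINK_DOC), ("rtf", RTF_DOC)]:
        print(label, scan_document(sample))
```

Any hit on external_ole or rtf_objupdate is worth quarantining outright; a macro hit is a policy question (many organizations still exchange macro workbooks), so pair it with the sender and the file's origin. Password-protected or legacy OLE2 containers are reported as not_office and need a separate parser.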
Experts will continue to monitor Gaza Cybergang; they believe the group will keep improving its tactics, techniques, and procedures (TTPs).
“Gaza Cybergang has demonstrated a large number of attacks, advanced social engineering, in addition to the active development of attacks, infrastructure and the utilization of new methods and techniques. Attackers are actively improving their toolkit in an effort to minimize their exposure to security products and services,” concluded Kaspersky. “Kaspersky Lab expects these types of attacks to intensify even more both in quality and quantity in the near term.”
(Security Affairs – Gaza cybergang, cyber espionage)