CyberSecurity SEE

Hamas-Linked Hackers Probe Middle Eastern Diplomats


A cyber threat group affiliated with Hamas has been conducting espionage across the Middle East.

Wirte, tracked by Palo Alto Networks' Unit 42 as "Ashen Lepus", has been spying on regional government bodies and diplomatic entities since 2018. Lately, it has been expanding its interests into countries less directly associated with the Israel-Palestine conflict, such as Oman and Morocco. To match its broadening scope, Wirte has built a new malware suite with a variety of features designed to evade security software.

"When the group first started they used very simple tools — it didn't seem like the people behind the group had a lot of technical know-how," say Unit 42 researchers, who requested anonymity for this article. "However, over the years we've seen this group evolve their tools and techniques; we're now observing an evolution and enhancement in their capabilities."

Hamas’s New Malware & TTPs

The Wirte playbook is in most respects textbook cyber espionage. Victims receive phishing emails carrying PDFs related to the Israel-Palestine conflict. When they follow a link in the PDF, they reach a file-sharing service hosting a RAR archive. Should they open its contents, they trigger a dynamic link library (DLL) sideloading attack in the background on their machine. They then see the document they were after while Wirte's infection chain quietly proceeds. Eventually, the operators perform hands-on-keyboard activity to steal documents of diplomatic and political significance.

Oddly, Unit 42 found that early Wirte campaigns did not actually deliver full and complete payloads. The researchers concluded that "previous campaigns observed in the wild were a testing phase in the development of the attack chain," which has only now come into its own with the introduction of a fully formed malware suite called "AshTag."

AshTag consists of a loader, a stager, and a backdoor that can install a variety of add-on modules, deployed in that order. Like any good espionage suite, these components were designed with stealth in mind.

For example, when it is time for the loader to pull the stager from Wirte's command-and-control (C2) infrastructure, the payload is not sitting in plain view on a web page. Instead, it is embedded within the page, sandwiched between HTML header tags, and the loader parses the outwardly benign HTML to extract it.

The backdoor takes this trick one step further: the modules it downloads can only be found by reading commented-out tags within the malicious domain's HTML, a place where most detection programs do not look. Wirte also diligently encrypts its payloads, and when published research reveals its current methods, it switches them up.
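As an added illustration (not code from the article or from Unit 42's report), the following defender-side heuristic scans fetched HTML for the two hiding spots described above: long, high-entropy base64-like runs inside HTML comments or inside the `<head>` element. The sample page, the entropy threshold and the minimum run length are constructed assumptions for the demonstration, not values taken from the AshTag analysis.

```python
import base64
import math
import re

# Constructed sample page (not real Wirte/AshTag content): a benign-looking
# page that carries one base64 blob in <head> and another in an HTML comment.
_BLOB = base64.b64encode(bytes(range(256))).decode()
SAMPLE_HTML = (
    "<html><head><title>Daily News</title>\n"
    f'<meta name="build" content="{_BLOB}">\n'
    "</head><body>\n"
    "<!-- site nav start -->\n"
    f"<!-- {_BLOB[:200]} -->\n"
    "<p>Read today's headlines.</p></body></html>"
)

# Runs of base64 alphabet characters; 64 is an assumed minimum length.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
COMMENT = re.compile(r"<!--(.*?)-->", re.S)
HEAD = re.compile(r"<head>(.*?)</head>", re.S | re.I)


def shannon_entropy(s):
    """Bits per character; base64 of binary data approaches 6.0,
    while natural-language text stays well below that."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hidden_blobs(html, min_entropy=4.5):
    """Return (location, length, entropy) for suspicious base64-like runs
    found in HTML comments or inside the <head> element."""
    findings = []
    regions = [("comment", m.group(1)) for m in COMMENT.finditer(html)]
    regions += [("head", m.group(1)) for m in HEAD.finditer(html)]
    for where, text in regions:
        for run in BASE64_RUN.finditer(text):
            ent = shannon_entropy(run.group(0))
            if ent >= min_entropy:  # assumed threshold for "looks encoded"
                findings.append((where, len(run.group(0)), round(ent, 2)))
    return findings


if __name__ == "__main__":
    for finding in find_hidden_blobs(SAMPLE_HTML):
        print(finding)
```

In a proxy or sandbox pipeline the same check can be applied to every HTML response a suspicious process fetches, so that a page whose only odd feature is an encoded blob in a comment is surfaced for review.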

Wirte’s Place in the Palestine Conflict

Wirte stands out from other Hamas-affiliated advanced persistent threats (APTs) for at least a couple of reasons.

Most notably, it has defied all Israeli war efforts in Gaza. Most Hamas-affiliated groups went silent during the war. But even as the Israel Defense Forces (IDF) took sledgehammers to the Gaza Strip, systematically throttled its electricity, and even bombed Hamas-affiliated hackers, Wirte appears to have continued unabated.

Though they are not certain, Unit 42 researchers say "the group's continuous activity throughout the conflict indeed suggests that they may be operating from outside Gaza. It could be that they're operating from the West Bank or from other countries."

That Wirte appears a step removed from the thick of the Gaza conflict might also help explain why, compared with other Hamas affiliates, it freely targets a more diverse set of Middle Eastern governments. More often than not, it is still focused on targets most closely associated with the Israel-Palestine conflict, such as Egypt, Jordan, and the Palestinian Authority itself, Hamas's rival based in the West Bank. But Wirte now seems to be bucking that trend.

Wirte's latest activity is still intrinsically tied to Palestinian affairs. Its social engineering bait makes frequent references to Hamas itself and to the ways in which regional governments such as Turkey are engaged in the conflict. But the researchers report that "we have observed scores of unique lures deployed across the Middle East, indicating a persistent and wide-reaching campaign."

Here, "wide-reaching" can be understood in both the literal and the figurative sense. Oman and Turkey are about as geographically distant from Israel as one can get, in two different directions, while still being considered Middle Eastern (and Rabat is closer to Oslo than to Jerusalem). And while Turkey's president has involved himself in the Palestinian conflict in recent years, the other two nations have kept some distance from it.

"The expansion of Ashen Lepus's victimology beyond their traditional geographic targets, coupled with new lure themes, suggests a broadening of its operational scope," Unit 42 wrote in its report. "Organizations in the Middle East, particularly in the governmental and diplomatic sectors, should remain vigilant against this evolving threat."

Reference: https://www.darkreading.com/
