URL: https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/?_thumbnail_id=30812


HAMAS-AFFILIATED THREAT ACTOR WIRTE CONTINUES ITS MIDDLE EAST OPERATIONS AND
MOVES TO DISRUPTIVE ACTIVITY

November 12, 2024
https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/



KEY FINDINGS:

 * Check Point Research has been tracking the ongoing activity of the WIRTE
   threat actor, previously associated with the Hamas-affiliated Gaza Cybergang,
   despite the ongoing war in the region.
 * The conflict has not disrupted WIRTE's activity; the group continues to
   leverage recent events in the region in its espionage operations, likely
   targeting entities in the Palestinian Authority, Jordan, Iraq, Egypt, and
   Saudi Arabia.
 * Our research indicates that the WIRTE group has expanded beyond espionage to
   conduct disruptive attacks. We have identified clear links between the custom
   malware used by the group and SameCoin, a wiper deployed against Israeli
   entities in two waves, in February and October 2024.
 * While WIRTE’s tools have evolved since the group emerged, key aspects of
   their operations remain consistent: domain naming conventions, communication
   via HTML tags, responses limited to specific user agents, and redirection to
   legitimate websites.


INTRODUCTION

WIRTE is a Middle Eastern Advanced Persistent Threat (APT) group active since at
least 2018. The group is primarily known for engaging in politically motivated
cyber-espionage, focusing on intelligence gathering likely linked to regional
geopolitical conflicts. WIRTE is believed to be a subgroup connected to Gaza
Cybergang, a cluster affiliated with Hamas.

Since late 2023, Check Point Research has been monitoring a campaign conducted
by the WIRTE group that targets entities in the Middle East, specifically the
Palestinian Authority, Jordan, Egypt, and Saudi Arabia. This campaign utilizes
custom loaders like IronWind, first disclosed in November 2023 as part of a
TA402 operation.

In addition to espionage, the threat actor recently engaged in at least two
waves of disruptive attacks against Israel. Unique code overlaps reveal ties
between the group's custom malware and SameCoin, a custom wiper deployed in two
waves in February and October 2024.

Unlike other Hamas-associated threats, such as SysJoker, this cluster's
activity has persisted throughout the war in Gaza. On one hand, the group's
ongoing activity strengthens its affiliation with Hamas; on the other hand, it
complicates the geographical attribution of this activity specifically to Gaza.

In this publication, Check Point Research reveals the activities of WIRTE in
2024, provides a technical analysis of its campaigns, and connects them to the
group's previous activity.


WIRTE – ESPIONAGE CAMPAIGNS

As tensions continue in the Middle East, multiple threat actors have exploited
the conflict to create deceptive lures in recent months. Among them, one
prominent group is WIRTE, which is believed to have ties to Hamas. WIRTE remains
highly active throughout the war, carrying out attacks across the region. The
group’s activities were first documented in 2019 by Lab52, with
further analysis released in 2021. In 2023, Proofpoint researchers identified a
campaign associated with a threat actor they refer to as TA402. The campaign
utilized IronWind, a loader that enables communication with command and control
(C2) servers and executes malicious code hidden within HTML elements. Since
then, we have observed multiple campaigns leveraging IronWind.

Check Point Research’s analysis suggests that this tool is primarily deployed by
the WIRTE group, which Proofpoint identifies as a subgroup of TA402.


SEPTEMBER 2024 CAMPAIGN – HAVOC DELIVERY

In September, we identified a new infection chain that began with a PDF file
showing an error and containing an embedded URL https://theshortner[.]com/fxT1j,
which mimics a URL shortener service.



Figure 1 – Lure PDF
(SHA-256:b7c5af2d7e1eb7651b1fe3a224121d3461f3473d081990c02ef8ab4ace13f785).

This link redirected users to a RAR archive named RAR 1178 - بيروت - تطورات
الحرب في لبنان2 (Arabic for: RAR 1178 - Beirut - Developments of the War in
Lebanon 2). The archive contained three files set up for DLL side-loading:

 * PinEnrollmentBroker.exe, a legitimate executable that has been renamed to
   match the name of the archive.
 * A PDF lure.
 * propsys.dll, which serves as the first stage of the infection process.



Figure 2 – Havoc Infection Chain.

Figure 3 – Contents of the malicious archive.

When the legitimate executable is run, propsys.dll is side-loaded. Execution
is split across two threads:

 1. The first thread searches for a file named "Document," appends a .pdf
    extension to the file it finds, and then opens it via the command line. All
    strings used by this thread are XOR encrypted with the key 01-01-1900.
 2. The second thread reads a long list of embedded IP addresses and decodes
    them by calling the RtlIpv4StringToAddressA API, which converts each
    IP-formatted string into four bytes; the decoded bytes are concatenated to
    form the next-stage payload.



Figure 4 – IP addresses that are converted into bytes of the payload.
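The two decoding steps described above, reproduced as an added Python example (this is not Check Point's or WIRTE's code). The embedded IP list and the encrypted string are constructed for the example, and the key 01-01-1900 is taken to be the ASCII bytes of that string, which is an assumption; the page does not show the key's exact encoding.

```python
"""
Added example, not Check Point's or WIRTE's code: the two decoding steps the
write-up attributes to propsys.dll, reproduced so they can be run offline.
The embedded IP list and the encrypted string below are constructed samples.
"""
import ipaddress
from itertools import cycle

# Key quoted in the write-up for the first thread's string decryption,
# taken here as ASCII bytes (assumption).
STRING_KEY = b"01-01-1900"

# Constructed stand-in for the "long list of embedded IP addresses": these four
# dotted quads unpack to the first 16 bytes of a PE header (MZ, e_cblp=0x90,
# e_cp=3, e_cparhdr=4, e_maxalloc=0xFFFF).
EMBEDDED_IPS = ["77.90.144.0", "3.0.0.0", "4.0.0.0", "255.255.0.0"]

# The string "Document" XORed with STRING_KEY (precomputed, constructed sample).
ENC_DOCUMENT = bytes.fromhex("745e4e455c485f4d")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decrypt_string(enc: bytes, key: bytes = STRING_KEY) -> str:
    """Recover one of the loader's XOR-encrypted strings."""
    return xor_bytes(enc, key).decode("ascii")


def ipv4_list_to_bytes(ips) -> bytes:
    """What RtlIpv4StringToAddressA followed by concatenation produces: each
    strict dotted quad becomes its four network-order bytes. ipaddress rejects
    shorthand such as "1.2", so a malformed entry fails loudly instead of
    silently corrupting the payload."""
    return b"".join(ipaddress.IPv4Address(ip).packed for ip in ips)


def bytes_to_ipv4_list(data: bytes) -> list:
    """Inverse transform (what the loader author ran to embed the payload);
    pads the tail to a 4-byte boundary with zeros."""
    padded = data + b"\x00" * (-len(data) % 4)
    return [str(ipaddress.IPv4Address(padded[i:i + 4]))
            for i in range(0, len(padded), 4)]


def decode_embedded_payload(ips=EMBEDDED_IPS) -> bytes:
    """Rebuild the next-stage blob from the embedded IP list."""
    return ipv4_list_to_bytes(ips)


if __name__ == "__main__":
    print(decrypt_string(ENC_DOCUMENT))
    print(decode_embedded_payload().hex())
```

The round trip matters for triage: an analyst extracting the IP strings from the DLL can run `decode_embedded_payload` over them and carve the result, and `bytes_to_ipv4_list` shows why the embedded list length is always a multiple of four bytes of payload.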

The next-stage payload delivered by propsys.dll is Havoc Demon, the agent of
the open-source Havoc post-exploitation framework, configured to communicate
with the domain master-dental[.]com. Havoc allows attackers to maintain
persistent access to compromised systems and facilitates activities such as
data exfiltration, lateral movement, and remote control.


EARLIER 2024 ACTIVITY – IRONWIND LOADER

In multiple cases observed since October 2023, the IronWind loader served as
the infection vector. The infection chain starts with a RAR archive containing
three files: a legitimate executable, setup_wm.exe, renamed to لقاء الممثلون
الوطنيون لرؤساء الأركان للاتفاق على هيكل الأمن الإقليمي.exe (National
Representatives of Chiefs of Staff Meet to Agree on Regional Security
Architecture), a lure PDF, and version.dll, which serves as the first stage of
the infection process.



Figure 5 – RAR archive.

The malware starts by saving the lure document as a PDF file and opening it
via CMD (Command Prompt). It then sends an HTTP request containing the victim's
Office version, OS version, computer name, username, and list of installed
programs to requestinspector.com to notify the attackers of a new victim.



Figure 6 – Translated lure, allegedly written by the Egyptian representative in
Ramallah about the PA budget.

Next, the malware decrypts the next-stage payload, propsys.dll, by
Base64-decoding it and XORing the result with the key "53." The primary
function of this payload (internally named stagerx64) is to send HTTP requests
with a hardcoded user agent to the C2 and scan the response for the encrypted
payload embedded within HTML tags.



Figure 7 – Base64-encoded payload embedded between HTML tags.

The only final-stage artifact we identified is Donut shellcode loading a .NET
DLL named exit-DN4-core.dll. The sole function of this DLL is to terminate the
executing process, likely a cleanup step pushed to infected machines that the
actors chose not to exploit further.



Figure 8 – exit-DN4-core.dll.


SAMECOIN AND WIRTE – DISRUPTIVE OPERATIONS

In October 2024, a malicious email campaign was sent from the legitimate email
address of an Israeli ESET reseller, targeting multiple Israeli organizations,
including hospitals and municipalities. The email carried a newly built version
of the SameCoin wiper, which had been deployed in attacks against Israel
earlier in 2024. Besides minor changes to the malware, the newer version
introduces a unique encryption function that has only been seen in WIRTE
malware.


ESET RESELLER SAMECOIN WIPER

The email warns of an alleged attack and prompts recipients to click a link
that leads to a ZIP file named ESETUnleashed_081024.zip, which contains four
legitimate DLLs and a malicious Setup.exe.



Figure 9 – Malicious email delivering the wiper

When launched, Setup.exe tries to connect to the Israel Home Front Command
site oref.org.il. It then uses the first bytes of the response as its XOR key.
This website is accessible only from inside Israel; by using the response, the
malware additionally verifies that the target is indeed Israeli.



Figure 10 – Wiper Infection Chains.

The malware then drops and decrypts the following files, which it executes:

 * image.jpg – A wallpaper.



Figure 11 – Translated wallpaper mentioning Al-Qassam Brigades, the military
wing of Hamas.

 * video.mp4 – Hamas propaganda video showing graphic attacks from October 7.
 * MicrosoftEdge.exe – A wiper component.
 * csrs.exe – An Infector component implementing two functions:
   * InfectOutlook: Sends Setup.exe as an attachment to other addresses in the
     same organization.
   * InfectAD: Copies the wiper file to remote machines within the same Active
     Directory and schedules it for execution using a Scheduled Task.

The wiper begins by enumerating all files outside a set of protected
directories (e.g., Program Files, Windows, and Users). Every file whose name
does not contain "desktop.ini" or "conf.conf" is overwritten with random bytes.

The complete analysis of the malware components was published by other
researchers.


CODE OVERLAPS WITH IRONWIND LOADER

The XOR function used in the wiper component above (MicrosoftEdge.exe) is
unique: the only other place we found it is a newer IronWind loader variant
(propsys.dll). The IronWind variant uses the key msasn1.dll, and the wiper uses
the key Saturday, October 07, 2023, 6:29:00 AM:



Figure 12 – Comparison of the encryption function in the IronWind sample and
MicrosoftEdge.exe wiper.

The shared implementation suggests that the same actor developed both tools,
and that they were possibly compiled in the same environment.


INCD SAMECOIN WIPER

The ESET-themed wiper is a newer version of a previously reported SameCoin
wiper, which was deployed in February 2024 in a malicious campaign
impersonating the Israeli National Cyber Directorate (INCD). SameCoin is a
multi-platform wiper with Android and Windows versions, and in both cases it
impersonated an INCD security update.

The Windows variant starts by checking whether the system language is set to
Hebrew, and if so, it drops four additional files:

 * Video.mp4 – Pro-Hamas propaganda video.
 * Microsoft Connection Agent.jpg – Hamas wallpaper.
 * Microsoft System Manager.exe – A Wiper component.
 * Windows Defender Agent.exe – A task spreader: a component that tries to copy
   the loader to other machines in the network and runs it there via remotely
   created scheduled tasks.

The Android variant deployed as INCD-SecurityUpdate-FEB24.apk displays the same
propaganda video as the Windows version. The wiper’s functionality lies within
the native library libexampleone.so. It starts by listing the files to be
deleted, filling them with zeros, and then deleting them from the file system.

Figure 13 – Android Wiper main function.


INFRASTRUCTURE


C2 REDIRECTS

Each malware sample we observed is configured with a unique user agent string.
If this specific user agent is present, the C2 server responds with content;
otherwise, it redirects the request to a legitimate website. Among the
redirection chains we identified are:

 * saudiday[.]org -> saudi.org
 * jordansons[.]com -> jordantimes.com
 * egyptican[.]com -> dailynewsegypt.com
 * inclusive-economy[.]com -> inclusiveeconomy.us
 * healthcarb[.]com -> healthline.com
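The two behaviours described on this page, the stager pulling a Base64 + XOR payload from between HTML tags (the IronWind section above) and the C2 serving content only to the sample's own user agent and redirecting everyone else (this section), fit together as one exchange. The following is an added Python model of that exchange, not Check Point's or WIRTE's code. The C2 is simulated in-process so it runs offline; the user agent value, the tag names, the constructed HTML page and the single-byte width of the key "53" are all assumptions, since the page states only that each sample has a hardcoded user agent and that the key is "53".

```python
"""
Added example, not Check Point's or WIRTE's code: a local model of the
IronWind-style C2 exchange described on the page. The C2 is simulated
in-process. The user agent, tag names, HTML body and the one-byte width of
the key "53" are assumptions.
"""
import base64
import re
from itertools import cycle
from typing import Dict, List, Optional, Tuple

# Assumed per-sample user agent; a placeholder, not a value from the campaign.
SAMPLE_UA = "Mozilla/5.0 (compatible; stagerx64-example)"
# One of the legitimate redirect targets listed in the write-up.
LEGIT_REDIRECT = "https://healthline.com/"
# The page says the key is "53"; treating it as a single byte is an assumption.
XOR_KEY = bytes([53])

# Constructed C2 page: an innocuous body with the stage hidden between custom
# tags. "eG+lNQ==" is base64 of b"MZ\x90\x00" XORed with 53.
C2_PAGE = (
    '<html><body><p>Loading...</p>'
    '<div id="k">eG+lNQ==</div>'
    '</body></html>'
)
PAYLOAD_RE = re.compile(r'<div id="k">([A-Za-z0-9+/=]+)</div>')


def c2_response(user_agent: str) -> Tuple[int, Dict[str, str], str]:
    """Simulated C2: serve the page only to the expected user agent; anyone
    else (sandbox, curl, a researcher's browser) gets a redirect to a
    legitimate site, exactly the gating the write-up describes."""
    if user_agent == SAMPLE_UA:
        return 200, {"Content-Type": "text/html"}, C2_PAGE
    return 302, {"Location": LEGIT_REDIRECT}, ""


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (symmetric)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def extract_stage(html: str, key: bytes = XOR_KEY) -> Optional[bytes]:
    """Stager side: locate the base64 blob between the tags, base64-decode it,
    then XOR with the key. Returns None when no blob is present."""
    match = PAYLOAD_RE.search(html)
    if not match:
        return None
    return xor_bytes(base64.b64decode(match.group(1)), key)


def fetch_stage(user_agent: str) -> Optional[bytes]:
    """End-to-end: request with the given UA and try to recover the stage.
    Only the hardcoded UA ever gets past the redirect."""
    status, _headers, body = c2_response(user_agent)
    if status != 200:
        return None
    return extract_stage(body)


def probe_gating(user_agents: List[str]) -> Dict[str, str]:
    """Analyst helper: replay the request under several user agents and record
    which ones receive content. Replaying with the UA carved from the sample is
    what turns a 'benign redirect' into a payload download."""
    result = {}
    for ua in user_agents:
        status, headers, _ = c2_response(ua)
        result[ua] = "content" if status == 200 else "redirect->" + headers["Location"]
    return result


if __name__ == "__main__":
    print(probe_gating(["curl/8.0", SAMPLE_UA]))
    print(fetch_stage(SAMPLE_UA))
```

When hunting real infrastructure, replace `c2_response` with an actual HTTP request and supply the user agent string carved from the sample; a default-UA fetch of one of the domains above returning a redirect to the paired legitimate site is consistent with this gating, not evidence that the domain is clean.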


PHISHING ACTIVITY

Some domains observed in the infrastructure were set up with phishing pages
designed to mimic the Docdroid file-uploading service.



Figure 14 – WIRTE phishing page

These legitimate-looking websites contain specific URLs designed for phishing.
When a victim accesses certain URLs, they are directed to phishing content or
legitimate documents, possibly depending on the victim’s IP address.



Figure 15 –
https://suppertools[.]com/s/?uid=181b9056-7420-4cde-8523-5c609aface73



Figure 16 –
https://healthscratches[.]com/s/?uid=06d32218-178c-49d77-b3cf-59df77c93469.


WIRTE ATTRIBUTION

We assess that WIRTE is likely connected to Hamas, based on the messaging
observed in disruptive attacks, its consistent targeting of the Palestinian
Authority (PA), and historical ties to groups associated with Hamas.

The most recent version of the SameCoin wiper alters the victim’s background to
display an image bearing the name of Hamas’s military wing, the Al-Qassam
Brigades. While this could be a potential false flag operation, we have not
observed similar mentions in wiper attacks linked to other actors, including
prominent Iranian groups.

The group’s victims align strongly with Hamas’s interests, focusing on
Palestinian issues and frequently targeting the Palestinian Authority, Hamas’s
rival in the Palestinian political sphere.

Historically, WIRTE has been associated with the Molerats and the Gaza Cyber
Gang, both of which have previously been connected to Hamas. This association
was first identified by Kaspersky and further supported by reports from
Proofpoint. In earlier WIRTE campaigns, the threat actor employed various tools,
such as VBS and PowerShell scripts, while the signature techniques remained the
same in the attacks discussed in this report:

 * The C2 server responds only to specific user agents unique to each sample;
   otherwise, it redirects to a legitimate site.
 * Retrieval of next-stage payloads embedded within HTML tags.
 * Utilization of CloudFlare services.
 * A consistent domain-naming theme focused on health, finance and countries in
   the region.


VICTIMOLOGY

The threat actor focused on various entities across the Middle East, mainly
targeting the Palestinian Authority and Jordan, based on the volume of samples
from those countries and the content of the lures. Additional activity
indicators, including file submissions, lures, and domain references, also
suggest likely targeting related to Iraq, Saudi Arabia, and Egypt.

Samples in this campaign were uploaded from several major cities in the Middle
East, including Ramallah, Baghdad, and Amman, with the following names:

Original Sample Name | Sample Name Translation
لقاء الممثلون الوطنيون لرؤساء الأركان للاتفاق على هيكل الأمن الإقليمي | National Representatives of Chiefs of Staff Meet to Agree on Regional Security Architecture
تقرير عن الوضع المالي للسلطة الفلسطينية | Report on the financial situation of the Palestinian Authority
12 سري – موافقة الاردن عل اجراء حوار امني مع ايران | 12 Secret – Jordan agrees to hold security dialogue with Iran
1178 – بيروت – تطورات الحرب في لبنان2 | 1178 – Beirut – Developments of the war in Lebanon 2

Additionally, the majority of the phishing URLs were initially submitted to
VirusTotal from Jordan.



Figure 17 – Phishing URL submissions

Some of the domains associated with this operation referenced specific
countries, which likely hints at the targeting of those countries:

 * saudiarabianow[.]org
 * saudiday[.]org
 * jordanrefugees[.]com
 * bankjordan[.]com
 * jordansons[.]com
 * egyptican[.]com
 * egyptskytours[.]com
 * egypttourism-online[.]com

On the disruptive side, the group solely focuses on Israel. The Wiper activity
utilized propaganda content and themes aimed explicitly at Israeli audiences,
with phishing emails targeting Israeli recipients. Additionally, the Wiper
activates only if the target country is Israel or the system language is set to
Hebrew.

The distinct techniques and payloads deployed against Israel differ from those
employed in other Middle Eastern countries, indicating a dual purpose: to cause
disruption in Israel and to conduct espionage in other Middle Eastern nations.


CONCLUSION

We revealed the activities and tools deployed by the longstanding WIRTE APT
group over the past year. Despite ongoing conflict in the Middle East, the group
has persisted with multiple campaigns, showcasing a versatile toolkit that
includes Wipers, Backdoors, and Phishing pages used for both espionage and
sabotage.

Our investigation also highlights WIRTE’s continued reliance on tactics such as
user agent filtering, payload building with HTML tags, redirection to news
sites, and a consistent infrastructure style.

Despite previous analyses lacking definitive conclusions, our evaluation
suggests that WIRTE is likely aligned with Hamas. This assessment is drawn from
a close examination of WIRTE’s operational history, which reveals patterns that
resonate with Hamas’s activities. Additionally, WIRTE’s selection of targets,
coupled with the nature of the content it distributes, further reinforces this
conclusion.


PROTECTIONS:

Threat Emulation:

 * APT.Wins.Wirte.ta.A/B/C/D/E/F

Harmony Endpoint:

 * ransom.win.honey
 * infoastealer.win.blackguard.d


IOCS

PE files:

Archives:

PDF:
b7c5af2d7e1eb7651b1fe3a224121d3461f3473d081990c02ef8ab4ace13f785

Infrastructure:

