Pro-Hamas Cybergang Develops New and Complex Infection Tactic

image provided by pixabay

This post is also available in: עברית (Hebrew)

This threat actor is now using an infection chain based on delivering a new initial access downloader dubbed IronWind, as was observed by cybersecurity company Proofpoint.

The Gaza Cybergang, also known as TA402, Molerats, Frankenstein, and Write, has reportedly evolved in its tactics targeting Israel and other West Asian and North African government entities and is currently operating in the interest of the Palestinian Territories. The gang has recently acquired the “IronWind” initial access downloader, which is used to download shellcodes to infected systems. They have also adjusted their delivery methods to using XLL and RAR file attachments in their phishing campaigns, instead of the previously used Dropbox links.

Proofpoint researchers have been tracking the group since 2020, and report that the infection chain is very complex. Ever since July 2023, the gang used variations of Dropbox links, XLL file attachments, and RAR file attachments to make users download multifunctional malware.

Nevertheless, despite the current conflict in the region, Proofpoint hasn’t observed any changes in TA402 targeting or seen any indications that their goals are changing.

According to Cybernews, TA402 has recently engaged in a phishing campaign using a compromised Ministry of Foreign Affairs email account to target West Asian government entities. The emails reportedly used economic-themed social engineering lures and delivered malicious links or files containing macros that installed three files, including the IronWind.

The IronWind files then start communicating with the control and command server that provides shellcode for the third stage of infection, which Proofpoint’s analysis showed served as a multipurpose loader.

The researchers explained that TA402 makes its detection more difficult by using geofencing techniques. Even with the more elaborate infection chains, the group includes URLs that redirect to decoy documents hosted on legitimate document hosting platforms, if the geofencing is not bypassed.

Proofpoint researchers assess that TA402 operates in support of Palestinian espionage objectives with a focus on intelligence collection, and warn that the cybergang remains persistent and innovative, routinely retooling its attack methods and malware.