Thread: #Hamas
A longstanding threat actor affiliated with Hamas has been conducting espionage against governments across the Middle East and destructive wiper attacks in Israel.
"Wirte" is a 6 1/2-year-old advanced persistent threat (APT) working to support Hamas' political agenda. Check Point Research identifies it as a subgroup of the Gaza Cybergang (aka Molerats), which is also thought to overlap with TA402.
Last month, Wirte puppeted the email address of a legitimate Israeli reseller of ESET software. Its lure message — sent to hospitals, municipal governments, and others — warned recipients that "Government-based attackers may be trying to compromise your device!" and included a download link.
Wirte has sometimes made use of the IronWind loader, starting in October 2023. IronWind uses a complex, multistage infection chain to drop malware, with the goal of frustrating analysis. It employs geofencing, and reflective loaders that run code directly in memory, rather than on the disk, where it might otherwise be spotted by antivirus software.
From Nov 2023
TA402 (aka Molerats and Frankenstein), which has been active for more than a decade, rolled out a new sophisticated tool named IronWind, which it used in three campaigns aimed at compromising systems within government agencies throughout the Middle East and Northern Africa, security firm Proofpoint stated in an analysis published on Nov. 14.
The link first tried to connect to the website for Israel's Home Front Command, a wing of the Israel Defense Forces (IDF) responsible for protecting civilians. Its site is accessible only to those within Israel, so if the redirection succeeded, the attack would proceed.
https://counter.social/@ecksmc/113335079089027236
Next, a downloaded zip file dropped and decrypted a pro-Hamas wallpaper JPG, a propaganda video, a tool designed to enable lateral movement within targeted networks, and the SameCoin wiper.