Thread:

longstanding threat actor affiliated with Hamas has been conducting espionage against governments across the Middle East and destructive wiper attacks in Israel.

"Wirte" is a 6 1/2-year-old advanced persistent threat (APT) working to support Hamas' political agenda. Check Point Research identifies it as a subgroup of the Gaza Cybergang (aka Molerats), which is also thought to overlap with TA402.

In recent weeks and months, Wirte has leveraged the Gaza war to spread phishing attacks against government entities spread across the region. It has also been carrying out wiper attacks in Israel. "It shows that Hamas still has cyber capabilities, even with the ongoing war," says Sergey Shykevich, threat intelligence group manager at Check Point.

research.checkpoint.com/2024/h

Last month, Wirte puppetted the email address of a legitimate Israeli reseller of ESET software. Its lure message — sent to hospitals, municipal governments, and others — warned recipients that "Government-based attackers may be trying to compromise your device!" and included a download link.

The link first tried to connect to the website for Israel's Home Front Command, a wing of the Israel Defense Forces (IDF) responsible for protecting civilians. Its site is accessible only to those within Israel, so if the redirection succeeded, the attack would proceed.

counter.social/@ecksmc/1133350

Next, a downloaded zip file dropped and decrypted a pro-Hamas wallpaper JPG, a propaganda video, a tool designed to enable lateral movement within targeted networks, and the SameCoin wiper.

Follow

Wirte has sometimes made use of the IronWind loader, starting in October 2023. IronWind uses a complex, multistage infection chain to drop malware, with the goal of frustrating analysis. It employs geofencing, and reflective loaders that run code directly in memory, rather than on the disk, where it might otherwise be spotted by antivirus software.

From Nov 2023

TA402 (aka Molerats and Frankenstein), which has been active for more than a decade, rolled out a new sophisticated tool named IronWind, which it used in three campaigns aimed at compromising systems within government agencies throughout the Middle East and Northern Africa, security firm Proofpoint stated in an analysis published on Nov. 14.

proofpoint.com/us/blog/threat-

Sign in to participate in the conversation

CounterSocial is the first Social Network Platform to take a zero-tolerance stance to hostile nations, bot accounts and trolls who are weaponizing OUR social media platforms and freedoms to engage in influence operations against us. And we're here to counter it.