Arabic-speaking cyberspies targeting BOFHs with crude but effective attacks

Special file names and domains are key

An Arabic-speaking cyber-espionage group, active since 2012, has stepped up its attacks over the last six months, according to new research from Kaspersky Lab.

The so-called "Gaza cyber-gang" focuses on attacking government entities, especially embassies, and primarily targets information technology and incident response staff. It operates in the Middle East and North Africa region, targeting mainly Egypt, the UAE, and Yemen.

The hackers' main stock-in-trade involves sending malware-laced files to IT and IR staff (i.e. spear-phishing). IT personnel are targeted because they work with elevated permissions inside organisations necessary to manage and operate IT infrastructures.

Hijacking accounts run by admins therefore makes it easier for spies and criminal hackers to gain access to sensitive systems.

Individuals working within incident response are prime targets as they also have access to a wealth of sensitive data relating to ongoing cyber investigations within their organisations, as well as special access and permissions enabling them to hunt for malicious or suspicious activities, Kaspersky Lab adds.

Despite the fact they are targeting high-level entities such as governments, the Gaza team uses well-known remote administration tools (RATs) – XtremeRAT and PoisonIvy – distributed through targeted and maliciously laced emails, so fairly basic hacking tactics really.

What the group lacks in coding sophistication they make up for with well crafted social engineering tricks, using special file names, content and domain names (e.g. gov.uae.k*m) that help the group in their hunt for targets.

Kaspersky Lab cites examples of file names that have delivered malware to a victim’s machine, which include:

  • “Indications of disagreement between Saudi Arabia and UAE.exe”
  • “Wikileaks documents on Sheikh.exe”
  • “Scandalous pictures of Egyptian militants, judges and consultants”
  • “President Mahmoud Abbas cursing Majed Faraj.exe”
  • “Leaked conversation with the Egyptian leader of military forces Sodqi Sobhi.exe”
  • “Military Police less military sexual offenses, drug offenses more.exe”

“According to the list of targets, which includes government entities in the Middle East and North Africa region, we’re witnessing politically motivated cyber-attacks,” Mohammad Amin Hasbini, senior security researcher, global research & analysis team, Kaspersky Lab, explained.

“By gaining control of computers with greater access to the system, the cyber-criminals increase their chances of stealing valuable information and are much more likely to cause significant damage,” he added.

Kaspersky Lab is reluctant to get into speculation about who might be behind the attack. “As attribution is the most complicated – often impossible – task when analysing a malicious cyber-campaign, we don’t as yet know who is behind it,” Amin Hasbini added.

More details on the Gaza cyber-gang and its ongoing campaign can be found in a post on Kaspersky Lab’s Securelist.com blog here. ®




Biting the hand that feeds IT © 1998–2018