Gaza Cybergang Returns With New Attacks On Palestinian Authority

July 12, 2018

Security researchers from Check Point's Threat Intelligence Team have uncovered the return of an APT (advanced persistent threat) group targeting organizations across the Middle East, particularly the Palestinian Authority.

The attack, dubbed "Big Bang," begins with a phishing email sent to targeted victims that carries a self-extracting archive containing two files: a Word document and a malicious executable.

Posing as a message from the Palestinian Political and National Guidance Commission, the Word document serves as a decoy to keep the victim occupied while the malware is installed in the background.

The malicious executable, which runs in the background, acts as a first-stage info-stealer used for reconnaissance to identify targets of interest (on what basis is still unclear); for selected victims it then downloads a second-stage malware designed for espionage.

The malware can send a great deal of information from infected machines to the attackers' command-and-control (C2) server, including screenshots of the infected computer, a list of files with extensions such as .doc, .odt, .xls, .ppt and .pdf, and details about the system.

In addition, the malware contains modules to execute any file it receives from the server, enumerate running processes, terminate a running process by name, and send a list of partitions found on the infected machine.

The malware also includes modules to self-destruct by deleting the payload from the Startup folder and removing the original file, and to reboot the infected system.
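Because the first-stage payload persists in the Startup folder and later erases itself from there, the Startup folders are the first place an incident responder should inventory on a suspected host. The script below is an added example written for this article, not Check Point's code or any tool of theirs: it walks the per-user and all-users Startup folders (locations assumed from the usual APPDATA and PROGRAMDATA layout), hashes every file, and flags entries with an autorun extension or a PE "MZ" header, so a payload renamed to .dat or .tmp is still caught. The demo folder it builds when run off a Windows host contains constructed placeholder files, not real malware.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File types Windows will launch from a Startup folder at logon. A .lnk
# shortcut is included because it can point at a payload stored elsewhere.
AUTORUN_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def default_startup_folders():
    """Per-user and all-users Startup folders on a Windows host (assumed
    standard locations built from environment variables). On a non-Windows
    box the list is empty and the caller supplies folders explicitly."""
    folders = []
    appdata = os.environ.get("APPDATA")
    programdata = os.environ.get("PROGRAMDATA")
    if appdata:
        folders.append(Path(appdata) / "Microsoft/Windows/Start Menu/Programs/Startup")
    if programdata:
        folders.append(Path(programdata) / "Microsoft/Windows/Start Menu/Programs/StartUp")
    return [f for f in folders if f.is_dir()]


def is_pe(path):
    """True if the file starts with the 'MZ' DOS header, whatever its
    extension, so a dropper's payload disguised as data is still spotted."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def sha256_of(path):
    """Stream the file through SHA-256 so large payloads do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_startup(folders):
    """Inventory every regular file in the given Startup folders and return a
    list of dicts for the ones a dropper could have planted: autorun
    extensions and anything carrying a PE header. Missing folders are skipped."""
    findings = []
    for folder in folders:
        folder = Path(folder)
        if not folder.is_dir():
            continue
        for entry in sorted(folder.iterdir()):
            if not entry.is_file():
                continue
            reasons = []
            if entry.suffix.lower() in AUTORUN_EXTS:
                reasons.append("autorun-extension")
            if is_pe(entry):
                reasons.append("pe-header")
            if reasons:
                findings.append({
                    "path": str(entry),
                    "name": entry.name,
                    "size": entry.stat().st_size,
                    "sha256": sha256_of(entry),
                    "reasons": reasons,
                })
    return findings


def make_demo_folder():
    """Build a constructed sample Startup folder for offline use: a benign
    desktop.ini, a PE disguised with a .dat extension, and a plain .exe.
    The contents are synthetic stand-ins (an MZ header plus padding)."""
    root = Path(tempfile.mkdtemp(prefix="startup-demo-"))
    (root / "desktop.ini").write_text("[.ShellClassInfo]\n")
    (root / "update.dat").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (root / "winsvc.exe").write_bytes(b"MZ" + b"\x00" * 30)
    return root


if __name__ == "__main__":
    # On a Windows host scan the real folders; elsewhere fall back to the demo.
    targets = default_startup_folders() or [make_demo_folder()]
    for hit in scan_startup(targets):
        print(f"{hit['sha256'][:16]}  {hit['size']:>8}  {hit['path']}  "
              f"({', '.join(hit['reasons'])})")
```

The SHA-256 column is what you would compare against threat-intelligence feeds once vendor hashes are published; the script deliberately does not embed any indicators, since this article reports none. Run it early in triage: a self-deleting payload leaves nothing in the folder once it has completed its cleanup, so a clean result on a host that has already rebooted is not proof the host was never infected.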

Researchers believe these attacks may be linked to the Gaza Cybergang APT group, an Arabic-language, politically motivated group that has been active since 2012 and has targeted oil and gas organizations in the Middle East and North Africa.

However, the researchers say it is not yet confirmed exactly which threat group is behind this campaign.