Smokey's Security Forums

Topic: Gaza Cybergang – updated 2017 activity
Posted by Scarlett (Updates Moderator, Cymru) on October 30, 2017, 11:16:12 AM

Gaza Cybergang – updated 2017 activity
Securelist, 30 October 2017, 10:00 am



Summary information

Gaza cybergang is an Arabic-speaking, politically motivated cybercriminal group that has been operating since 2012 and actively targets the MENA (Middle East and North Africa) region. Its attacks have never slowed down; typical targets include government entities and embassies, oil and gas, media and press, activists, politicians and diplomats.

One of the interesting new findings, starting from mid-2017, is the group's discovery inside an oil and gas organization in the MENA region, where it had been infiltrating systems and pilfering data for more than a year. Another is the use of the recent CVE-2017-0199 vulnerability and of Microsoft Access files with embedded download scripts, the latter helping the attackers keep detection rates low. Traces of mobile malware, which started showing up in April 2017, are also being investigated.

Recent targets of the group seem to be varied in nature: the attackers do not appear to be choosing targets selectively, but rather seeking different kinds of MENA intelligence.

Some of the interesting new updates about Gaza cybergang:

Gaza cybergang attackers have a continued interest in governmental entities in MENA

Newly identified targets include oil and gas in MENA

New tools and techniques include:

Abuse of the CVE-2017-0199 vulnerability

Use of macros inside Microsoft Access files, enabling lower detection rates

Possible Android mobile malware being used by attackers

Previous published research:

Gaza cybergang, where’s your IR team?

Kaspersky Lab products and services successfully detect and block Gaza cybergang attacks under the detection names below:

HEUR:Exploit.MSOffice.Generic

HEUR:Trojan.Win32.Cometer.gen

HEUR:Trojan.Win32.Generic

Trojan-Downloader.Win32.Downeks

Trojan-Spy.MSIL.Downeks

Win32.Bublik

Win32.Agentb

More information about Gaza cybergang is available to customers of Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com

Technical details

Gaza cybergang attacks were previously surprisingly successful in using simple and common tools to achieve their goals. The group relies on a variety of Remote Access Trojans (RATs) to perform its activities, including Downeks, Quasar and Cobalt Strike.

As recently as June 2017, the attackers started exploiting CVE-2017-0199, which gives direct code execution from a Microsoft Office document on unpatched victim systems (a Cobalt Strike payload in this case). Another finding is a possible Android trojan that the attackers hosted on one of their command servers starting in April 2017.

In most cases the malware is sent by email as a compressed attachment or as a download link; in newer cases, starting in March 2017, we have observed downloaders or Microsoft Office documents with embedded macros being sent to victims. When opened, the downloader contacts a URL or IP address to retrieve the actual payload. Once executed successfully, the malware grants the attackers full access, letting them collect files, keystrokes and screenshots from the victim's device. If the initially downloaded malware is detected on the victim, the downloader attempts to retrieve other malware files, in the hope that one of them runs undetected.

The full list of indicators of compromise (IOCs) can be found in Appendix 2. Descriptions of the most interesting lure content, malware files and related droppers, and command servers can be found in Appendix 1.

Summary of recent campaigns

Below is the list of recent findings related to Gaza cybergang operations, grouped by command and control server. Each row gives the MD5 hash, the date first seen, and the file name or social engineering lure.

Command and control server: upgrade.newshelpyou[.]com
  552796e71f7ff304f91b39f5da46499b | 25-07-2017 | nvStView.exe
  6fba58b9f9496cc52e78379de9f7f24e | 23-03-2017 | صور خاصة.exe (Translation: Special photos)
  eb521caebcf03df561443194c37911a5 | 03-04-2017 | صور خاصة.exe (Translation: Special photos)

Command and control server: moreoffer[.]life
  66f144be4d4ef9c83bea528a4cd3baf3 | 27-05-2017 | تصريح لأمير قطر واتهام الإمارات في اختراق وكالة الأنباء.exe (Translation: A statement by the Emir of Qatar accusing the UAE of hacking the news agency)
  3ff60c100b67697163291690e0c2c2b7 | 11-05-2017 | MOM.InstallProxy.exe
  b7390bc8c8a9a71a69ce4cc0c928153b | 05-04-2017 | تعرف على المنقبة التي أساءت للسعودية (Translation: Learn about the niqab-wearing woman who offended Saudi Arabia)
  f43188accfb6923d62fe265d6d9c0940 | 21-03-2017 | Gcc-Ksa-uae.exe
  056d83c1c1b5f905d18b3c5d58ff5342 | 16-03-2017 | مراسلة بخصوص اجتماع رؤساء البعثات.exe (Translation: Correspondence regarding the meeting of Heads of Missions)

Command and control server: 138.68.242[.]68
  87a67371770fda4c2650564cbb00934d | 20-06-2017 | hamas.doc; نقاط اتفاق حماس وتيار فتح الاصلاحي.doc (Translation: the points of agreement between Hamas and the reformist Fateh movement); محضر اجتماع مركزية فتح الليلة.doc (Translation: minutes of tonight's Fateh Central Committee meeting); سلفة أم راتب للموظفين يوم الثلاثاء المقبل؟.doc (Translation: An advance or a full salary for employees next Tuesday?)

Command and control server: lol.mynetav[.]org
  4f3b1a2088e473c7d2373849deb4536f | 20-06-2017 | Notepad.exe; attachment.scr; https://drive.google.com/uc?export=download&id=0B1NUTMCAOKBTdVQzTXlUNHBmZUU

Command and control server: signup.updatesforme[.]club
  7d3426d8eb70e4486e803afb3eeac14f | 04-05-2017 | Palestinian Retirement Authority Ramallah.exe
  0ee4757ab9040a95e035a667457e4bc6 | 27-04-2017 | 27-4-2017 Fateh Gaza plo.exe

Command and control server: ping.topsite[.]life
  b68fcf8feb35a00362758fc0f92f7c2e | 19-03-2017 | Downloaded by macro in MDB files: http://download.data-server.cloudns[.]club/indexer.exe
  7bef124131ffc2ef3db349b980e52847 | 13-03-2017 | الأخ اسماعيل هنية -نائب رئيس المكتب السياسي .exe (Translation: Brother Ismail Haniyeh – Deputy Head of the Political Bureau)
  d87c872869023911494305ef4acbd966 | 19-03-2017 | Downloaded by macro in MDB files: http://download.data-server.cloudns[.]club/wordindexer.exe
  a3de096598e3c9c8f3ab194edc4caa76 | 12-04-2017 | viewimages.exe
  c078743eac33df15af2d9a4f24159500 | 28-03-2017 | viewimages.exe
  70d03e34cadb0f1e1bc6f4bf8486e4e8 | 30-03-2017 | download-file.duckdns[.]org/send/Egyptian_agreement_with_President_Mahmoud_Abbas.exe
  67f48fd24bae3e63b29edccc524f4096 | 17-04-2017 | http://alasra-paper.duckdns[.]org/send/رسالة_وفد_الرئيس ابومازن_لحماس_في قطاع_غزة.rar (Translation: Message from President Abu Mazen's delegation to Hamas in the Gaza Strip)
  7b536c348a21c309605fa2cd2860a41d | 17-04-2017 | http://alasra-paper.duckdns[.]org/send/ورقة_الاسرى_المقدمة_لفك_الاضراب .rar (Translation: captives' paper submitted to end the strike)

Command and control server: alasra-paper.duckdns[.]org
  Mobile malware, hash N/A | 23-04-2017 | Possible Android malware: http://alasra-paper.duckdns[.]org/send/%D9%88%ket-Edition-1.04_ApkHouse.com/Dont-Starve-Pocket-Edition-1.04_ApkHouse.com.apk

Command and control server: hamas-wathaq.duckdns[.]org
  cf9d89061917e9f48481db80e674f0e9 | 16-04-2017 | وثائق تنشر لأول مره عن حكم حماس لقطاع غزه .exe (Translation: Documents published for the first time on Hamas's rule of the Gaza Strip)

Command and control server: manual.newphoneapp[.]com
  86a89693a273d6962825cf1846c3b6ce | 02-02-2017 | SQLiteDatabaseBrowserPortable.exe
  3f67231f30fa742138e713085e1279a6 | 02-02-2017 | SQLiteDatabaseBrowserPortable.exe

The above listed files are further described in Appendix 1.

New findings

Gaza Cybergang attackers have been continuously evolving their skills on different levels, using new methods and techniques to deliver malware and adapting their social engineering decoys to regional political and humanitarian events.

One of the interesting new findings, starting from mid-2017, is the group's discovery inside an oil and gas organization in the MENA region, where it had been infiltrating systems and pilfering data for more than a year; the malware files found belong to the families described in our previously published research.

While traces of Android mobile malware have been seen, the attackers have continued to use the Downeks downloader and Quasar or Cobalt Strike to target Windows devices, giving them remote access, spying and data exfiltration capabilities. These are now more efficient when CVE-2017-0199 is exploited, since it provides direct code execution from a Microsoft Office document on unpatched Windows systems. The use of Microsoft Access database files has also helped the attackers maintain low detection levels, since it is not a common way to deliver malware.

These developments have helped the attackers continue their operations, targeting a variety of victims and organizations, sometimes bypassing defences and persisting for prolonged periods.

1. The extended use of humanitarian and political social engineering themes in the attacks

Attackers have continuously targeted victims and organizations among government entities and embassies, oil and gas, media and press, activists, politicians and diplomats.

Gaza cybergang is increasingly relying on advanced, up-to-date social engineering themes with political and humanitarian aspects that reflect current regional events. Here is a short list of events, each of which was used multiple times:

The Palestinian Government not paying salaries to Gaza employees

Palestinian prisoners' hunger strike in Israeli jails

The political crisis in Qatar

Recent targets of the group seem to be varied in nature: the attackers do not appear to be choosing targets selectively, but rather seeking any type of intelligence.

Example lure

MD5: 66f144be4d4ef9c83bea528a4cd3baf3

تصريح لأمير قطر واتهام الإمارات في اختراق وكالة الأنباء.exe

(Translation: A statement by the Emir of Qatar accusing the UAE of hacking the news agency)

The attackers have recently been using events related to the Qatar political crisis in the Middle East to lure their victims.

Original filename: Qatar-27-5-2017.rar

Extracts to: 66f144be4d4ef9c83bea528a4cd3baf3

تصريح لأمير قطر واتهام الإمارات في اختراق وكالة الأنباء.exe

SHA256: 7fcac2f18a8844e4af9f923891cfb6f637a99195a457b6cdb916926d709c6a04

C2: moreoffer[.]life

First seen: 27 May 2017



Decoy document (translation): new details on the hack of the Qatar News Agency

2. The use of Microsoft Access files with macros

Microsoft Access files with macros are another new development by the group; macros embedded in an MS Access database are proving to have very low detection rates.

MD5: 6d6f34f7cfcb64e44d67638a2f33d619

Filename: GAZA2017.mdb

C1: http://download.data-server.cloudns[.]club/GAZA2017.mdb

Downloads and executes:

data-server.cloudns[.]club/wordindexer.exe

data-server.cloudns[.]club/indexer.exe



Decoy database (translation): database of employees not receiving salaries; click "enable content" to see the data



Figure: decrypted macro code (image not reproduced in this post)

3. Exploitation of the CVE 2017-0199 vulnerability

MD5: 87a67371770fda4c2650564cbb00934d

First seen: 20-06-2017

Filenames:

hamas.doc

نقاط اتفاق حماس وتيار فتح الاصلاحي.doc (Translation: the points of agreement between Hamas and the reformist Fateh movement)

محضر اجتماع مركزية فتح الليلة.doc (Translation: minutes of tonight's Fateh Central Committee meeting)

سلفة أم راتب للموظفين يوم الثلاثاء المقبل؟.doc (Translation: An advance or a full salary for employees next Tuesday?)

The attacks follow the typical CVE-2017-0199 pattern: an email delivers a malicious RTF document containing an OLE2Link object that references a remote resource. When the document is opened, unpatched Microsoft Word resolves the link and hands the fetched content (an HTA served with the application/hta content type) to its handler, which executes it without any further user interaction. Here the remote file was downloaded from 138.68.242[.]68; the payload is Cobalt Strike, which then connects to lol.mynetav[.]org to receive commands from the attackers. Microsoft patched the vulnerability in April 2017, which is why patch management appears among the recommendations below. Additional details on the use of CVE-2017-0199 with Cobalt Strike by Gaza cybergang can be found here: http://bobao.360.cn/learning/detail/4193.html
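The detection side of the CVE-2017-0199 delivery described above, as an added example that is not part of the Securelist report and not the group's code: a small static scanner for RTF files that flags an OLE object marked as an auto-updating link (the \objautlink and \objupdate control words) whose hex-encoded \objdata blob carries the OLE2Link class name and a UTF-16LE URL. The sample RTF is constructed inline; the URL http://192.0.2.10/update.hta and the simplified OLE 1.0 header are assumptions for the demonstration, not artefacts from the campaign.

```python
"""Static check for CVE-2017-0199-style RTF lures (added example, not report code)."""
import re

# Control words that mark an OLE object as an automatic link that refreshes
# (fetches its remote target) as soon as the document is opened.
SUSPICIOUS_CONTROL_WORDS = (b"\\objautlink", b"\\objupdate")

# The hex payload of an embedded object: {\*\objdata 0105...}
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9a-fA-F\s]+)")

# A URL stored as UTF-16LE (each ASCII byte followed by NUL), which is how the
# link moniker inside the object names its remote target.
URL_UTF16_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"
)


def extract_objdata(rtf: bytes) -> list:
    """Return the decoded binary blob of every \\objdata group in the RTF."""
    blobs = []
    for hexdata in OBJDATA_RE.findall(rtf):
        cleaned = re.sub(rb"\s+", b"", hexdata)
        if len(cleaned) % 2:          # tolerate a truncated final nibble
            cleaned = cleaned[:-1]
        try:
            blobs.append(bytes.fromhex(cleaned.decode("ascii")))
        except ValueError:
            continue
    return blobs


def scan_rtf(rtf: bytes) -> dict:
    """Classify an RTF as 'clean', 'suspicious' or 'not-rtf' for OLE2Link abuse."""
    result = {
        "is_rtf": rtf.lstrip().startswith(b"{\\rtf"),
        "control_words": [],
        "ole2link": False,
        "urls": [],
        "verdict": "clean",
    }
    if not result["is_rtf"]:
        result["verdict"] = "not-rtf"
        return result

    result["control_words"] = [
        cw.decode() for cw in SUSPICIOUS_CONTROL_WORDS if cw in rtf
    ]
    for blob in extract_objdata(rtf):
        if b"OLE2Link" in blob:
            result["ole2link"] = True
        for m in URL_UTF16_RE.finditer(blob):
            result["urls"].append(m.group(0).decode("utf-16-le"))

    # OLE2Link alone is worth a look; an auto-link object plus a URL is the classic lure.
    if result["ole2link"] or (result["control_words"] and result["urls"]):
        result["verdict"] = "suspicious"
    return result


def build_sample_rtf(url: str) -> bytes:
    """CONSTRUCTED test input: a minimal RTF wrapping a simplified OLE 1.0 object
    whose class name is OLE2Link and whose link target is `url`. The header bytes
    are illustrative, not a byte-exact copy of a real lure."""
    blob = (
        b"\x01\x05\x00\x00"            # OLE version
        + b"\x02\x00\x00\x00"          # format id
        + b"\x09\x00\x00\x00"          # class name length
        + b"OLE2Link\x00"              # class name
        + b"\x00" * 8                  # padding standing in for moniker fields
        + url.encode("utf-16-le")      # link target, UTF-16LE
        + b"\x00\x00"
    )
    head = b"{\\rtf1\\ansi\\deff0 {\\object\\objautlink\\objupdate\\objw1\\objh1{\\*\\objdata "
    return head + blob.hex().encode("ascii") + b"}}\\par}"


if __name__ == "__main__":
    print(scan_rtf(build_sample_rtf("http://192.0.2.10/update.hta")))
    print(scan_rtf(b"{\\rtf1\\ansi Hello, world.\\par}"))
```

The check is deliberately narrow: real lures often obfuscate the control words or split the hex blob across many lines, so in production this belongs behind an RTF normaliser and alongside a YARA rule rather than as the only gate.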

4. Possible Android mobile malware

Traces of APK files have been seen on one of the attackers' command servers starting from 23-04-2017.

URL: http://alasra-paper.duckdns[.]org/send/%D9%88%ket-Edition-1.04_ApkHouse[.]com/Dont-Starve-Pocket-Edition-1.04_ApkHouse[.]com.apk



The file name (Dont-Starve-Pocket-Edition-1.04_ApkHouse[.]com.apk) is that of an Android application posing as a popular game. We believe this Android trojan could be related to a previously investigated Android trojan active around the Gaza Strip.

Conclusion

Gaza Cybergang has carried out a large number of attacks with advanced social engineering, and is actively developing its attacks and infrastructure and adopting new methods and techniques. The attackers are actively improving their toolkit in an effort to minimize their exposure to security products and services. Kaspersky Lab expects these attacks to intensify further, in both quality and quantity, in the near term.

To protect your company from this kind of malware, Kaspersky Lab researchers recommend the following measures:

Educating staff to distinguish spear-phishing emails and phishing links from legitimate emails and links

Using a proven corporate-grade security solution in combination with an anti-targeted-attack solution capable of catching attacks by analyzing network anomalies

Providing security staff with access to the latest threat intelligence data, such as indicators of compromise and YARA rules, which arm them for targeted-attack prevention and discovery

Making sure enterprise-grade patch management processes are well established and executed.

More information about Gaza cybergang is available to customers of Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com

Appendix 1: malware files descriptions and decoys

Below we list descriptions of the malware files found starting from March 2017, including the decoys used, the dates the files were first seen and their parent files.

b7390bc8c8a9a71a69ce4cc0c928153b

Parent file: 970e6188561d6c5811a8f99075888d5f (5-4-2017.zip)

C2: moreoffer[.]life

First seen: 5 April 2017



Decoy document (translation): Get to know the niqab-wearing woman who is speaking badly of the Kingdom

f43188accfb6923d62fe265d6d9c0940

Filename: Gcc-Ksa-uae.exe

C2: moreoffer[.]life (185.11.146[.]68)

First Seen: 21 March 2017



Decoy document (translation): The permanent delegation of the Cooperation Council for the Arab States of the Gulf (GCC) to the United Nations and other international organizations, Geneva

056d83c1c1b5f905d18b3c5d58ff5342

Filename: مراسلة بخصوص اجتماع رؤساء البعثات.exe

Translation: Correspondence regarding the meeting of Heads of Missions (Saudi related)

Parent file: fb549e0c2fffd390ee7c4538ff30ac3e

C2: moreoffer[.]life

First Seen: 16 March 2017



Decoy document (translation): The fourth foreign meeting of the Kingdom's heads of missions, under the title "message of the ambassador"

0ee4757ab9040a95e035a667457e4bc6

Filename: 27-4-2017 Fateh Gaza plo.exe

C2: signup.updatesforme[.]club

First seen: 27 April 2017



Decoy document (translation): Clarification report

7bef124131ffc2ef3db349b980e52847

الأخ اسماعيل هنية -نائب رئيس المكتب السياسي .exe

(Translation: Brother Ismail Haniyah – Deputy Head of the Political Bureau)

C2: ping.topsite[.]life

First seen: 14 March 2017



Decoy document (translation): Brother Ismail Haniyah – Deputy Head of the Political Bureau

70d03e34cadb0f1e1bc6f4bf8486e4e8

download-file.duckdns[.]org/send/Egyptian_agreement_with_President_Mahmoud_Abbas.exe

C1: download-file.duckdns[.]org

C2: ping.topsite[.]life

First seen: 30 March 2017



Decoy document (translation): methods to apply the Palestinian national agreement pact

67f48fd24bae3e63b29edccc524f4096

C1: http://alasra-paper.duckdns[.]org/send/رسالة_وفد_الرئيس ابومازن_لحماس_في قطاع_غزة.rar

C2: ping.topsite[.]life

RAR extracts to: 5d74487ea96301a933209de3d145105d

رسالة_وفد_الرئيس ابومازن_لحماس_في قطاع_غزة.exe

First seen: 17 April 2017



Decoy document (translation): a severely threatening message from Abbas's delegation to Hamas

7b536c348a21c309605fa2cd2860a41d

C1: http://alasra-paper.duckdns[.]org/send/ورقة_الاسرى_المقدمة_لفك_الاضراب .rar

Extracts to: d973135041fd26afea926e51ce141198, named (using the RTLO technique):

ورقة الاسرى المقدمة لفك الاضراب .exe

Translation: captives' paper submitted to end the strike

C2: ping.topsite[.]life

First seen: 17 April 2017



Decoy document (translation): The primary demands of the captives in the strike of freedom and dignity

cf9d89061917e9f48481db80e674f0e9

وثائق تنشر لأول مره عن حكم حماس لقطاع غزه .exe (c11516cd8c797f0182d63cdf343d08ed)

Translation: Documents published for the first time on Hamas's rule of the Gaza Strip

C1: http://hamas-wathaq.duckdns[.]org/send/وثائق_تنشر_لأول_مره_عن_حكم_حماس_لقطاع_غزه.rar

C2: ping.topsite[.]life

First seen: 16 April 2017



Decoy document (translation): Scandals and facts published for the first time on Hamas's rule of the Gaza Strip
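Several entries in this appendix are executables named to look like documents, one of them (7b536c348a21c309605fa2cd2860a41d) using the right-to-left override (RTLO) trick and a space before ".exe". The following is an added example, not part of the Securelist report and not a Kaspersky tool: an attachment-name check of the kind a mail gateway would apply to every attachment and archive member. It shows what the recipient would see after an RLO override, what extension Windows actually dispatches on, and whether the two disagree. The names in the demo are constructed (the RLO sample is invented; only the Arabic ".exe" name and the two short names are taken from this report).

```python
"""Attachment-name checks for executable lures (added example, not report code)."""

# Extensions Windows executes on double-click (.exe and .scr appear in the report's lures).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".lnk", ".msi",
}
# Extensions a recipient expects to be harmless.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt", ".jpg", ".png"}
# Unicode bidirectional controls; U+202E (right-to-left override) is the one
# abused to make "...fdp.exe" render as "...exe.pdf".
BIDI_CONTROLS = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}
RLO = "\u202e"


def displayed_name(name: str) -> str:
    """Approximate a left-to-right file browser: everything after an RLO is drawn reversed."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def strip_controls(name: str) -> str:
    """Drop bidi controls and trailing spaces; this is the name the OS resolves."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS).rstrip()


def true_extension(name: str) -> str:
    """Extension the OS actually dispatches on (last dot of the control-free name)."""
    stripped = strip_controls(name)
    dot = stripped.rfind(".")
    return stripped[dot:].lower() if dot != -1 else ""


def assess_attachment_name(name: str) -> dict:
    """Signals a mail gateway would log for one attachment (or archive member) name."""
    real_ext = true_extension(name)
    shown = displayed_name(name)
    shown_ext = true_extension(shown)
    # Extension sitting just before the real one, e.g. ".pdf" in "report.pdf.exe".
    inner_ext = true_extension(strip_controls(name)[: -len(real_ext)]) if real_ext else ""
    bidi = any(ch in BIDI_CONTROLS for ch in name)
    executable = real_ext in EXECUTABLE_EXTENSIONS
    disguised = executable and (
        bidi or shown_ext in DOCUMENT_EXTENSIONS or inner_ext in DOCUMENT_EXTENSIONS
    )
    if executable:
        verdict = "block"
    elif bidi:
        verdict = "review"      # no executable extension, but nobody names files with RLO by accident
    else:
        verdict = "allow"
    return {
        "name": name,
        "displayed_name": shown,
        "true_extension": real_ext,
        "bidi_control": bidi,
        "executable": executable,
        "disguised": disguised,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # CONSTRUCTED demo names; the RLO one is invented, the others mirror the report's lure style.
    for n in ("hamas.doc", "attachment.scr", "ورقة الاسرى المقدمة لفك الاضراب .exe",
              "Qatar_statement_\u202excod.exe", "report.pdf.exe"):
        print(assess_attachment_name(n))
```

The RAR and ZIP parents listed above mean the check must be applied to archive members, not just to the outer attachment; the outer ".rar" is harmless on its own.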

Appendix 2: List of IOCs

Malicious domain names

moreoffer[.]life

signup.updatesforme[.]club

ping.topsite[.]life

alasra-paper.duckdns[.]org

hamas-wathaq.duckdns[.]org

download.data-server.cloudns[.]club

upgrade.newshelpyou[.]com

manual.newphoneapp[.]com

hnoor.newphoneapp[.]com

lol.mynetav[.]org

IP addresses

138.68.242[.]68

185.86.149[.]168

185.11.146[.]68

45.32.84[.]66

45.32.71[.]95

107.161.27[.]158

46.246.87[.]74

Hashes

MD5

87a67371770fda4c2650564cbb00934d

4f3b1a2088e473c7d2373849deb4536f

c078743eac33df15af2d9a4f24159500

3ff60c100b67697163291690e0c2c2b7

a3de096598e3c9c8f3ab194edc4caa76

7d3426d8eb70e4486e803afb3eeac14f

3f67231f30fa742138e713085e1279a6

552796e71f7ff304f91b39f5da46499b

6fba58b9f9496cc52e78379de9f7f24e

eb521caebcf03df561443194c37911a5

b68fcf8feb35a00362758fc0f92f7c2e

d87c872869023911494305ef4acbd966

66f144be4d4ef9c83bea528a4cd3baf3

b7390bc8c8a9a71a69ce4cc0c928153b

f43188accfb6923d62fe265d6d9c0940

056d83c1c1b5f905d18b3c5d58ff5342

0ee4757ab9040a95e035a667457e4bc6

7bef124131ffc2ef3db349b980e52847

70d03e34cadb0f1e1bc6f4bf8486e4e8

67f48fd24bae3e63b29edccc524f4096

7b536c348a21c309605fa2cd2860a41d

cf9d89061917e9f48481db80e674f0e9

6d6f34f7cfcb64e44d67638a2f33d619

86a89693a273d6962825cf1846c3b6ce

5472d0554a0188c0ecebd065eddb9485

SHA256

0b6fe466a3ba36895208e754b155a193780c79ba8b5c1c9f02c4f7e479116e5f

0c4aa50c95c990d5c5c55345626155b87625986881a2c066ce032af6871c426a

0d235478ae9cc87b7b907181ccd151b618d74955716ba2dbc40a74dc1cdfc4aa

1f2b128d26a58a572ea1faee2c4d9dc759eb8add16d9ad0547b3f0305fea212a

205f32cc717c2d82baeff9ff5aa9fc31967b6ae5cde22fafe14aec9c9ec62acc

284af7a2fafdbff3bbc28b9075f469d2352758b62d182b0e056d29ee74688126

344dc6ece5a6dacce9050a65305d4b34865756051a6f414477b6fa381e1c1b63

42e4298f5162aba825309673187e27121e3f918238e81f3a6e021c03f3455154

44a8d0561a9cc6e24d6935ff4c35b7b7db50c4001eb01c48ea1cfd13253bc694

57a12f20c6bbd69b93e76d6d5a31d720046b498aa880b95b85a4f3fda28aac4f

72b039550d31afaeee11dedf7d80333aeda5c504272d426ae0d91bc0cd82c5b0

72d2ad8f38e60c23c96698149507fc627664a5706a4431b96014fbf25495b529

788f7fd06030f87d411c61efbc52a3efca03359570353da209b2ce4ccf5b4b70

7fcac2f18a8844e4af9f923891cfb6f637a99195a457b6cdb916926d709c6a04

84adba3c81ad1c2a8285c31d1171f6f671492d9f3ed5ee2c7af326a9a8dc5278

852ccc491204f227c3da58a00f53846296454d124b23021bdb168798c8eee2fb

86bd78b4c8c94c046d927fb29ae0b944bf2a8513a378b51b3977b77e59a52806

9347a47d63b29c96a4f39b201537d844e249ac50ded388d66f47adc4e0880c7e

b597d7b5b9c2f1962257f912e911961ad0da4c28fc6a90a0b7db4e242aa007d8

bfb88878a22c23138a67cc25872e82d77e54036b846067ddc43e988c50379915

c23f715c8588c8d8725352ed515749389d898996107132b2d25749a4efc82a90

c47bc2c15f08655d158bb8c9d5254c804c9b6faded526be6879fa94ea4a64f72

db53b35c80e8ec3f8782c4d34c83389e8e9b837a6b3cc700c1b566e4e4450ec2

dd9debe517717552d7422b08a477faa01badbcc4074830c080a1a1c763e1a544

b800d29d6e1f2f85c5bc036e927c1dae745a3c646389599b0754592d76b5564b
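The indicators above are only useful once matched against telemetry. As an added example, not part of the report and not a Kaspersky tool, the following Python takes a subset of the defanged indicators exactly as printed in this appendix, refangs them, and runs them over a handful of constructed DNS, proxy and antivirus log lines (the hosts, client IPs, timestamps and log format are invented for the demonstration). It matches subdomains of listed hosts and compares MD5 values case-insensitively, two details that naive grep-based matching misses.

```python
"""Match the report's IOCs against log lines (added example, not report code)."""
import re

# Defanged IOCs copied from Appendix 2 (subset) plus two MD5s from the campaign table.
IOC_TEXT = """
moreoffer[.]life
ping.topsite[.]life
lol.mynetav[.]org
download.data-server.cloudns[.]club
138.68.242[.]68
185.11.146[.]68
87a67371770fda4c2650564cbb00934d
66f144be4d4ef9c83bea528a4cd3baf3
"""

# CONSTRUCTED log lines: the format, client IPs and hostnames are invented.
SAMPLE_LOGS = [
    "2017-06-20T10:12:01Z dns client=10.0.0.5 query=lol.mynetav.org type=A",
    "2017-06-20T10:12:03Z proxy client=10.0.0.5 method=GET url=http://138.68.242.68/ status=200",
    "2017-06-20T10:15:00Z dns client=10.0.0.7 query=www.example.com type=A",
    "2017-06-21T08:00:00Z av host=ws12 file=hamas.doc md5=87A67371770FDA4C2650564CBB00934D action=quarantine",
    "2017-06-21T08:01:00Z dns client=10.0.0.9 query=cdn.download.data-server.cloudns.club type=A",
]

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
# Tokens worth checking inside a log line.
HEX32_TOKEN_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
IPV4_TOKEN_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HOST_TOKEN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(value: str) -> str:
    """Turn 'x[.]y' / 'hxxp://' into the literal form that appears in logs."""
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def load_iocs(text: str) -> dict:
    """Sort refanged IOCs into domains, IPs and MD5 hashes."""
    iocs = {"domain": set(), "ip": set(), "md5": set()}
    for raw in text.splitlines():
        v = refang(raw)
        if not v:
            continue
        if IPV4_RE.match(v):
            iocs["ip"].add(v)
        elif MD5_RE.match(v):
            iocs["md5"].add(v)
        else:
            iocs["domain"].add(v)
    return iocs


def domain_hits(host: str, domains: set) -> set:
    """Exact match or any subdomain of a listed host (cdn.evil.tld hits evil.tld)."""
    host = host.lower().rstrip(".")
    return {d for d in domains if host == d or host.endswith("." + d)}


def match_line(line: str, iocs: dict) -> list:
    """Return sorted (ioc_type, matched_value) pairs found in one log line."""
    hits = set()
    for h in HEX32_TOKEN_RE.findall(line):
        if h.lower() in iocs["md5"]:
            hits.add(("md5", h.lower()))
    for ip in IPV4_TOKEN_RE.findall(line):
        if ip in iocs["ip"]:
            hits.add(("ip", ip))
    for host in HOST_TOKEN_RE.findall(line):
        for d in domain_hits(host, iocs["domain"]):
            hits.add(("domain", d))
    return sorted(hits)


def scan_logs(lines, iocs: dict) -> list:
    """Return (line_number, line, hits) for every line that touches an IOC."""
    findings = []
    for i, ln in enumerate(lines, 1):
        hits = match_line(ln, iocs)
        if hits:
            findings.append((i, ln, hits))
    return findings


if __name__ == "__main__":
    for lineno, line, hits in scan_logs(SAMPLE_LOGS, load_iocs(IOC_TEXT)):
        print(f"line {lineno}: {hits}\n    {line}")
```

Dynamic-DNS hosts such as the duckdns[.]org and cloudns[.]club entries are shared infrastructure, so a hit on the parent domain alone is not evidence; match the full listed hostname (as above) and treat the IP list as time-bound, since the addresses will have been reassigned long after the report date.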



Source: Securelist - Information about Viruses, Hackers and Spam
