Gaza Cybergang Group1, operation SneakyPastes

Gaza Cybergang(s) is a politically motivated Arabic-language cyberthreat actor, actively targeting the MENA (Middle East North Africa) region, especially the Palestinian Territories.

The confusion surrounding Gaza Cybergang’s activities, separation of roles and campaigns has been prevalent in the cyber community. For a while, the gang’s activities seemed scattered, involving different tools and methods, and different malware and infection stages, although there was an alignment in its goals…

During our 2018 monitoring of this group, we were able to identify different techniques utilized by very similar attackers in the MENA region, sometimes on the same target. The findings led to us distinguishing between three attack groups operating within Gaza Cybergang:

• Gaza Cybergang Group1 (classical low-budget group), also known as MoleRATs;
• Gaza Cybergang Group2 (medium-level sophistication) with links to previously known Desert Falcons;
• Gaza Cybergang Group3 (highest sophistication) whose activities previously went by the name Operation Parliament.

The groups use different styles and, in some cases, techniques, but deploy common tools and commands after initial infection. The three attack groups were identified sharing victims. For example, Group1 would deploy a script to infect a specific victim with malware belonging to Group2, or similarly between Group2 and Group3.

More information on previous Desert Falcons (Group2) and Operation Parliament (Group3) activities can be found below:

• Group2: ‘The Desert Falcons targeted attacks‘
• Group3: ‘Operation Parliament, who is doing what?‘

Additional findings on Gaza Cybergang Group2 and Group3 will be presented in future publications. For more information, please contact: intelreports@kaspersky.com

Summary

Gaza Cybergang Group1, described in this post, is the least sophisticated of the three attack groups and relies heavily on the use of paste sites (with the operation name SneakyPastes) in order to gradually sneak a remote access Trojan (RAT) or multiple, onto victim systems. The group has been seen employing phishing, with several chained stages to evade detection and extend command and control server lifetimes. The most popular targets of SneakyPastes are embassies, government entities, education, media outlets, journalists, activists, political parties or personnel, healthcare and banking.

In this post, we’ll take a closer look at Gaza Cybergang Group1, including:

1. Updated 2018/2019 tactics, techniques and procedures
2. Victimology of the group between Jan 2018 and Jan 2019
3. Historical checkpoints and politicized graphical decoys in Appendix I
4. Full list of indicators of compromise in Appendix II

Technical analysis

Through our continuous monitoring of threats during 2018, we observed a new wave of attacks by Gaza Cybergang Group1 targeting embassies and political personnel. Gaza Cybergang Group1 is an attack group with limited infrastructure and an open-source type of toolset, which conducts widespread attacks, but is nevertheless focused on Palestinian political problems. The attackers rely a lot on chained attack stages to evade quick detection and hide the communication infrastructure.

After an analysis of the samples, and through collaboration efforts with law enforcement agencies, we were able to uncover the full cycle of the intrusions that spread across the majority of the cyber kill chain, including but not limited to the toolset used, TTPs, infrastructure, action on objectives and the victimology. These efforts have led to the takedown of a large portion of the related infrastructure.

In this campaign, Gaza Cybergang used disposable emails and domains as the phishing platform to target the victims. Then pastebin.com, github.com, mailimg.com, upload.cat, dev-point.com and pomf.cat were used as channels for the different malware stages before achieving a full RAT implementation, which then communicates with the corresponding C2 server.

We have identified several implants that leveraged PowerShell, VBS, JS, and dotnet for resilience and persistence. The final stage, however, is a dotnet application that takes several commands such as directory listing, screenshot, compress, upload, etc. It then creates random long string folder names in temp directories to host the collected files per category before compressing, encrypting and uploading to the C2 server.

Spreading

The threat actor seemed able to spread attacks widely, but only deployed additional tools and data collection functions in specific cases, as though they had a target list or a filter for targeted victims. Phishing emails with political themes were used in the majority of the observed attack emails. These were necessary to lure the intended type of victims – people involved in politics.

In order to meet the phishing emails’ infrastructure requirements, disposable domains and emails were used as the delivery medium. On occasions, the phishing emails contained links to external domains to download the first stage, and sometimes the first stage was attached to the email itself.

If the user clicks on the link, he will be prompted to download a RAR file that contains the stage 1 malware/lure, which he will execute afterwards.

Intrusion life-cycle analysis

The diagram below displays at a high level the steps taken by typical Gaza Cybergang Group1 lure samples. While different samples may use different methods to infect (i.e. invoke PowerShell, VBS, .NET app downloader, etc.), they generally stick to the same scenario of a persistent RAT that steals data and uploads it to the C2 server despite the different hard-coded domains.

This sample ZIP file, which is similar to many other stage 1 downloaders in this campaign, contains an executable that is a compiled AutoIt script and which embeds some interesting functions (listed in the table below). The executable attempts to download a couple of files from different sources and saves them in the AppData and Startup folders for persistence, then invokes the first downloaded file – Picture2.exe.

Embedded functions

After analyzing the files downloaded from the above first stage malware, it was clear that the threat actor wanted to achieve stable persistence on the victim machine, and also used more than one technique to exfiltrate data. The analyzed samples had a lot of similarities in terms of the code used and especially in the persistence techniques.

Malware features

All the stages’ executables are created as chains to avoid detection and protect the C2 server. They consist mainly of persistence mechanisms and simple instructions despite their different forms (VBS scripts, PowerShell scripts, known software with open source code that can be backdoored, and in-house built dotnet apps). The RAT, however, had a multitude of functionalities (as listed in the table below) such as to download and execute, compress, encrypt, upload, search directories, etc. The threat actor’s main objective for using this RAT (known as Razy/NeD worm/Wonder Botnet) was obvious from the victim data that was collected – it was to search for specific file extensions such as PDF, DOC, DOCX, XLS, and XLSX, where they are compressed in RAR files per category, stored in temp directories within a folder named by victim ID (bot ID – long MD5 string), encrypted and uploaded to the C2.

Infrastructure

In 2018, the threat actor mostly relied on a single C2 server (192.169.7.250) and rotated a multitude of domain names over a period of time. However, the attacks different stages were hosted on a variety of free sites such as Mailimg, Github, Pastebin, dev-point.co, a.pomf.cat, and upload.cat.

The phishing email infrastructure though relied on disposable email providers such as bit-degree.com, mail4gmail.com, careless-whisper.com and others.

Victimology

Based on the analyzed metrics, the victims were spread across 39 countries and reached 240+ unique victims. The Palestinian Territories host the majority of the victims, followed by Jordan, Israel, then Lebanon, as noted in the below table.

The most targeted entities are embassies, government entities, education, media outlets, journalists, activists, political parties or personnel, healthcare and banking.

Conclusions

While Gaza Cybergang Group1 described in this post looks like a low sophistication group, with limited infrastructure and attack files that can be found in the wild, they are the most relentless in their attacks, with continuous targeting and high malleability. This has allowed the group to achieve reasonable success against a relatively wide array of victims.

Gaza Cybergang is evolving and adapting to the MENA region – a complex setting with complex requirements. The attacks are now divided into three groups with different levels of sophistication and different levels of targeting. We expect the damage caused by these groups to intensify and the attacks to extend into other regions that are also linked to the complicated Palestinian situation. The attackers also seem to be within reach of more advanced tools, techniques and procedures, and we expect them to rely more on these in future attacks. More information on Desert Falcons (Group2) and Operation Parliament (Group3) will be presented in future publications.

Appendix I – Main historical checkpoints and politicized decoys Gaza Cybergang Group1 2016-2019

MD5 Hash	First seen	Filename/Decoy	Translation/Explanation	C2 server
B3a472f81f800b32fe6595f44c9bf63b	Feb 2016	برقية وزارة الخارجية التركية لسيادتكم حول موضوع هام.exe	Translation: Letter for you from the Turkish Ministry of Foreign Affairs on Russian military operations in Syria	en.gameoolines.com (185.117.72.190)
Df3f3ad279ca98f947214ffb3c91c514 e8a29c7a6f6c0140152ca8a01e336b37	March 2016	president abu mazen meetings with khaled meshaal.lha		dw.downloadtesting.com (185.117.75.105)
f9bcc21fbb40247167c8c85ed6ef56e3	March 2016	دراسة.lha		Dl.topgamse.com (45.63.97.44)
D9dbb65a42ffe0575f0e99f7498a593e	April 2016	برقية الخارجية السعودية لسيادتكم يرجي الإطلاع – مهم.exe	Translation: Saudi Foreign Affairs telegram for you, please see – important.exe	en.gameoolines.com (185.117.72.190)
221EEF8511169C0496BBC79F96E84A4A	April 2016	تقرير السعودية والمعلومات المتوفر – ونستكمل عند التوفر.exe	Translation: Report on Saudi available information, to be updated with new info upon availability	dw.downloadtesting.com (185.117.75.105)
62DF4BC3738BE5AD4892200A1DC6B59A Inside: 55d33d9da371fdfe7871f2479621444a	May 2016	معلومات عن هجوم محتمل من الحوثيين على مواقع سعودية – خاص.exe	Translation: Information on possible attack by Houthis on Saudi sites – private	dw.downloadtesting.com (185.117.75.105)
838696872F924D28B08AAAA67388202E	May 2016	عاجل المخابرات المصرية.exe	Translation: Urgent Egyptian Intelligence	dw.downloadtesting.com (185.117.75.105)
e8be9843c372d280a506ac260567bf91	May 2016	برقية وزارة الخارجية السعودية.exe	Translation: Saudi Foreign Affairs telegram.exe Message on the 34th GCC for Interior Ministers.	Wiknet.wikaba.com (104.200.67.190) Wiknet.mooo.com
55d33d9da371fdfe7871f2479621444a	May 2016	نموذج ترشيج الدورة الخاصة .rar	Translation: Form for private training selection Application for a certain legal training program for judges in the UAE	dw.downloadtesting.com (185.117.75.105)
e782610bf209e81ecc42ca94b9388580	July 2016	عاجل – مؤتمر ايران.exe	Translation: Urgent – Iran conference	dw.downloadtesting.com (185.117.75.105)
5db18ab35d29d44dda109f49d1b99f38	June 2017	פרצת פרטיות בכרום מאפשרת לאתרים להקליט אתכם ללא ידיעתכם.exe	Translation: A privacy breach in Chrome allows sites to record you without your knowledge	Wiknet.wikaba.com (104.200.67.190) wiknet.mooo.com
Dae24e4d1dfcdd98f63f7de861d95182	June 2017	مراسلات العتيبة.. وثائق ومعلومات.exe	Translation: Al Otaiba correspondence. Documents and information Explanation: Yousef Al Otaiba is the current United Arab Emirates ambassador to the United States and Minister of State. The decoy discusses leaks that were reported in 2017 of his emails.	Wiknet.wikaba.com (104.200.67.190) wiknet.mooo.com
2358dbb85a29167fa66ee6bf1a7271cd	April 2018	كتاب وزارة الخارجية الإماراتية لسيادتكم.exe	Translation: Book of the UAE MOFA for you. Explanation: Document that looks as if it comes from the UAE MOFA discussing a political meeting between GCC countries and the EU in Belgium	dw.downloadtesting.com (185.117.75.105)
10dfa690662b9c6db805b95500fc753d	Sept 2018	محضر اجتماع على الهاتف بين رئيس المكتب السياسي لحركة حماس اسماعيل هنية ورئيس المخابرات المصرية.exe	Translation: Minutes of a phone call between the head of the political bureau of Hamas Ismail Haniya and the head of Egyptian intelligence	Upload.cat (download site)
6b5946e326488a8c8da3aaec2cb6e70f	Sept 2018		Explanation: Document discusses a radio talk by Khalid ‘Abd al-Majid, head of a breakaway faction of the Palestinian Popular Struggle Front, a minor left-wing group within the Palestinian Liberation Organization. He talks about an agreement between al-Nusra and ISIS militants to leave the Palestinian Yarmouk camp in Syria.	Wiknet.wikaba.com (192.169.7.250) Wiknet.mooo.com
342a4d93df060289b2d8362461875905	Oct 2018	تسريب من داخل القنصلية السعودية حول مقتل جمال خاشقجي.exe	Translation: Leak from the Saudi consulate on the death of Jamal Khashoggi	Time-loss.dns05.com (192.169.7.250)
c9cae9026ee2034626e4a43cfdd8b192	Jan 2019	محضر اجتماع السفير القطري العمادي مع الوفد المصري في رام الله .exe	Translation: Minutes of meeting of Qatari Ambassador Emadi with the Egyptian delegation in Ramallah	Time-loss.dns05.com (192.169.7.250) dji-msi.2waky.com

Appendix II – Indicators of compromise