Government entities in the Middle East are the target of new phishing campaigns designed to deliver a new initial access downloader called IronWind.
The activity, observed between July and October 2023, has been attributed by Proofpoint to a threat actor it tracks under the name TA402, also known as Molerats and Gaza Cyber Gang, which shares tactical overlaps with a pro-Hamas hacking crew known as APT-C-23 (aka Arid Viper).
“When it comes to state threat actors, North Korea, Russia, China, and Iran generally garner the most attention,” Joshua Miller, senior threat researcher at Proofpoint, said in a statement shared with The Hacker News.
“But TA402, a Middle Eastern advanced persistent threat (APT) group that has historically operated in the interests of the Palestinian Territories, has consistently proven to be an intriguing threat actor capable of highly sophisticated cyber espionage which focuses on intelligence gathering.”
Alongside the adoption of IronWind, the group has continually updated its delivery mechanisms, using Dropbox links, XLL file attachments, and RAR archives to distribute the downloader.
IronWind’s use is a departure from previous attack chains, which involved the proliferation of a backdoor codenamed NimbleMamba in intrusions targeting Middle Eastern governments and policy think tanks.
The latest TA402 campaigns are characterized by the use of a compromised email account belonging to a Ministry of Foreign Affairs to send phishing lures pointing to Dropbox links that lead to the deployment of IronWind.
The downloader contacts an attacker-controlled server to retrieve additional payloads, including the post-exploitation toolkit SharpSploit, as part of a multi-stage sequence.
Subsequent social engineering campaigns in August and October 2023 were found to use XLL file and RAR archive attachments in email messages to trigger the deployment of IronWind. Another notable tactic is the group’s reliance on geofencing to complicate detection efforts.
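A defender-side check for the delivery mechanisms named above, written as an added example that is not from the article or from Proofpoint’s research: a small Python triage routine that flags a message when its body carries a Dropbox link, or when an attachment is an XLL file (an Excel add-in is a PE DLL, so it starts with the `MZ` signature) or a RAR archive, recognised by magic bytes rather than by trusting the file extension. The messages, sender addresses and attachment bytes are constructed samples, and the function names and the “review” decision are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Magic bytes for the carrier file types the campaigns are reported to use.
PE_MAGIC = b"MZ"                        # XLL add-ins are PE DLLs, so they start with MZ
RAR_MAGICS = (b"Rar!\x1a\x07\x00",      # RAR 4.x archive signature
              b"Rar!\x1a\x07\x01\x00")  # RAR 5.x archive signature
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".xll", ".scr")
DROPBOX_LINK = re.compile(r"https?://(?:www\.)?dropbox\.com/\S+", re.IGNORECASE)


@dataclass
class Attachment:
    filename: str
    content: bytes


@dataclass
class Message:
    sender: str
    body: str
    attachments: list


def attachment_findings(att: Attachment) -> list:
    """Return indicator names for one attachment, judged by content, not only by name."""
    findings = []
    name = att.filename.lower()
    if name.endswith(".xll"):
        findings.append("xll-extension")
    if att.content.startswith(PE_MAGIC):
        findings.append("pe-executable")
        # A PE whose name does not admit to being executable is the stronger signal.
        if not name.endswith(EXECUTABLE_EXTENSIONS):
            findings.append("pe-with-disguised-extension")
    if att.content.startswith(RAR_MAGICS):
        findings.append("rar-archive")
    return findings


def triage(msg: Message) -> dict:
    """Collect indicators for a message and decide whether it needs analyst review."""
    indicators = []
    if DROPBOX_LINK.search(msg.body):
        indicators.append("body:dropbox-link")
    for att in msg.attachments:
        indicators.extend(f"{att.filename}:{f}" for f in attachment_findings(att))
    return {"sender": msg.sender, "indicators": indicators, "review": bool(indicators)}


# Constructed samples (placeholder addresses, not real campaign artefacts).
LURE_WITH_LINK = Message(
    sender="press-office@example.gov",
    body="Please find the briefing here: https://www.dropbox.com/s/placeholder/briefing.zip",
    attachments=[],
)
LURE_WITH_XLL = Message(
    sender="press-office@example.gov",
    body="Attached is the updated spreadsheet add-in.",
    attachments=[Attachment("briefing.xll", b"MZ\x90\x00" + b"\x00" * 60)],
)
LURE_WITH_RAR = Message(
    sender="press-office@example.gov",
    body="Archive attached.",
    attachments=[Attachment("docs.rar", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16)],
)
BENIGN = Message(
    sender="colleague@example.gov",
    body="Minutes from today's meeting are below.",
    attachments=[Attachment("minutes.txt", b"1. Opening remarks\n")],
)

if __name__ == "__main__":
    for m in (LURE_WITH_LINK, LURE_WITH_XLL, LURE_WITH_RAR, BENIGN):
        print(triage(m))
```

The magic-byte checks matter because a sender can rename an XLL or archive freely; the extension check is kept only because an honest `.xll` name is itself unusual in mail from a foreign-ministry account and worth surfacing. Real deployments would run this against parsed MIME parts from the mail gateway rather than the in-memory samples used here.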
“The ongoing conflict in the Middle East does not appear to be hindering their ongoing operations, as they continue to innovate and use new and clever delivery methods to evade detection efforts,” Miller said.
“Using complex infection chains and drumming up new malware to attack their targets, TA402 continues to engage in highly targeted activity with a strong focus on government entities based in the Middle East and North Africa.”
The development comes as Cisco Talos revealed that cybercriminals have been observed exploiting the “Release scores” feature of Google Forms quizzes to deliver email and orchestrate elaborate cryptocurrency scams, highlighting the creative methods threat actors use to achieve their goals.
“Emails originate from Google’s own servers and therefore may have an easier time bypassing anti-spam protections and finding the victim’s inbox,” security researcher Jaeson Schultz said last week.