Ethical Hacking News
A Hamas-affiliated group known as WIRTE has expanded its activities beyond espionage to disruptive attacks against Israeli entities and has also targeted other countries in the region. The threat actor's use of custom malware, including the SameCoin wiper, highlights the need for increased vigilance and cooperation between countries to counter these threats.
The WIRTE group, affiliated with Hamas, has expanded beyond espionage to disruptive attacks. Its operations have targeted Israel and other countries in the region, including the Palestinian Authority and Saudi Arabia. WIRTE is linked to malware tools such as BarbWire, IronWind, and Pierogi and is associated with the Gaza Cyber Gang. The SameCoin wiper, a bespoke malware, was used in attacks against Israel: it overwrites files with random bytes and changes the desktop background to an image bearing the name of Hamas' military wing. The group's phishing campaign targeted Israeli organizations, including hospitals and municipalities, with emails sent from a legitimate address belonging to an Israeli partner of ESET.
A Hamas-affiliated group known as WIRTE has expanded its malicious activities beyond espionage to carry out disruptive attacks against Israeli entities. The threat actor has also targeted other countries in the region, including the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt.
WIRTE is assessed to be part of a politically motivated group called the Gaza Cyber Gang (aka Molerats and TA402), which has been linked to malware tools such as BarbWire, IronWind, and Pierogi. The group's activity has persisted throughout the war in Gaza, which supports the assessed affiliation with Hamas.
According to Check Point, the cybersecurity company that analyzed the group's activity, WIRTE recently carried out at least two waves of disruptive attacks against Israel. The attacks used the SameCoin wiper, a bespoke malware first uncovered in February 2024, when it was used by a Hamas-affiliated threat actor to sabotage Windows and Android devices.
The SameCoin wiper overwrites files with random bytes and changes the victim system's background to an image bearing the name of the Al-Qassam Brigades, the military wing of Hamas. It also contains a unique encryption function that has otherwise been found only in a newer variant of the IronWind loader, which is what ties the wiper to WIRTE's existing toolset.
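Files overwritten with random bytes are easy to distinguish from intact ones after the fact: their content has near-maximal Shannon entropy and, for formats with a fixed header, the magic bytes are gone. The following is an added triage script that illustrates that heuristic; it is not code from Check Point or from the article, and the directory layout, file names and thresholds are constructed for the example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Magic-byte prefixes for a few common formats. A file whose extension
# promises one of these but whose header no longer matches has most likely
# been overwritten (constructed list, extend as needed).
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
}

# Uniformly random bytes approach 8.0 bits/byte; 7.9 is an assumed cut-off
# that also catches short samples where the estimate is biased low.
ENTROPY_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, sample_size: int = 1 << 16) -> dict:
    """Entropy + header check on the first `sample_size` bytes of one file."""
    data = path.read_bytes()[:sample_size]
    entropy = shannon_entropy(data)
    expected = MAGIC.get(path.suffix.lower())
    magic_ok = None if expected is None else data.startswith(expected)
    # Compressed formats (zip/docx/png) are also high-entropy, so a file is
    # only flagged when its content looks random AND the known header is gone.
    suspicious = entropy >= ENTROPY_THRESHOLD and magic_ok is not True
    return {
        "path": str(path),
        "entropy": round(entropy, 3),
        "magic_ok": magic_ok,
        "suspicious": suspicious,
    }


def scan(root: Path) -> list[dict]:
    """Classify every regular file under `root`, sorted for stable output."""
    return [classify(p) for p in sorted(root.rglob("*")) if p.is_file()]


def suspicious_names(root: Path) -> list[str]:
    """File names under `root` that look like they were overwritten with random bytes."""
    return sorted(Path(r["path"]).name for r in scan(root) if r["suspicious"])


def build_sample_tree() -> Path:
    """Constructed sample: two intact files and two 'wiped' ones filled with random bytes."""
    root = Path(tempfile.mkdtemp(prefix="wiper_triage_"))
    (root / "notes.txt").write_text("quarterly report draft " * 200)
    # Intact PNG-like file: high entropy body but the header is still present.
    (root / "logo.png").write_bytes(MAGIC[".png"] + bytes(range(256)) * 8)
    # Simulated wiper output: extension kept, content replaced with random bytes.
    (root / "budget.docx").write_bytes(os.urandom(1 << 16))
    (root / "scan.pdf").write_bytes(os.urandom(1 << 16))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for record in scan(sample_root):
        print(record)
    print("suspicious:", suspicious_names(sample_root))
```

The header check is what keeps the heuristic usable: legitimately compressed or encrypted files have entropy close to 8.0 as well, so entropy alone would flag every archive and Office document on a disk. Files with an extension not in the table fall back to entropy only and should be reviewed by hand.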
The group's phishing campaign in October 2024 targeted several Israeli organizations, including hospitals and municipalities, with emails sent from a legitimate address belonging to the Israeli partner of cybersecurity company ESET. The emails carried a newly built version of the SameCoin wiper, the same family deployed against Israel earlier in the year. Because the messages originated from a genuine sender, sender-authentication checks such as SPF or DKIM alone would not have distinguished them from that sender's ordinary mail.
Despite ongoing conflict in the Middle East, the WIRTE group has persisted with multiple campaigns, showcasing a versatile toolkit that includes wipers, backdoors, and phishing pages used for both espionage and sabotage. Check Point concluded that "the [Israel-Hamas] conflict has not disrupted the WIRTE's activity, and they continue to leverage recent events in the region in their espionage operations."
The group's activities have raised concerns among cybersecurity experts, who emphasize the need for increased vigilance and cooperation between countries to counter these types of threats.
In light of this development, defenders in the region should familiarize themselves with the group's tradecraft, in particular phishing lures tied to current events and wipers delivered by email, and plan their mitigations accordingly.
Related Information:
https://thehackernews.com/2024/11/hamas-affiliated-wirte-employs-samecoin.html
https://www.proofpoint.com/us/blog/threat-insight/ta402-uses-complex-ironwind-infection-chains-target-middle-east-based-government
https://www.darkreading.com/threat-intelligence/molerats-group-wields-custom-cybertool-to-steal-secrets-in-the-middle-east
https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east
Published: Wed Nov 13 10:33:40 2024 by llama3.2 3B Q4_K_M