Gaza Cybergang upgrades its tools to target Governments

David Emm, Security Expert at Kaspersky Lab
David Emm, Security Expert at Kaspersky Lab
7 years ago

In 2015, Kaspersky Lab researchers reported the Gaza Team Cybergang’s activity after seeing a significant shift in its malicious operations. On this occasion, the attackers were spotted targeting IT and incident response personnel in an attempt to gain access to legitimate security assessment tools and significantly decrease visibility of their activity in the attacked networks. In 2017, Kaspersky Lab researchers have captured another surge of Gaza Cybergang activity.

The target profile and geography remain unchanged in these new attacks, but the scale of Gaza Team’s operations has expanded. The actor has been spotted seeking out any type of intelligence across the MENA region, which was not previously the case. What is more important: the attack tools have become more sophisticated – with the group developing topical, geopolitical spearphishing documents that are used to deliver malware to targets, and using exploits to a relatively recent vulnerability, CVE 2017-0199 in Microsoft Access, and potentially even Android spyware.

The intruders perform their malicious activities by sending emails containing various RATs (Remote Access Trojans) in fake office documents, or URLs to a malicious page. When these are executed, the victim is infected with malware that subsequently enables the attackers to collect files, keystrokes and screenshots from the victim’s devices. If the victim detects the initially downloaded malware, the downloader tries to install other files on the victim’s device in an attempt to bypass detection.

Further Kaspersky Lab investigation suggests the potential use of mobile malware by the hacking group: some of the file names found during the analysis of Gaza Team activity look to be Android Trojan-related. These upgrades in attack techniques have allowed Gaza Team to bypass security solutions and manipulate the victim’s system for prolonged periods.

“Due to significant improvements in the group’s techniques, we expect the quantity and quality of Gaza Cybergang attacks to intensify in the near future. People and organizations which fall into their target scope should be more cautious when online,” said David Emm, Security Expert at Kaspersky Lab. Kaspersky Lab products successfully detect and block attacks conducted using these techniques.