Cyberattacks in the Middle East have typically been carried out by cybercriminals targeting the primary sectors of governments such as oil and gas sectors and other key industries, however, since 2019, a conspiratorial malware campaign is targeting the middle east region that used malicious Microsoft Excel and Word documents to victimize government and its important organs such as military groups, diplomatic agencies, law firms, and financial institutions mainly based in the Middle East.
Russian cybersecurity company Kaspersky has investigated and confirmed that the state-sponsored hacking group, 'WIRTE' is behind the attacks. The earlier investigation done by Kaspersky researchers disclosed the method of targeting by the WIRTE group. “MS Excel droppers that use hidden spreadsheets and VBA macros to drop their first stage implant”, which is a Visual Basic Script (VBS) with functionality to amass system information and execute malicious code sent by the hackers on the vulnerable system.
The cyber security researchers at Kaspersky have shown some possibilities after analyzing the campaign as well as the adversary’s toolset and methodology that the WIRTE group has links with other state-sponsored cyber groups known as the Gaza Cyber gang. Furthermore, Armenia, Cyprus, Egypt, Jordan, Palestine, Syria, Lebanon, and Turkey are among the countries that were affected.
"WIRTE operators use simple and rather common TTPs that have allowed them to remain undetected for a long period of time. This suspected subgroup of the Gaza Cyber gang used simple yet effective methods to compromise its victims with better OpSec than its suspected counterparts," Kaspersky researcher Maher Yamout said.
"WIRTE modified their toolset and how they operate to remain stealthy for a longer period of time. Living-off-the-land (LotL) techniques are an interesting new addition to their TTPs. Using interpreted language malware such as VBS and PowerShell scripts, unlike the other Gaza Cyber gang subgroups, adds flexibility to update their toolset and avoid static detection controls," Yamout added.
