Home>Blog>The Hacker News Headlines>WIRTE Hacker Group Targets Government, Law, Financial Entities in Middle East
The Hacker News Headlines

WIRTE Hacker Group Targets Government, Law, Financial Entities in Middle East

WIRTE Hacker Group

Government, diplomatic entities, military organizations, law
firms, and financial institutions primarily located in the Middle
East have been targeted as part of a stealthy malware campaign as
early as 2019 by making use of malicious Microsoft Excel and Word
documents.

Russian cybersecurity company Kaspersky attributed the attacks
with high confidence to a threat actor named WIRTE, adding the
intrusions involved “MS Excel droppers that use hidden spreadsheets
and VBA macros to drop their first stage implant,” which is a
Visual Basic Script (VBS) with functionality to amass system
information and execute arbitrary code sent by the attackers on the
infected machine.

An analysis of the campaign as well as the toolset and methods
employed by the adversary has also led the researchers to conclude
with low confidence that the WIRTE group[1]
has connections to another politically motivated collective called
the Gaza Cybergang[2]. The affected entities
are spread across Armenia, Cyprus, Egypt, Jordan, Lebanon,
Palestine, Syria, and Turkey.

Automatic GitHub Backups

“WIRTE operators use simple and rather common TTPs that have
allowed them to remain undetected for a long period of time,”
Kaspersky researcher Maher Yamout said[3]. “This suspected
subgroup of Gaza Cybergang used simple yet effective methods to
compromise its victims with better OpSec than its suspected
counterparts.”

The infection sequence observed by Kaspersky involves decoy
Microsoft Office documents deploying Visual Basic Script (VBS),
potentially delivered through spear-phishing emails that
purportedly relate to Palestinian matters and other trending topics
that are tailored to the targeted victims.

The Excel droppers, for their part, are programmed to execute
malicious macros[4]
to download and install a next-stage implant named Ferocious on
recipients’ devices, while the Word document droppers make use of
VBA macros to download the same malware. Composed of VBS and
PowerShell scripts, the Ferocious dropper leverages a
living-off-the-land (LotL[5]) technique called
COM hijacking[6]
to achieve persistence and triggers the execution of a PowerShell
script dubbed LitePower.

Prevent Data Breaches

This LitePower, a PowerShell script, acts as a downloader and
secondary stager that connects to remote command-and-control
servers located in Ukraine and Estonia — some of which date back to
December 2019 — and awaits further commands that could result in
the deployment of additional malware on the compromised
systems.

“WIRTE modified their toolset and how they operate to remain
stealthy for a longer period of time. Living-off-the-land (LotL)
techniques are an interesting new addition to their TTPs,” Yamout
said. “Using interpreted language malware such as VBS and
PowerShell scripts, unlike the other Gaza Cybergang subgroups, adds
flexibility to update their toolset and avoid static detection
controls.”

References

  1. ^
    WIRTE
    group     (lab52.io)
  2. ^
    Gaza
    Cybergang     (securelist.com)
  3. ^
    said
    (securelist.com)
  4. ^
    macros
    (support.microsoft.com)
  5. ^
    LotL
    (encyclopedia.kaspersky.com)
  6. ^
    COM
    hijacking     (attack.mitre.org)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.