Gaza cybergang, where’s your IR team?


Gaza cybergang is a politically motivated Arabic cybercriminal group operating in the MENA (Middle East North Africa) region, targeting mainly Egypt, United Arab Emirates and Yemen. The group has been operating since 2012 and became particularly active in Q2 2015.

One interesting new fact about Gaza cybergang activities is that they are actively sending malware files to IT (Information Technology) and IR (Incident Response) staff; this is also obvious from the file names they are sending to victims, which reflect the IT functions or IR tools used in cyber attack investigations.

IT people are known for having more access and permissions inside their organizations than other employees, mainly because they need to manage and operate the infrastructure. This is why getting access to their devices could be worth a lot more than for a normal user.

IR people are also known for having access to sensitive data related to ongoing cyber investigations in their organizations, in addition to special access and permissions enabling them to hunt for malicious or suspicious activities on the network.

The main infection modules used by this group are pretty common RATs: XtremeRAT and PoisonIvy.

Some more interesting facts about Gaza cybergang:

  • Attackers take an interest in government entities, especially embassies, where security measures and IT operations might not be well established and reliable
  • Use of special file names, content and domain names (e.g. gov.uae.kim), has helped the group perform better social engineering to infect targets
  • Increasing interest in targeting IT and IR people, which is clear from most of the recent malware file names used

Other operation names:

  • DownExecute
  • MoleRATs

Kaspersky Lab products and services successfully detect and block attacks by the Gaza cybergang.

Political file names targeting Arabic countries

File name: بوادر خلاف جديد بين الامارات والسعودية.exe

Translation: Indications of disagreement between Saudi Arabia and UAE.exe


Filename: “Wikileaks documents on Sheikh ******* *** *****.exe”


File name: صور فاضحـــــة جدا لبعض العسكريين والقضاة والمستشاريين المصريين.exe

Translation: Scandalous pictures of Egyptian militants, judges and consultants


File name: Majed-Abaas.zip -> الرئيس الفلسطيني محمود عباس يشتم ماجد فرج.exe

Translation: President Mahmoud Abbas cursing Majed Faraj.exe

File name: “مكالمة مسربة بين القائد العام للقوات المسلحة المصرية صدقي صبحي.exe”

Translation: Leaked conversation with the Egyptian leader of military forces Sodqi Sobhi.exe

File name: tasreb.rar

IT and IR Malware File Names

  • VCSExpress.exe
  • Hex.exe
  • Microsoft Log.exe
  • IMP.exe
  • Win.exe
  • Corss.exe
  • WinRAR.exe
  • AVR.exe
  • ccleaner.exe
  • codeblocks.exe
  • HelpPane.exe
  • Hex_Workshop_Hex_Editor-o.exe
  • Help.exe
  • Decoded.exe
  • vmplayer.exe
  • Decrypted.exe
  • procexp.exe
  • crashreporter.exe
  • RE.exe
  • WindowsUpdate.exe
  • PE.exe
  • AVP.exe
  • PE-Explorr.exe
  • Kaspersky.exe
  • hworks32.exe
  • Kaspersky Password Manager.exe


Other malware file names

abc.exe
News.exe
Sky.exe
SkyC.exe
Skype.exe
Skypo.exe
وصية وصور الوالد أتمنى الدعاء له بالرحمة والمغفرة.exe
Secret_Report.exe

Military Police less military sexual offenses, drug offenses more.exe


Phishing

http://google.com.*****/new/index.php?Email=FL1-08-2015@gmail.com

http://google.com.*****/new/g.htm?Email=sharq-2014-12-31@gmail.com

http://google.com.*****/new/index.php?Email=2014-12-04@gmail.com

http://googlecom*****/new/index.php?Email=yemen-22-01-2015@hotmail.com


More details about the IP addresses and domain names used in the attacks can be found in the Securelist report.
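The phishing links above share one structure: a hostname that starts with a trusted brand (google.com.…, or the dotless googlecom…) but is registered under a different domain, plus an Email= parameter that pre-fills the victim's address. As an added example that is not part of the original post, the script below runs that check over constructed proxy log lines; the hostnames, addresses and log format are assumptions.

```python
# Added example (not from the Securelist post): flag proxy-log URLs whose hostname
# impersonates a trusted brand by prefixing it, as in the
# google.com.<other-domain>/new/index.php?Email=... links described above.
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Brands whose domain the lures mimic (assumption: extend for your environment).
IMPERSONATED = {"google.com"}

# Constructed sample proxy log lines: <timestamp> <client> <url>
SAMPLE_LOG = """\
2015-08-12T09:14:02Z 10.0.0.21 http://google.com.example-lure.test/new/index.php?Email=victim@gmail.com
2015-08-12T09:15:10Z 10.0.0.22 https://accounts.google.com/ServiceLogin
2015-08-12T09:16:33Z 10.0.0.23 http://googlecomexample-lure.test/new/g.htm?Email=target@hotmail.com
2015-08-12T09:17:45Z 10.0.0.24 https://mail.example.org/inbox
"""


def is_brand_prefix_lookalike(host: str) -> Optional[str]:
    """Return the impersonated brand if `host` begins with it (with or without
    the dots) but is not actually under that brand's domain; else None."""
    host = host.lower().rstrip(".")
    for brand in IMPERSONATED:
        if host == brand or host.endswith("." + brand):
            return None  # genuinely a host under the brand's own domain
        squashed = brand.replace(".", "")  # "googlecom" variant seen in the lures
        # Heuristic: the dotless form can also match unrelated names such as
        # googlecompany.test, so treat hits as leads for analyst review.
        if host.startswith(brand + ".") or host.startswith(squashed):
            return brand
    return None


def find_phishing_urls(log_text: str) -> List[dict]:
    """Scan log lines and return one record per brand-lookalike URL."""
    hits = []
    for line in log_text.splitlines():
        ts, client, url = line.split(maxsplit=2)
        parts = urlsplit(url)
        brand = is_brand_prefix_lookalike(parts.hostname or "")
        if brand is None:
            continue
        # The lures carry the targeted address in an Email= query parameter.
        email = parse_qs(parts.query).get("Email", [None])[0]
        hits.append({"time": ts, "client": client, "host": parts.hostname,
                     "impersonates": brand, "prefilled_email": email})
    return hits


if __name__ == "__main__":
    for hit in find_phishing_urls(SAMPLE_LOG):
        print(hit)
```

The pre-filled address tells the responder which mailbox was targeted, which is the pivot for finding the corresponding lure e-mail.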

Tips