As already seen with the conflict between Russia and Ukraine, malware and cyber attacks are now an integral part of any war scenario.
In this sense, the recent crisis in the Middle East is also fertile ground for cybercriminals. Government bodies in the countries of that region have reportedly been targeted by various phishing campaigns specifically designed to spread a new malware named IronWind.
The malicious agent in question, first identified by Proofpoint, was attributed to the group known as TA402 (also known by the names Grinded and Gaza Cyber Gang). The cybercriminal collective, it seems, has a close connection with APT-C-23, a pro-Hamas hacker team already known to cybersecurity experts.
Joshua Miller, Senior Threat Researcher at Proofpoint, wanted to delve deeper into the geographic origin of IronWind. According to the expert, "When it comes to state-aligned threat actors, North Korea, Russia, China and Iran generally garner the lion's share of attention".
He then clarified that TA402 is a group historically linked to the Palestinian territories and that it is capable of conducting highly refined and dangerous espionage operations.
IronWind and APT-C-23 are the spearhead of Middle Eastern cybercrime
According to the researchers, the malware is distributed through different vectors such as:
- XLL file attachments;
- RAR archives;
- links to files hosted on Dropbox.
The campaigns combine different distribution strategies with different obfuscation techniques, such as geofencing.
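A mail-triage check for the three delivery vectors listed above, as an added example that is not Proofpoint's detection logic or part of the original article. The function names, the finding labels and the sample message are assumptions constructed for illustration; the check flags `.xll` attachments by extension, RAR archives by file signature (so a renamed archive is still caught) and links whose host is a Dropbox domain.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

RAR_MAGIC = b"Rar!\x1a\x07"  # shared prefix of the RAR4 and RAR5 signatures
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
DROPBOX = ("dropbox.com", "dropboxusercontent.com")

def is_dropbox(url):
    """True only for a Dropbox host or subdomain, not look-alike prefixes."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in DROPBOX)

def triage(raw):
    """Return (finding, detail) pairs for one raw RFC 5322 message."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            data = part.get_payload(decode=True) or b""
            if name.lower().endswith(".xll"):
                findings.append(("xll_attachment", name))
            if data.startswith(RAR_MAGIC):  # content check survives renaming
                findings.append(("rar_archive", name))
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                if is_dropbox(url):
                    findings.append(("dropbox_link", url))
    return findings

def build_sample():
    """Constructed test message; every value here is made up."""
    m = EmailMessage()
    m["Subject"] = "Quarterly report"
    m.set_content("Files: https://www.dropbox.com/s/EXAMPLE/report.rar\n"
                  "Mirror: https://dropbox.com.example.net/x\n")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="Plan.XLL")
    m.add_attachment(RAR_MAGIC + b"\x00" * 8, maintype="application",
                     subtype="octet-stream", filename="notes.pdf")
    return bytes(m)

if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Dropbox links are common in legitimate mail, so that finding is a signal to correlate with the other two rather than a verdict on its own.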
The downloader delivered to potential victims is designed to contact the attacker's server and download further payloads. Among them, one undoubtedly stands out: a very dangerous post-exploitation toolkit called SharpSploit.
Cisco Talos, through further investigation, revealed that TA402 is also carrying out other criminal activities. The same group was observed exploiting the "Release scores" feature of Google Forms quizzes to send emails and organize elaborate cryptocurrency scams.