A hacking group that appears to be affiliated with the Gaza cyber gang has been uncovered carrying out attacks with malicious Excel 4.0 macros. Since 2019, the WIRTE group has been targeting high-profile public and private organisations in the Middle East.
Kaspersky evaluated the campaign's toolset and strategy and tentatively concluded that the outfit has pro-Palestinian motivations. The group sends out phishing emails containing Excel files that download and install malware payloads.
The malicious documents attached to the phishing emails carry logos and themes that imitate businesses, government bodies, or the targeted company itself. The Excel dropper runs a series of formulae in a concealed column to hide the original file's 'enable editing' prompt. Shortly afterwards, a second spreadsheet containing the decoy is unhidden so that nothing looks out of place to the user. The dropper then runs further formulae that perform three anti-sandbox checks. If the command then runs, a VBS script writes a PowerShell snippet together with two registry entries for persistence.
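A structural triage check for the dropper pattern described above (an Excel 4.0 macro sheet, kept hidden, with its formulae tucked into a hidden column), written here as an added example rather than code from Kaspersky's report. It assumes the OOXML (.xlsm) container, where XLM sheets live under xl/macrosheets/; legacy binary .xls files store XLM in BIFF records and need a different parser.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

MACROSHEET_PREFIX = "xl/macrosheets/"  # where OOXML stores Excel 4.0 (XLM) sheets


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag ('{ns}sheet' -> 'sheet')."""
    return tag.rsplit("}", 1)[-1]


def triage_workbook(data: bytes) -> dict:
    """Report XLM macro sheets, hidden/veryHidden sheets and hidden columns
    inside macro sheets; flag the file when macro sheets are paired with
    either hiding trick, which is the WIRTE dropper's layout."""
    findings = {"macrosheets": [], "hidden_sheets": [], "hidden_columns": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["macrosheets"] = sorted(n for n in names if n.startswith(MACROSHEET_PREFIX))
        if "xl/workbook.xml" in names:
            for el in ET.fromstring(zf.read("xl/workbook.xml")).iter():
                if _local(el.tag) == "sheet" and el.get("state") in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append((el.get("name"), el.get("state")))
        for name in findings["macrosheets"]:
            for el in ET.fromstring(zf.read(name)).iter():
                if _local(el.tag) == "col" and el.get("hidden") in ("1", "true"):
                    findings["hidden_columns"].append((name, el.get("min"), el.get("max")))
    findings["suspicious"] = bool(findings["macrosheets"]) and bool(
        findings["hidden_sheets"] or findings["hidden_columns"])
    return findings


def build_sample(with_macro: bool = True) -> bytes:
    """Constructed test workbook (not a real sample): a visible decoy sheet plus,
    optionally, a veryHidden XLM sheet whose column A is hidden."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    sheets = '<sheet name="Invoice" sheetId="1"/>'
    if with_macro:
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", f"<workbook {ns}><sheets>{sheets}</sheets></workbook>")
        zf.writestr("xl/worksheets/sheet1.xml", f"<worksheet {ns}/>")
        if with_macro:  # HALT() is a harmless XLM placeholder formula
            zf.writestr("xl/macrosheets/sheet1.xml",
                        f'<macrosheet {ns}><cols><col min="1" max="1" hidden="1"/></cols>'
                        '<sheetData><row r="1"><c r="A1"><f>HALT()</f></c></row></sheetData>'
                        "</macrosheet>")
    return buf.getvalue()
```

Run `triage_workbook` over attachments at the mail gateway or in a sandbox pre-filter; a positive result is a reason to detonate or quarantine, not proof of infection on its own.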
Financial services, legal services, government, diplomatic, military, and technology are among the sectors targeted by the group. Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey are among the countries targeted.
Researchers caution that, despite their simplicity, the WIRTE group's TTPs are quite effective. The group is now broadening its targeting to include financial institutions and major private corporations. As a result, companies in the targeted regions must stay watchful for such attacks.