Researchers warn that a cyberespionage actor that targets government entities in the Middle East and North Africa and is generally aligned with Palestinian interests has changed its infection chain tactics three times in recent months. The group is known for targeting a very small number of organizations in every campaign to deliver a custom malware implant dubbed IronWind.
Tracked as TA402 by security firm Proofpoint since 2020, the group’s attacks and techniques overlap with third-party reports attributing the activity to Molerats, Gaza Cybergang, Frankenstein, and WIRTE, so these might be different names for the same group.
“As of late October 2023, Proofpoint researchers had not observed any changes in targeting by TA402, an APT group that historically has operated in the interests of the Palestinian Territories, nor identified any indications of an altered mandate despite the current conflict in the region,” the Proofpoint researchers said in a new report. “It remains possible that this threat actor will redirect its resources as events continue to unfold.”
Malware delivered via Microsoft PowerPoint Add-ins, XLL and RAR attachments
TA402 attacks start with spear-phishing emails sent from compromised email accounts of legitimate entities. In some of its recent campaigns, the group used an email account from a country’s Ministry of Foreign Affairs to send emails with a lure in Arabic that translates to “Economic cooperation program with the countries of the Gulf Cooperation Council 2023-2024.” The targets were other Middle Eastern government entities.
In previous campaigns observed during 2021 and 2022, the group’s phishing emails contained links that took users through a redirect script that checked their IP address location. Intended targets were served a RAR archive file that contained a malware program called NimbleMamba while those whose IP address location didn’t match the targeted area were redirected to a legitimate news site.
In new campaigns seen in July attackers included links in their emails that directed victims to download a malicious Microsoft PowerPoint add-in (PPAM) file from Dropbox. The following month the attackers changed their lure to “List of persons and entities (designated as terrorists) by the Anti-Money Laundering and Terrorist Financing Authority” and attached an XLL (Excel add-in) file directly to the email. In October the group shifted delivery tactics again and included malicious RAR attachments instead of XLL, while the lure was changed to “Report and Recommendations of the 110th Session on the War on Gaza.”
The IronWind malware implant
All the recent campaigns delivered an initial access malware implant that the Proofpoint researchers dubbed IronWind. However, based on debugging paths left in the code, the malware creators named their project Tornado.
The malicious attachments usually deploy three files: version.dll (IronWind), timeout.exe and gatherNetworkInfo.vbs. Timeout.exe is a legitimate file vulnerable to DLL sideloading that’s being used to sideload IronWind. Once the malware implant is active, it contacts a command-and-control (C2) server hosted by the attackers, which is a departure from the group’s previous technique of using cloud services like the Dropbox API for C2. The control server sends back malicious shellcode that represents the third stage of the infection chain.
The shellcode then downloads multiple executables written in .NET that are used to perform queries through the WMI (Windows Management Instrumentation) interface, as well as a multipurpose malware loader — a .NET executable that uses SharpSploit, a .NET post-exploitation library written in C#.
The .NET executable continued to make requests to the C2 server using a custom UserAgent string as authentication and looked for additional shellcode payloads to execute. The researchers did not see any additional infection stage to analyze at this time, but the group might be in the process of making improvements to the implant.
“TA402 remains a persistent and innovative threat actor that routinely retools its attack methods and malware in support of its cyber espionage mandate,” the Proofpoint researchers said. “Its ongoing use of geofencing and decoy documents continues to serve its detection evasion efforts. While TA402 is an intelligence collection focused threat actor with a specific interest in Middle Eastern and North African government entities, the group could find itself under direction to adjust its targeting or social engineering lures in reaction to the ongoing Israel-Hamas conflict.”
Advanced Persistent Threats, Cyberattacks, Phishing