November 23, 2024
Hamas-Affiliated WIRTE Employs SameCoin Wiper in Disruptive Attacks Against Israel
A threat actor affiliated with Hamas has expanded its malicious cyber operations beyond espionage to carry out disruptive attacks that exclusively target Israeli entities. The activity, linked to a group called WIRTE, has also targeted the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt, Check Point said in an analysis. "The [Israel-Hamas] conflict has not disrupted the WIRTE's

Nov 13, 2024Ravie LakshmananThreat Intelligence / Cyber Espionage

A threat actor affiliated with Hamas has expanded its malicious cyber operations beyond espionage to carry out disruptive attacks that exclusively target Israeli entities.

The activity, linked to a group called WIRTE, has also targeted the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt, Check Point said in an analysis.

“The [Israel-Hamas] conflict has not disrupted the WIRTE’s activity, and they continue to leverage recent events in the region in their espionage operations,” the company said. “In addition to espionage, the threat actor recently engaged in at least two waves of disruptive attacks against Israel.”

WIRTE is the moniker assigned to a Middle Eastern advanced persistent threat (APT) that has been active since at least August 2018, targeting a broad spectrum of entities across the region. It was first documented by the Spanish cybersecurity company S2 Grupo.

The hacking crew is assessed to be part of a politically motivated group called the Gaza Cyber Gang (aka Molerats and TA402), the latter of which is known for using tools like BarbWire, IronWind, and Pierogi in its attack campaigns.

“This cluster’s activity has persisted throughout the war in Gaza,” the Israeli company said. “On one hand, the group’s ongoing activity strengthens its affiliation with Hamas; on the other hand, it complicates the geographical attribution of this activity specifically to Gaza.”

WIRTE’s activities in 2024 have been found to capitalize on the geopolitical tensions in the Middle East and the war to craft deceptive RAR archive lures that lead to the deployment of the Havoc post-exploitation framework. Alternate chains observed prior to September 2024 have leveraged similar RAR archives to deliver the IronWind downloader.

Both these infection sequences employ a legitimate executable to sideload the malware-laced DLL and display to the victim the decoy PDF document.

Check Point said it also observed a phishing campaign in October 2024 targeting several Israeli organizations, such as hospitals and municipalities, in which emails were sent from a legitimate address belonging to cybersecurity company ESET’s partner in Israel.

“The email contained a newly created version of the SameCoin Wiper, which was deployed in attacks against Israel earlier this year,” it said. “In addition to minor changes in the malware, the newer version introduces a unique encryption function that has only been […] found in a newer IronWind loader variant.”

Besides overwriting files with random bytes, the most recent version of the SameCoin wiper modifies the victim system’s background to display an image bearing the name of Al-Qassam Brigades, the military wing of Hamas.

SameCoin is a bespoke wiper that was uncovered in February 2024 as used by a Hamas-affiliated threat actor to sabotage Windows and Android devices. The malware was distributed under the guise of a security update.

The Windows loader samples (“INCD-SecurityUpdate-FEB24.exe”), according to HarfangLab, had their timestamps altered to match October 7, 2023, the day when Hamas launched its surprise offensive on Israel. The initial access vector is believed to be an email impersonating the Israeli National Cyber Directorate (INCD).

“Despite ongoing conflict in the Middle East, the group has persisted with multiple campaigns, showcasing a versatile toolkit that includes wipers, backdoors, and phishing pages used for both espionage and sabotage,” Check Point concluded.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.