Kaspersky Lab experts are registering important changes in the operations of the infamous Gaza Team Cybergang, which is actively targeting multiple commercial and government organizations in the Middle East and Africa (MENA) region.
While the group has been active in the threat landscape for several years, it has upgraded its arsenal in 2017 with new malicious tools.
The Gaza Team Cybergang has been attacking government embassies, diplomats and politicians as well as oil and gas organizations and the media in the MENA region on a continuous basis since at least 2012, with new malware samples detected regularly. In 2015, Kaspersky Lab researchers reported on the gang’s activity after seeing a significant shift in its malicious operations. On that occasion, the attackers were spotted targeting IT and incident response personnel in an attempt to gain access to legitimate security assessment tools and significantly decrease the visibility of their activity in the attacked networks. In 2017, Kaspersky Lab researchers captured another surge of Gaza Cybergang activity.
The target profile and geography remain unchanged in these new attacks, but the scale of Gaza Team’s operations has expanded. The actor has been spotted seeking out any type of intelligence across the MENA region, which was not previously the case. More importantly, the attack tools have become more sophisticated: the group now develops topical, geopolitical spearphishing documents that are used to deliver malware to targets, uses exploits for a relatively recent vulnerability, CVE-2017-0199 in Microsoft Access, and potentially even deploys Android spyware.
The intruders perform their malicious activities by sending emails containing various RATs (Remote Access Trojans) in fake office documents, or URLs to a malicious page. When these are executed, the victim is infected with malware that subsequently enables the attackers to collect files, keystrokes and screenshots from the victim's devices. If the victim detects the initially downloaded malware, the downloader tries to install other files on the victim’s device in an attempt to bypass detection.
Further Kaspersky Lab investigation suggests the potential use of mobile malware by the hacking group: some of the file names found during the analysis of Gaza Team activity appear to be Android Trojan-related. These upgrades in attack techniques have allowed Gaza Team to bypass security solutions and manipulate the victim’s system for prolonged periods.
“The continuing activity of Gaza Team, which we have observed for several years already, shows that the situation in the MENA region is far from safe when it comes to cyber espionage threats. Due to significant improvements in the group’s techniques, we expect the quantity and quality of Gaza Cybergang attacks to intensify in the near future. People and organizations which fall into their target scope should be more cautious when online,” said David Emm, security expert at Kaspersky Lab.
Kaspersky Lab products successfully detect and block attacks conducted using these techniques.
In order to prevent falling victim to such an attack, Kaspersky Lab researchers recommend implementing the following measures:
- Train staff to be able to distinguish spearphishing emails or a phishing link from legitimate emails and links;
- Use a proven corporate-grade endpoint security solution in combination with specialized protection against advanced threats, such as the Kaspersky Anti Targeted Attack platform, which is capable of catching attacks by analyzing network anomalies;
- Provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack research and prevention, such as Indicators of Compromise (IOCs) and YARA rules.
More details of the Gaza Cybergang campaign can be found in the Securelist blog.