13 February 2020

Hamas-linked hackers target victims in Palestinian territories

A new cyber-espionage campaign has been uncovered in the Middle East which is directed at entities and individuals in the Palestinian territories. The attacks are believed to be the work of a group known as MoleRATs (The Gaza Cybergang), an Arabic-speaking threat actor that has been operating in the Middle East since 2012.

According to the Boston-based cybersecurity company Cybereason, there are two separate campaigns happening simultaneously. One of them dubbed “The Spark Campaign” attempts to infect targets (mainly from the Palestinian territories) with the Spark backdoor using social engineering. The campaign lures victims with content related to recent geopolitical events, namely the Israeli-Palestinian conflict, the assassination of Qasem Soleimani, and the ongoing conflict between Hamas and Fatah Palestinian movements.

If victims open the emails and attached malicious files that come in the form of Microsoft Office documents, .PDF, and archive files, an additional archive file from Egnyte or Dropbox is dropped on the system. This archive contains an executable which is the Spark backdoor dropper.

To stay hidden from security solutions, the creators of the Spark backdoor use several techniques. More specifically, they pack the malware with a powerful commercial tool called Enigma Packer and implement language checks to ensure the victims are Arabic speaking, minimizing the risk of detection and of infecting unwanted victims.

The second campaign, which the researchers called “The Pierogi Campaign”, also leverages social engineering tricks to infect victims, but in this case the payload is a new, undocumented RAT dubbed Pierogi. First discovered in December 2019, this RAT allows the attackers to spy on victims. The researchers believe that the Pierogi backdoor is not custom-made, but rather obtained by the MoleRATs group in underground communities. Also, Cybereason found evidence in the code (Ukrainian-language strings embedded in the backdoor) indicating that the malware may have been developed by Ukrainian-speaking hackers.
