13 February 2020

Hamas-linked hackers target victims in Palestinian territories

A new cyber-espionage campaign has been uncovered in the Middle East which is directed at entities and individuals in the Palestinian territories. The attacks are believed to be the work of a group known as MoleRATs (The Gaza Cybergang), an Arabic-speaking threat actor that has been operating in the Middle East since 2012.

According to the Boston-based cybersecurity company Cybereason, there are two separate campaigns happening simultaneously. One of them dubbed “The Spark Campaign” attempts to infect targets (mainly from the Palestinian territories) with the Spark backdoor using social engineering. The campaign lures victims with content related to recent geopolitical events, namely the Israeli-Palestinian conflict, the assassination of Qasem Soleimani, and the ongoing conflict between Hamas and Fatah Palestinian movements.

If victims open the emails and attached malicious files that come in the form of Microsoft Office documents, .PDF, and archive files, an additional archive file from Egnyte or Dropbox is dropped on the system. This archive contains an executable which is the Spark backdoor dropper.

To stay hidden from security solutions, the creators of the Spark backdoor use several techniques. More specifically, they pack the malware with a powerful commercial tool called Enigma Packer and implement language checks to ensure the victims are Arabic speakers, minimizing the risk of detection and of infecting unintended victims.

The second campaign, which the researchers called “The Pierogi Campaign”, also leverages social engineering tricks to infect victims, but in this case the payload is a new, undocumented RAT dubbed Pierogi. First discovered in December 2019, this RAT allows the attackers to spy on victims. The researchers believe that the Pierogi backdoor is not custom-made, but rather was obtained by the MoleRATs group in underground communities. Cybereason also found evidence in the code (Ukrainian-language strings embedded in the backdoor) indicating that the malware may have been developed by Ukrainian-speaking hackers.

