Kaspersky Lab has uncovered a cyber-espionage campaign run by the politically motivated, Arabic-speaking Gaza group, which operates across the Middle East and North Africa.
The campaign, most active between April and November 2018, proved highly effective despite relying on very simple and inexpensive tools: infection began with ordinary phishing emails. Roughly 240 individuals and organizations in 39 countries with political interests in the Middle East were targeted, including government departments, political parties, embassies and diplomatic missions, news agencies, educational and medical institutions, banks, contractors, civil society activists and journalists. The largest number of attacks was recorded in the Palestinian territories, Jordan, Israel and Lebanon.
The campaign was named SneakyPastes, after the verbs paste (as in pasting text from the clipboard) and sneak (to slip in unnoticed), because the attackers made heavy use of websites that allow text and files to be shared quickly (pastebin.com, github.com, mailimg.com, upload.cat, dev-point.com and pomf.cat) to slip a remote-access trojan onto the system. The malware communicated with its command-and-control (C2) server and then collected, compressed, encrypted and sent a wide range of stolen documents to its operators.
In its attacks the Gaza group uses methods and tools of varying sophistication, and Kaspersky Lab researchers distinguish at least three subgroups: Operation Parliament, known since 2018; Desert Falcons, known since 2015; and MoleRats, active since at least 2012. All of them pursue similar goals but use different tools and techniques to achieve them, which they partly share with one another.
In the SneakyPastes campaign the group runs multi-stage attacks. They begin with classic phishing emails sent from disposable addresses and single-use domains (including bit-degree.com, mail4gmail.com and careless-whisper.com). Sometimes the emails contain only links to the malware; sometimes infected files are attached directly. If the victim opens such a file (or follows the link), the first-stage malware lands on the device and starts the infection chain.
The attackers' emails, designed to lower the reader's guard, are usually on political topics: either purported minutes of negotiations between politicians or fake messages from respected organizations. Examples of such emails can be found in the researchers' report.
Having infected the victim's computer with the first-stage malware, the attackers seek to gain a foothold on the device, hide from security products and protect the command server as far as possible. As noted above, they rely on public services such as Pastebin and GitHub to organize the subsequent stages of the attack (including malware delivery) and, most importantly, to communicate with the command server.
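The dead-drop pattern described above, with staging and C2 traffic hidden among requests to public paste and upload services, is something defenders can hunt for in web proxy logs. The following is an added example written for this article, not code from Kaspersky's report or from the attackers' toolset: it runs over a constructed proxy log (the log format, hostnames, URL paths, byte sizes and thresholds are all assumptions) and flags hosts that contact the rarely-used services named above, make large uploads to any of them, or poll a single paste URL at a fixed interval.

```python
"""Hunt for SneakyPastes-style dead-drop C2 in proxy logs (constructed example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Services the article names as abused for staging and C2. github.com and
# pastebin.com are high-noise on most networks and must be baselined; the
# others are rarely seen in legitimate traffic, so a single hit is worth a look.
PASTE_SERVICES = {
    "pastebin.com": "noisy",
    "github.com": "noisy",
    "mailimg.com": "rare",
    "upload.cat": "rare",
    "dev-point.com": "rare",
    "pomf.cat": "rare",
}

# Constructed sample log, not real telemetry. Assumed format:
# "<iso-timestamp> <source-host> <method> <url> <status> <bytes>"
SAMPLE_LOG = """\
2018-09-03T08:00:02 dev-box01 GET https://github.com/org/repo/pull/42 200 51234
2018-09-03T08:04:17 dev-box01 GET https://github.com/org/repo/issues 200 40211
2018-09-03T09:30:00 dev-box01 GET https://github.com/org/other 200 39012
2018-09-03T08:00:00 ws-finance-17 GET https://pastebin.com/raw/Ab12Cd34 200 612
2018-09-03T08:05:00 ws-finance-17 GET https://pastebin.com/raw/Ab12Cd34 200 612
2018-09-03T08:10:01 ws-finance-17 GET https://pastebin.com/raw/Ab12Cd34 200 612
2018-09-03T08:15:00 ws-finance-17 GET https://pastebin.com/raw/Ab12Cd34 200 612
2018-09-03T08:20:00 ws-finance-17 GET https://pastebin.com/raw/Ab12Cd34 200 612
2018-09-03T08:25:01 ws-finance-17 GET https://pastebin.com/raw/Ab12Cd34 200 612
2018-09-03T08:31:40 ws-finance-17 POST https://pomf.cat/upload.php 200 2097152
2018-09-03T10:12:09 laptop-press-03 GET https://www.bbc.co.uk/news 200 88123
2018-09-03T10:14:30 laptop-press-03 POST https://upload.cat/ 200 1572864
"""


def parse_log(text):
    """Parse the constructed proxy lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, host, method, url, _status, size = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "method": method,
            "url": url,
            "domain": urlparse(url).hostname or "",
            "bytes": int(size),
        })
    return events


def service_of(domain):
    """Return the matching paste service (exact host or any subdomain), else None."""
    for svc in PASTE_SERVICES:
        if domain == svc or domain.endswith("." + svc):
            return svc
    return None


def is_periodic(timestamps, min_hits=5, max_jitter=0.2):
    """True if at least min_hits requests arrive at a near-constant interval (beaconing)."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter


def find_suspicious_hosts(events, upload_bytes=512 * 1024):
    """Return {host: [reasons]} for hosts whose paste-service use looks like C2 or exfil."""
    by_host_url = defaultdict(list)
    reasons = defaultdict(list)
    for ev in events:
        svc = service_of(ev["domain"])
        if svc is None:
            continue
        if PASTE_SERVICES[svc] == "rare":
            reasons[ev["host"]].append(f"contacted rarely-used service {svc}")
        if ev["method"] == "POST" and ev["bytes"] >= upload_bytes:
            reasons[ev["host"]].append(f"large upload ({ev['bytes']} bytes) to {svc}")
        by_host_url[(ev["host"], ev["url"])].append(ev["ts"])
    # Fixed-interval polling of one URL on a noisy service is the dead-drop signature.
    for (host, url), stamps in by_host_url.items():
        if is_periodic(stamps):
            reasons[host].append(f"periodic polling of {url} ({len(stamps)} hits)")
    return {h: list(dict.fromkeys(r)) for h, r in reasons.items()}


if __name__ == "__main__":
    for host, why in find_suspicious_hosts(parse_log(SAMPLE_LOG)).items():
        print(host, "->", "; ".join(why))
```

In the sample, the developer workstation browsing GitHub is not flagged, while the finance workstation polling one Pastebin raw URL every five minutes and then uploading two megabytes to pomf.cat is. Presence of github.com or pastebin.com alone is deliberately not an alert; those domains only contribute through the periodicity and upload heuristics, and the thresholds should be tuned against a baseline of the network's normal traffic before use.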
The end result is a RAT with extensive capabilities installed on the victim's device. Among other things, it can download and upload files, launch applications, search for documents and encrypt data. In practice the RAT locates all PDF, DOC, DOCX and XLSX documents on the victim's computer, stages them in temporary folders, then sorts, archives and encrypts them and sends them in that form to the command server through a chain of domains.