Security researchers from Check Point Threat Intelligence Team have discovered the comeback of an APT (advanced persistent threat) surveillance group targeting institutions across the Middle East, specifically the Palestinian Authority.

The attack, dubbed “Big Bang,” begins with a phishing email sent to targeted victims that includes an attachment of a self-extracting archive containing two files—a Word document and a malicious executable.

Posing to be from the Palestinian Political and National Guidance Commission, the Word document serves as a decoy to distract victims while the malware is installed in the background.

The malicious executable, which runs in the background, act as the first stage info-stealer malware designed for intelligence gathering to identify potential victims (on the basis of what is unclear as of now), and then it accordingly downloads the second stage malware designed for espionage.

The malware is capable of sending a lot of information from the infected machines to the attackers’ Command and Control server, including screenshots of the infected computer, a list of documents with file extensions including .doc, .odt, .xls, .ppt, .pdf and more, and logging details about the system.

Besides this, the malware also includes a few more modules to execute any file it receives from the server, enumerate running processes, terminate a running process by name, as well as send a list of partitions found on the infected machine.

The malware also includes modules to self-destruct itself by deleting the payload from the startup folder and deleting the actual file, and reboot the infected system.

Researchers believe these attacks could be related to the Gaza Cybergang APT group, an Arabic-language, politically-motivated cybercriminal group, who are operating since 2012 and targeted oil and gas organization the Middle East North African region.

However, according to the researchers, it is still not yet confirmed exactly which threat group is behind this campaign.

 

Source

https://thehackernews.com/2018/07/gaza-palestin-hacker.html