Researchers have detailed the activity of a threat actor named WIRTE that is targeting government, diplomatic entities, military organizations, law firms, and financial institutions in Middle East.
The group is a politically motivated threat actor linked to the Gaza Cybergang. Other victims targeted by the group are in Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey.
The group launched spear phishing campaigns using weaponized Microsoft Office documents to deploy VBS/VBA implants. The weaponized Excel documents acted as droppers that use hidden spreadsheets and VBA macros to deliver a first stage implant, which is a VBS. The VBS implant is a script that collects system information and executes arbitrary code on the infected machine.
The first stage implant also downloads and installs a next stage dropper named Ferocious that leverages a LotL technique called COM hijacking to achieve persistence and and execute another PowerShell script dubbed LitePower Stager
The LitePower stager is a small PowerShell implant that acts as a downloader and secondary stager used to execute commands sent by the C2, it also allow to download and deploy further malware. The experts were able to locate C2 servers in Ukraine and Estonia.
With initial sample analysis, the C2 domain we observed was stgeorgebankers[.]com. After conducting pivots through malware samples, we were able to identify multiple C2 domains that date back to at least December 2019.These C2 domains were occasionally behind CloudFlare to obscure the real C2 IP address. Thanks to collaboration with our partners, we were able to gather some of the original C2 IP addresses, which allowed us to discover that the servers are hosted in Ukraine and Estonia.
WIRTE operators remain under the radar for a long period of time, the attacks against law firms and financial institutions represent an important switch for a group that is politically motivated.