Kaspersky Lab warns about the activity of an Arabic-speaking cyber-criminal group given the name ‘The Gaza cyber-gang’ by the cybersecurity experts. It is operating in the Middle East and North Africa (MENA) region, mainly in Egypt, the United Arab Emirates and Yemen. The group has been operating since 2012 and became particularly active in the second and third quarters of 2015. The attackers focus on government entities, especially embassies, and primarily target information technology (IT) and incident response (IR) staff.
The Gaza cyber-gang actively sends malware files to IT and IR staff. IT personnel are known to have more access and permissions inside their organisations than other employees, mainly because they need to manage and operate the infrastructure. As a result gaining access to their devices can be worth far more to the cyber-criminals than those of normal users in the corporate network. Likewise, individuals working within IR are prime targets as they also have access to a wealth of sensitive data relating to ongoing cyber investigations within their organisations, as well as special access and permissions enabling them to hunt for malicious or suspicious activities on the network.
Despite the fact they are targeting high-level entities such as government bodies, the Gaza team uses well-known remote administration tools (RAT) – XtremeRAT and PoisonIvy – spreading infections via phishing scams. Using simple infection tools, they successfully hit their targets with crafted social engineering tricks, using special file names, content and domain names (e.g. gov.uae.k*m) that help the group in their hunt for targets. Examples of file names that have delivered malware to a victim’s machine, include:
- “Indications of disagreement between Saudi Arabia and UAE.exe”,
- “Wikileaks documents on Sheikh.exe”,
- “Scandalous pictures of Egyptian militants, judges and consultants”,
- “President Mahmoud Abbas cursing Majed Faraj.exe”,
- “Leaked conversation with the Egyptian leader of military forces Sodqi Sobhi.exe”,
- “Secret_Report.exe”,
- “Military Police less military sexual offenses, drug offenses more.exe”
“According to the list of targets, which includes government entities in the Middle East and North Africa region, we’re witnessing politically motivated cyber-attacks. By gaining control of computers with greater access to the system, the cyber-criminals increase their chances of stealing valuable information and are much more likely to cause significant damage. As attribution is the most complicated – often impossible – task when analysing a malicious cyber-campaign, we don’t as yet know who is behind it,” says Mohammad Amin Hasbini, Senior Security Researcher, Global Research & Analysis Team, Kaspersky Lab.
In order to reduce the risk of being infected by the group’s malicious tools, Kaspersky Lab experts recommend the following measures:
- Be wary of emails with attachments;
- Keep software updated, especially software that is widely used and often exploited by cyber-criminals;
- If you are aware of any vulnerabilities in the software on your device but there is no patch for it yet, avoid using this software;
- Use a proven anti-malware solution.
To find out more, please read the related blog post available at Securelist.com.
