Threat Research

Hamas-Linked WIRTE Expands Middle East Operations with Disruptive Activities

Checkpoint

Summary:

Check Point Research has identified ongoing activities of the WIRTE threat actor, linked to Hamas, which continues its espionage and disruptive operations in the Middle East despite regional conflicts. The group has evolved its tactics, utilizing custom malware and phishing campaigns targeting entities in various countries, including Israel.

Keypoints:

  • WIRTE is a Middle Eastern APT group active since at least 2018, primarily known for politically motivated cyber-espionage.
  • Recent activities have expanded to include disruptive attacks, particularly against Israeli entities.
  • Custom malware used by WIRTE has ties to SameCoin, a wiper malware targeting Israel.
  • The group employs unique domain naming conventions and specific user agent filtering in its operations.
  • WIRTE’s campaigns utilize tools like IronWind for infection chains and Havoc for post-exploitation.
  • Phishing campaigns have been identified, leveraging deceptive lures related to current events in the Middle East.
  • WIRTE’s activities persist despite ongoing conflicts, indicating a strong affiliation with Hamas.

MITRE Techniques

  • Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
  • Execution (T1203): Exploits vulnerabilities in software to execute malicious code.
  • Credential Dumping (T1003): Collects credentials from compromised systems.
  • Data Encrypted for Impact (T1486): Encrypts data to disrupt access to systems and information.
  • Phishing (T1566): Uses deceptive emails to trick users into executing malicious payloads.

IoC:

  • Domains: saudiday[.]org, jordansons[.]com, egyptican[.]com, healthcarb[.]com, inclusive-economy[.]com, master-dental[.]com, bankjordan[.]com, egyptskytours[.]com, jordanrefugees[.]com, egypttourism-online[.]com, healthoptionstoday[.]com, healthscratches[.]com, theshortner[.]com
  • IP Addresses: 185.158.248[.]161, 193.168.141[.]29, 140.99.164[.]56, 160.119.251[.]181, 188.92.78[.]148, 213.252.244[.]234, 80.77.25[.]49, 193.168.141[.]61, 37.120.247[.]100, 185.225.70[.]168
  • Hashes: b7c5af2d7e1eb7651b1fe3a224121d3461f3473d081990c02ef8ab4ace13f785

Full Research: https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/

Tags: full, CREDENTIAL, APT, PHISHING, IMPACT