A lesser-known threat actor group named WIRTE has been found to be active since 2019. While the group is touted to have relations with the Gaza threat actor gang, the intrusion process appears to be similar to the MuddyWater group.
Who are the targets?
- According to Kaspersky’s Securelist threat report, the threat actor has targeted a majority of industries in the Middle East. The affected entities are located in Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey.
- The variety of verticals include diplomatic and financial organizations, government, law firms, military organizations, and technology companies.
Assessing threat actor’s intrusion process
- The initial attack process begins with spear-phishing emails written in the Arabic language, occasionally associated with Palestinian matters.
- These emails include documents, which if opened, cause the execution of VB script macros designed to download the payload, which in one case was named Ferocious dropper.
- In some cases, researchers also observed a fake Kaspersky Update executable acting as a dropper for the VBS implant.
Evasion techniques modified
- Since its inception, WIRTE modified its toolset to remain stealthy for a longer period of time.
- Living-off-the-Land (LotL) is one such technique added recently to its toolset.
- This suspected subgroup of Gaza cybergang had used this effective method to compromise its victims with better OpSec than its suspected counterparts.
Conclusion
It is quite interesting to note that WIRTE operators are using simple and common TTPs to stay under the radar for a long time. However, researchers indicate that this alleged new subgroup of the Gaza cybergang is likely to expand its presence in cyberspace by using updated and stealthier TTPs.
Source: https://cyware.com/news/wirte-apt-campaign-active-since-2019-058761e4
