The group targets victims in Egypt, UAE, and Yemen

Sep 30, 2015 00:58 GMT

An Arabic-speaking APT group known under the names Gaza Cybergang and Gaza Hackers Team has resurfaced with a new series of attacks targeting the MENA (Middle East and North Africa) region, with increased activity in countries such as Egypt, the United Arab Emirates and Yemen.

The group was first spotted operating in the wild in 2012 and is best known for carrying out the DownExecute and MoleRATs hacking campaigns.

As Kaspersky Lab's Global Research & Analysis Team reports, the APT has become extremely active in the second quarter of 2015.

This latest campaign, besides targeting governments and embassies, seems to be specifically focused on IT (Information Technology) and IR (Incident Response) personnel.

By targeting IT and IR staff, the hackers hope to gain control over their accounts, which, by the nature of those jobs, carry elevated administrative privileges that usually extend across the entire organization rather than a single, compartmentalized department.

Gaza Cybergang infects victims with basic Remote Access Tools

According to Kaspersky's team, to lure their victims into downloading and opening malicious files, the hackers are using two different methods.

The first method specifically targets IT and IR personnel and relies on giving the malicious payloads the names of popular security and recovery software. Some of the names used include Kaspersky.exe, WindowsUpdate.exe, crashreporter.exe, CCleaner.exe, Microsoft Log.exe, and codeblocks.exe.

The second is a little broader and relies on files with politically charged names like "President Mahmoud Abbas cursing Majed Faraj.exe," "Leaked conversation with the Egyptian leader of military forces Sodqi Sobhi.exe," and "Indications of disagreement between Saudi Arabia and UAE.exe."
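As an added illustration (not from the article or the Kaspersky report), the Python heuristic below applies the two lure patterns just described to Windows file paths: a security-tool name sitting in a user-writable folder, and a headline-style title carrying an executable extension. The folder markers and the four-word cut-off are assumptions for the example, and the sample paths are constructed.

```python
import ntpath
import re

# Payload names the report says were chosen to mimic security and recovery software
# (taken from the article); matched case-insensitively against the file name.
IMPERSONATED_NAMES = {
    "kaspersky.exe", "windowsupdate.exe", "crashreporter.exe",
    "ccleaner.exe", "microsoft log.exe", "codeblocks.exe",
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
# Assumption: a genuine copy of these tools never lives in a user-writable drop
# folder, so a matching name there is worth a closer look.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\desktop\\", "\\temp\\", "\\appdata\\")
# Assumption: a lure title reads like a headline; four or more words in an
# executable's name is the cut-off used here.
MIN_HEADLINE_WORDS = 4


def classify(path):
    """Return the reasons a Windows path matches one of the two lure patterns ([] if none)."""
    name = ntpath.basename(path).lower()
    stem, ext = ntpath.splitext(name)
    if ext not in EXECUTABLE_EXTS:
        return []  # only executables are of interest here
    reasons = []
    folder = ntpath.dirname(path).lower() + "\\"
    if name in IMPERSONATED_NAMES and any(m in folder for m in USER_WRITABLE_MARKERS):
        reasons.append("security-tool name in a user-writable folder")
    if len(re.findall(r"[^\W_]+", stem)) >= MIN_HEADLINE_WORDS:
        reasons.append("headline-style title with an executable extension")
    return reasons


def triage(paths):
    """Map each suspicious path to its reasons; clean paths are left out."""
    result = {}
    for p in paths:
        reasons = classify(p)
        if reasons:
            result[p] = reasons
    return result


# Constructed sample: two lures modelled on the article's examples, two benign files.
SAMPLE_PATHS = [
    r"C:\Users\analyst\Downloads\Kaspersky.exe",
    r"C:\Users\analyst\Desktop\President Mahmoud Abbas cursing Majed Faraj.exe",
    r"C:\Program Files (x86)\Kaspersky Lab\Kaspersky.exe",
    r"C:\Users\analyst\Documents\Quarterly network review 2015.pdf",
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_PATHS).items():
        print(path, "->", "; ".join(reasons))
```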

If these fail, the Gaza Cybergang has also been observed using basic phishing campaigns, either targeting Google credentials, or using official-looking domain names like uae.kim and gov.uae.kim.

When one of the targeted individuals falls victim to their scams, their computer is infected with common RATs (Remote Access Tools) like XtremeRAT and PoisonIvy.

Image caption: Scam: President Mahmoud Abbas cursing Majed Faraj.exe
Image caption: Arabic APT targets local Arabic governments