Experts say group may have ties to Hamas

Oct 26, 2016 14:00 GMT  ·  By

An APT group operating out of the Middle East, and most likely out of Palestine, has been engaged in a cyber-espionage campaign that has taken aim at various Middle Eastern and African countries in the Mediterranean Basin.

Several cyber-security firms have tracked the group over the years. Vectra Networks calls it Moonlight, but other names include Gaza Hacker Team, Gaza Cybergang, DownExecute, XtremeRAT, Molerats, and DustSky.

Security firm ClearSky, which tracked several of the group's campaigns, said in June 2016 that the group might have ties to Hamas, a Palestinian organization founded in 1987 that has blurred the lines between a resistance movement and a terrorist group.

Moonlight mainly deploys the H-Worm (Houdini) backdoor

For this particular campaign, identified by Vectra Networks, the group has used spear-phishing emails and social media lures to trick targets into installing the H-Worm malware, a backdoor trojan, which in some cases it then used to compromise the same targets further with a Remote Access Trojan called njRat.

Besides Vectra researchers, the team at Palo Alto Networks also detected a spike in infections with the H-Worm malware, which it broke down on its blog, but it has not so far attributed these incidents to a cyber-espionage group.

The group's main weapon is social engineering

Researchers say the group's campaign lacks the technical sophistication seen in other cyber-espionage groups. The group does not deploy zero-days, nor does it exploit vulnerabilities on its targets' systems.

They rely on good ol' classic social engineering and on designing clever lures that are then used in spear-phishing and social media spam campaigns.

In most instances, the group spreads documents or links with a local socio-political lure, related to the always-complicated Middle Eastern political scene.

Victims are often sent a malicious executable with a double file extension, such as filename.pdf.exe or filename.avi.exe, which installs the H-Worm backdoor (also known as Hworm and Houdini) and opens a decoy document on top, so that the victim sees nothing suspicious.
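The double-extension trick above is easy to catch at a mail gateway or in attachment logs before a user ever double-clicks. The check below is an added example written for this article, not code from Vectra or from the campaign; the extension lists are constructed and not exhaustive, and it also generalizes slightly to names padded with spaces between the decoy and the real extension.

```python
import re
from typing import Dict, Iterable, Optional

# Final extensions that run code when opened on Windows (constructed, partial list).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}
# Extensions a lure borrows to look like a harmless document or media file (constructed list).
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                    "txt", "jpg", "png", "avi", "mp4"}


def deceptive_double_extension(filename: str) -> Optional[str]:
    """Return a short reason if the attachment name pairs a document/media
    decoy extension with a trailing executable extension, otherwise None."""
    # Split from the right into at most three pieces: stem, decoy, final.
    parts = filename.strip().lower().rsplit(".", 2)
    if len(parts) < 3:
        return None  # a single extension cannot be a double-extension lure
    _, decoy, final = (p.strip() for p in parts)  # strip space padding
    if final in EXECUTABLE_EXTENSIONS and decoy in DECOY_EXTENSIONS:
        return f"'.{decoy}' decoy before executable '.{final}'"
    return None


def flag_attachments(names: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious attachment name to the reason it was flagged."""
    flagged = {}
    for name in names:
        reason = deceptive_double_extension(name)
        if reason:
            flagged[name] = reason
    return flagged


# Constructed sample attachment names, not taken from the campaign.
SAMPLE_ATTACHMENTS = [
    "statement.pdf.exe",
    "meeting.avi.exe",
    "report.pdf",
    "archive.tar.gz",
    "Invoice.PDF   .scr",
]

if __name__ == "__main__":
    for name, reason in flag_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"FLAG {name!r}: {reason}")
```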

Most victims are located in Palestine

By tracking the shortened URLs used in the social media spam and spear-phishing emails, Vectra determined that these are targeted attacks, aimed at one victim at a time.

The bulk of the targets are located in countries such as Palestine, Egypt, the US, Jordan, Libya, Iran, Israel, and China.

"Most of these victims are connecting from home networks, and are therefore unidentifiable, though one notable victim is a Palestinian news organization," Vectra's Chris Doman writes.

"Vectra believe the victims from the United States and China are outliers. These infected machines were primarily from university networks and were likely either security researchers sandboxing malware or overseas students targeted for links to their homeland," Doman adds.

[Image: Breakdown of Moonlight APT victims]
