High-profile public and private entities in the Middle East have been targeted in a stealthy malware campaign dating back to at least 2019. The threat actor behind these targeted attacks is known as WIRTE, a group suspected to be part of the Gaza Cybergang, which is known for its politically motivated attacks against victims in the Middle East, Europe, and the United States.
WIRTE's main infection vector is malicious Office documents delivered via phishing emails. Both the emails and the documents are crafted to entice the targeted user into opening them, using logos and themes that mimic brands or authorities relevant to the organization. The initial dropper uses formulas in a hidden column to perform several anti-sandbox checks, including retrieving the name of the environment, checking whether a mouse is present, and checking whether the host can play sounds. If all of these checks pass, the malware drops a VBS script that uses COM hijacking to establish persistence on the machine. Finally, it drops a PowerShell payload known as LitePower into the ProgramData folder on the system; LitePower is then used to exchange commands with the command and control (C2) server.
The C2 domains used in these attacks are fronted by Cloudflare, which makes it difficult to determine where the servers are actually located. Some of these C2s have nonetheless been found to be hosted in Ukraine and Estonia. Some of the domains also date back as far as December 2019, indicating that WIRTE has evaded detection and analysis for long periods of time.
Appropriate email security controls should be in place to help keep phishing emails out of users' inboxes. Where possible, Office macros should be disabled entirely, as they are one of the most common initial access vectors threat actors use to compromise a system. The tactics and techniques this threat actor relies on are also detectable with a strong logging and detection platform; Binary Defense's Managed Detection and Response service is a great asset to assist with this detection need.
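As an added example (not code from the original post, from Binary Defense, or from any analysis of WIRTE's tooling), the following Python script turns the three stages of the infection chain described above into detection rules and runs them over constructed Sysmon-style events: an Office application spawning a script host (the dropped VBS), a per-user CLSID server registration written by a non-installer process (COM hijacking persistence), and PowerShell executing a script from under ProgramData (the LitePower drop location). All process paths, PIDs, the CLSID, and the "installer" allow-list are assumptions made up for illustration and would need tuning against real telemetry.

```python
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Assumption: processes legitimately allowed to register COM servers; tune per environment.
INSTALLER_IMAGES = {"msiexec.exe", "setup.exe"}


@dataclass
class Event:
    kind: str                 # "process" (process creation) or "registry" (value set)
    pid: int
    image: str                # full path of the acting process
    parent_image: str = ""    # parent process path (process events only)
    cmdline: str = ""         # command line (process events only)
    target: str = ""          # registry key written (registry events only)


def image_name(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_office_spawns_script_host(ev: Event) -> bool:
    """Stage 1: an Office application launching a script interpreter (the dropped VBS)."""
    return (ev.kind == "process"
            and image_name(ev.parent_image) in OFFICE_APPS
            and image_name(ev.image) in SCRIPT_HOSTS)


def rule_com_hijack_persistence(ev: Event) -> bool:
    """Stage 2: a per-user CLSID server registration written by something other than an installer.

    Per-user CLSID entries (HKCU, which Sysmon reports under HKU with the user's SID)
    take precedence over the machine-wide ones in HKLM, which is what makes COM
    hijacking usable as persistence and why HKLM writes by installers are ignored here.
    """
    key = ev.target.lower()
    per_user = key.startswith("hkcu\\") or key.startswith("hku\\")
    return (ev.kind == "registry"
            and per_user
            and "\\software\\classes\\clsid\\" in key
            and key.endswith(("\\inprocserver32", "\\localserver32"))
            and image_name(ev.image) not in INSTALLER_IMAGES)


def rule_powershell_from_programdata(ev: Event) -> bool:
    """Stage 3: PowerShell executing a script file stored under ProgramData."""
    cmd = ev.cmdline.lower()
    return (ev.kind == "process"
            and image_name(ev.image) == "powershell.exe"
            and "\\programdata\\" in cmd
            and ".ps1" in cmd)


RULES = {
    "office_spawns_script_host": rule_office_spawns_script_host,
    "com_hijack_persistence": rule_com_hijack_persistence,
    "powershell_from_programdata": rule_powershell_from_programdata,
}


def evaluate(events):
    """Run every rule over every event; return the (rule_name, pid) pairs that fired."""
    return [(name, ev.pid) for ev in events for name, rule in RULES.items() if rule(ev)]


def chain_detected(hits) -> bool:
    """High-confidence verdict: all three stages of the chain were observed on the host."""
    return {name for name, _ in hits} == set(RULES)


# Constructed Sysmon-style events for illustration; paths, PIDs and the CLSID are made up.
SAMPLE_EVENTS = [
    Event("process", 4212, r"C:\Windows\System32\wscript.exe",
          parent_image=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          cmdline=r"wscript.exe C:\Users\alice\AppData\Local\Temp\upd.vbs"),
    Event("registry", 4212, r"C:\Windows\System32\wscript.exe",
          target=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID"
                 r"\{00000000-0000-0000-0000-000000000000}\InprocServer32"),
    Event("process", 4300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\System32\svchost.exe",
          cmdline=r"powershell.exe -File C:\ProgramData\Updater\lp.ps1"),
    # Benign: a machine-wide COM registration performed by an installer.
    Event("registry", 5000, r"C:\Windows\System32\msiexec.exe",
          target=r"HKLM\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32"),
    # Benign: a user opening Excel from Explorer.
    Event("process", 4100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          parent_image=r"C:\Windows\explorer.exe",
          cmdline=r"EXCEL.EXE C:\Users\alice\Downloads\report.xlsx"),
]


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for name, pid in found:
        print(f"{name}: pid {pid}")
    print("full chain observed:", chain_detected(found))
```

Each rule on its own will produce some noise in a real estate (administrators do run scripts from ProgramData, and some software legitimately writes per-user CLSID entries), which is why `chain_detected` only escalates when all three stages are seen together; in a production SIEM the correlation would additionally be scoped to one host and a short time window.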