As early as 2019, a covert malware campaign used malicious Microsoft Excel and Word documents to target government, diplomatic agencies, military groups, law firms, and financial institutions predominantly based in the Middle East.
The intrusions involved “MS Excel droppers that use hidden spreadsheets and VBA macros to drop their first stage implant,” which is a Visual Basic Script (VBS) with functionality to collect system information and execute arbitrary code sent by the attackers on the infected machine, according to Russian cybersecurity company Kaspersky.
The researchers concluded with low confidence that the WIRTE group has ties to another politically motivated collective known as the Gaza Cyber gang after studying the campaign as well as the adversary’s toolset and methodology. Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey are among the countries affected.
“WIRTE operators deploy simple and rather common TTP that has allowed them to go undetected for a long time,” said Maher Yamout, a Kaspersky researcher. “This suspected Gaza Cyber gang subgroup used simple yet successful tactics to compromise its victims with stronger OpSec than its suspected rivals,” says the report.
According to Kaspersky, the infection process incorporates decoy Microsoft Office documents that deploy Visual Basic Script (VBS), which could be transmitted via spear-phishing emails ostensibly relating to Palestinian issues or other popular themes that are tailored to the targeted victims.
The Excel droppers, on the other hand, utilize malicious macros to download and install a next-stage implant known as Ferocious on recipients’ devices, and the Word document droppers use VBA macros to do the same. The Ferocious dropper, which is made up of VBS and PowerShell scripts, uses a living-off-the-land (LotL) technique known as COM hijacking to establish persistence and initiates the execution of a PowerShell script known as LitePower.
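As an added defender-side example (not code from the Kaspersky report or this article), the PowerShell hunt below lists COM registrations in the current user's hive that shadow machine-wide CLSIDs or point at script hosts and user-writable paths, which is the registry footprint that COM hijacking for persistence typically leaves. The registry roots, the "suspicious" heuristics and the path patterns are assumptions for illustration, not indicators from the WIRTE campaign.

```powershell
# Hunt for per-user COM server registrations that override machine-wide ones.
# Assumptions (not from the report): run in the context of the user under review,
# Windows PowerShell 5.1 or later; the heuristics below are illustrative only.
function Get-UserComOverrides {
    [CmdletBinding()]
    param(
        [string]$UserClsidRoot    = 'HKCU:\Software\Classes\CLSID',
        [string]$MachineClsidRoot = 'HKLM:\Software\Classes\CLSID'
    )

    if (-not (Test-Path $UserClsidRoot)) { return @() }

    # Interpreters and script extensions that rarely belong in a COM server path.
    $scriptHosts = 'wscript\.exe|cscript\.exe|powershell\.exe|mshta\.exe|rundll32\.exe|\.vbs\b|\.ps1\b|\.js\b'
    # Locations a standard user can write to without elevation.
    $userWritable = '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\'

    foreach ($clsidKey in Get-ChildItem -Path $UserClsidRoot -ErrorAction SilentlyContinue) {
        $clsid = $clsidKey.PSChildName
        foreach ($serverKind in 'InprocServer32', 'LocalServer32', 'TreatAs') {
            $serverKey = Join-Path -Path $UserClsidRoot -ChildPath "$clsid\$serverKind"
            if (-not (Test-Path $serverKey)) { continue }

            # The (Default) value holds the DLL path, the command line, or the redirected CLSID.
            $target = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
            # HKCU entries win over HKLM in the merged HKCR view, so a matching HKLM key
            # means the user-hive entry silently replaces a legitimate component.
            # (64-bit hosts may also need the Wow6432Node\CLSID branch checked.)
            $shadowsMachine = Test-Path (Join-Path -Path $MachineClsidRoot -ChildPath $clsid)
            $suspicious = ($target -match $scriptHosts) -or
                          ($target -match $userWritable) -or
                          ($shadowsMachine -and $serverKind -eq 'TreatAs')

            [pscustomobject]@{
                Clsid          = $clsid
                ServerKind     = $serverKind
                Target         = $target
                ShadowsMachine = $shadowsMachine
                Suspicious     = $suspicious
            }
        }
    }
}

Get-UserComOverrides | Where-Object { $_.ShadowsMachine -or $_.Suspicious } |
    Sort-Object ShadowsMachine, Suspicious -Descending |
    Format-Table -AutoSize
```

Every hit needs triage against known-good per-user registrations (some installers legitimately write to HKCU\Software\Classes), but a shadowed CLSID whose server is a script host in a user-writable directory is a strong lead.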
LitePower, a PowerShell script, acts as a downloader and secondary stager, connecting to remote command-and-control servers in Ukraine and Estonia, some of which date back to December 2019, and waiting for further commands that could lead to the deployment of additional malware on compromised systems.
“To be inconspicuous for a longer amount of time, WIRTE changed their toolkit and how they operate. Techniques for living off the land (LotL) are an exciting new addition to their TTP,” Yamout said. “Unlike the other Gaza Cyber gang subgroups, using interpreted language malware like VBS and PowerShell scripts allows them to update their toolset and circumvent static detection controls.”