A threat player tracked as WIRTE has been attacking Middle East govts. since at least 2019 using “living-off-the-land” techniques & malicious Excel 4.0 macros.
Kaspersky researchers think that the cyber-attackers may be a sub-group of the politically motivated, ‘Gaza Cybergang.’
On Mon, Kaspersky reported that it observed the group in Feb. using Microsoft Excel droppers, which placed hidden spreadsheets & VBA macros to launch intrusions, fingerprint systems & execute code on infected machines.
Static Kitten
Researchers stated that the 1st-stage ‘implants’ look similar to the 1st-stage VBS implant used by the Muddy Water advanced persistent threat (APT) player for reconnaissance & profiling (aka Mercury, Static Kitten or Seedworm). Whatever it is called, Muddy Water has historically targeted govt. victims in the ME to obtain data.
In April 2019, Kaspersky Lab reported that it had observed Muddy Water exfiltrating data such as credentials from governmental & telco targets in the ME, using a relatively simple, expendable set of tools that revealed a moderately sophisticated threat player at work – with the potential to get even more dangerous over time.
Different TTPs Than Muddy Water’s
Although the most recent intrusion sets look similar to a new Muddy Water 1st-stage VBS implant used for reconnaissance & profiling, they use slightly different tactics, techniques & procedures (TTPs), Kaspersky stated.
Specifically, the threat player has expanded Muddy Water’s targeting: Most victims are still ME govt. & diplomatic bodies, but the attacks are now also being launched against what researchers called the “unusual” victims of law firms & financial institutions.
Known Victims
“To date, most of the known victims are located in the ME, but there are also targets in other regions,” according to the report.
“Various industries are affected by this campaign. The main focus is on govt. & diplomatic entities, though we also noticed an unusual targeting of law firms & financial institutions.”
The targeted bodies are located in Armenia, Cyprus, Egypt, Jordan, Lebanon, the Palestinian Authority, Syria & Turkey.
WIRTE Possibly Tied to Gaza Cybergang
The APT is, in fact, a lesser-known actor named WIRTE, 1st publicly referenced by Lab52 in 2019, Kaspersky said: a group that it suspects, with low confidence, might be related to the Gaza Cybergang threat player.
Gaza Cybergang is an Arabic-speaking, politically motivated ‘collective’ of related threat groups that was actively targeting the ME & N. Africa from a year ago. According to Kaspersky’s previous research, Gaza Cybergang had a particular focus on Palestinian Territories.
.EXE Disguised as ‘Kaspersky Update Agent’
The infection chains started with spear-phishing emails carrying a malicious Microsoft Excel/Word document as the initial attack vector. The documents carry embedded VBA macros designed to deliver a malicious payload.
To encourage targets to trigger the Excel dropper, WIRTE dressed-up its phishing emails with logos & branding of the targeted body, or topics that were trending in their region. In 1 case, the gang imitated the Palestinian Authority, Kaspersky observed.
Actually an Executable
The group also stole Kaspersky’s name, putting a fake “Kaspersky Update Agent” label onto what is actually an executable that drops the VBS implant.
Researchers could not confirm whether the executable was also distributed through email or whether the threat player downloaded it further along in the infection chain after initial penetration, but it has the same execution flow as the Excel 4.0 macros, they explained.
After a target opens the Excel dropper & disables the protected mode, it executes a series of formulas placed in a hidden column. The main spreadsheet, which requested the target to “enable editing,” is hidden. Then, the dropper unhides a secondary spreadsheet with a decoy.
3 Anti-Sandbox Checks
Then the dropper runs formulas from a 3rd spreadsheet with hidden columns, which runs these 3 anti-sandbox checks:
- Get the name of the environment in which Excel is running, along with version number.
- Check if a mouse is present.
- Check if the host computer can play sounds.
The process will halt if any of those checks fail. Otherwise, the macro opens a temporary %ProgramData%\winrm.txt file, saves a VBS stager to %ProgramData%\winrm.vbs & adds a pair of registry keys, for persistence via Component Object Model (COM) hijacking.
PowerShell
Afterwards, the macro writes a snippet of PowerShell wrapped in VB code into %ProgramData%. Kaspersky is calling this snippet the “LitePower” stager: A stager that downloads payloads & receives marching orders from the command-&-control (C2) servers.
These are the commands Kaspersky noted during the intrusions:
- List local disk drives
- Get list of antivirus software installed
- Check if current user has admin privileges
- Get OS architecture
- Check for backdoor services
- Check for the registry keys added for COM hijacking
- List all hotfixes installed
- Take screenshots & save to %AppData% before sending them to the C2 via a POST request
C2 Servers
Researchers identified C2 domains dating to at least Dec. 2019, some of which were tucked behind CloudFlare to obscure their real C2 IP addresses.
With help from partners, Kaspersky managed to check some original C2 IP addresses, which showed that the servers are hosted in Ukraine & Estonia.
Communication Methods
Newly observed attacks performed by the threat player show the use of different communication methods compared with older attacks, but the same ports & similar PowerShell IEX command execution & sleep functions were employed in all attacks, Kaspersky explains.
WIRTE’s newly observed intrusions use different communication methods than older attacks, but the same ports, as well as similar PowerShell IEX command execution & sleep functions were employed in all attacks, Kaspersky commented.
In past attacks, the attacker has used regsvr32.exe as a living-off-the-land (LotL) technique. In recent incidents, however, the player switched to another LotL technique, including COM hijacking.
Recent Intrusions
Either way, the working directory is %ProgramData%, researchers noted – just another similarity that suggests that WIRTE is behind recent intrusions. “All in all, we believe that all these similarities are a strong indication that the attacks described in this report were conducted by the WIRTE threat actor,” Kaspersky outlined.
“We assess with low confidence that WIRTE is a subgroup under the Gaza Cybergang umbrella,” states the report.
“Although the 3 sub-groups we are tracking use entirely different TTPs, they all occasionally use decoys associated with Palestinian issues, which haven’t been seen commonly used by other threat players, particularly those operating in the ME region such as Muddy Water & Oilrig.”
Modified Toolset
A modified toolset allowed WIRTE to hide for years, researchers added.
The LotL techniques are “an interesting new addition to their TTPs, while the use of interpreted language malware such as VBS & PowerShell scripts distinguishes this suspected Gaza Cybergang from other subgroups, given that it gives them flexibility to “update their toolset & avoid static detection controls,” Kaspersky suggested.
“Whether WIRTE is a new subgroup or an evolution of existing Gaza Cybergang sub-groups, we see them expanding their presence further in cyberspace by using updated & stealthier TTPs,” the firm concluded.
https://www.cybernewsgroup.co.uk/virtual-conference-december-2021/
