Middle East organisations targeted by a recent malware campaign

January 10, 2022
Tags: Middle East, Cyberattack, Malware Campaign, Spear Phishing, WIRTE Threat Group, VBA, PowerShell

Security analysts have recently identified a stealthy malware campaign targeting government and military organisations, financial institutions, diplomatic entities, and law firms in the Middle East. The campaign, which began around 2019, relies on malicious Microsoft Word and Excel files.

Security experts attributed the attacks against these sectors to a threat group called WIRTE, based on the intrusion tactics the researchers observed. The first stage of the attack uses MS Excel dropper files containing hidden spreadsheets and Visual Basic for Applications (VBA) macros. The macro can collect extensive system data and execute arbitrary code sent by the threat actors to the targeted device.

Analysis of the campaign’s toolset and tactics concluded that the WIRTE group could be linked to, and is believed to be a subgroup of, another politically motivated threat group dubbed the Gaza Cybergang.


The affected entities are located in Turkey, Syria, Palestine, Lebanon, Jordan, Egypt, Cyprus, and Armenia.


According to the analysts, the WIRTE operators use common TTPs that allow them to remain undetected for long periods. The threat actors initially deploy malicious MS Office documents carrying Visual Basic Script (VBS), spread via spear-phishing emails that purport to discuss the situation in Palestine and related topics likely to lure the victims.
The MS Excel droppers execute malicious macros that download and install the next attack stage, called Ferocious, on the victims’ devices. The MS Word droppers use VBA macros to download the same malware.
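The Excel droppers described above combine two traits a defender can check for mechanically: worksheets marked hidden or "veryHidden" in the workbook definition, and an embedded VBA project. The following Python script is an added example, not code from the article or from any vendor report; it builds a constructed, minimal OOXML-style workbook in memory (the VBA part is a placeholder byte string, not a macro) and then triages it with only the standard library. The function and file names are assumptions chosen for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by xl/workbook.xml
SS_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS = {"m": SS_NS}


def build_sample_workbook(hidden_sheets: bool, with_vba: bool) -> bytes:
    """Constructed sample: a minimal zip laid out like an .xlsm workbook.
    The vbaProject.bin content is a placeholder byte string, not a real macro."""
    sheets = ['<sheet name="Invoice" sheetId="1" r:id="rId1"/>']
    if hidden_sheets:
        sheets.append('<sheet name="Sheet2" sheetId="2" state="hidden" r:id="rId2"/>')
        sheets.append('<sheet name="Macro1" sheetId="3" state="veryHidden" r:id="rId3"/>')
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<workbook xmlns="{SS_NS}" xmlns:r="{REL_NS}"><sheets>'
        + "".join(sheets) + "</sheets></workbook>"
    )
    main_ct = ("application/vnd.ms-excel.sheet.macroEnabled.main+xml" if with_vba
               else "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>'
        + ('<Override PartName="/xl/vbaProject.bin" '
           'ContentType="application/vnd.ms-office.vbaProject"/>' if with_vba else "")
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", workbook_xml)
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"PLACEHOLDER-VBA-PROJECT")  # constructed
    return buf.getvalue()


def triage_workbook(data: bytes) -> dict:
    """Inspect an OOXML workbook for the two dropper traits named in the article:
    non-visible sheets and an embedded VBA project. Returns a findings dict."""
    findings = {"hidden_sheets": [], "has_vba": False, "macro_enabled": False,
                "suspicious": False, "error": None}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy binary .xls (OLE2) or a corrupt file needs a different parser (e.g. oletools)
        findings["error"] = "not an OOXML (zip) container"
        return findings
    with zf:
        names = zf.namelist()
        findings["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["macro_enabled"] = "macroEnabled" in ct or "vbaProject" in ct
        if "xl/workbook.xml" in names:
            root = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in root.iterfind("m:sheets/m:sheet", NS):
                # Sheet visibility is absent/"visible", "hidden", or "veryHidden";
                # "veryHidden" cannot be unhidden from the Excel UI, a common dropper trick.
                state = sheet.get("state", "visible")
                if state != "visible":
                    findings["hidden_sheets"].append((sheet.get("name"), state))
    findings["suspicious"] = findings["has_vba"] and bool(findings["hidden_sheets"])
    return findings


if __name__ == "__main__":
    print(triage_workbook(build_sample_workbook(hidden_sheets=True, with_vba=True)))
    print(triage_workbook(build_sample_workbook(hidden_sheets=False, with_vba=False)))
```

The check deliberately stops short of parsing the VBA stream itself; its purpose is a cheap first-pass filter at a mail gateway or in a sandbox queue, where a workbook with both a VBA project and sheets the user cannot see warrants deeper analysis.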

The Ferocious dropper uses a living-off-the-land (LotL) technique, COM hijacking, to attain persistence and launch a PowerShell script called LitePower. LitePower is the downloader and secondary stager; it connects to remote C2 servers hosted in Estonia and Ukraine and, while awaiting further commands, can launch additional malware against the compromised systems.
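COM hijacking persistence works by registering a COM server under the per-user hive (HKCU\Software\Classes\CLSID\{clsid}\InprocServer32), which a non-elevated process consults before the machine-wide HKLM registration. The script below is an added example (not from the article or from any vendor's tooling) of how a responder might hunt for that pattern in a registry export: it parses a constructed .reg-style dump with placeholder CLSIDs and flags user-scope registrations, scoring higher when the entry shadows an HKLM entry or points to a user-writable path. The function names, the sample export, and the path heuristics are assumptions.

```python
import re

# Constructed registry export (.reg style) with placeholder CLSIDs; not real data.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\example.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\loader.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{22222222-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\VendorApp\\vendor.dll"
"""

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})\\(InprocServer32|LocalServer32)$",
                      re.IGNORECASE)
# Heuristic for locations a standard user can write to (assumption, tune per environment)
USER_WRITABLE = re.compile(r"(\\Users\\[^\\]+\\|\\AppData\\|\\Temp\\|\\ProgramData\\)",
                           re.IGNORECASE)


def parse_reg_export(text: str) -> dict:
    """Return {(hive, subkey): {value_name: data}} for a .reg-style export.
    '@' is the key's default value; .reg data strings escape backslashes as '\\\\'."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            current = (m.group(1), m.group(2))
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def find_com_hijacks(keys: dict) -> list:
    """Flag per-user COM server registrations. For non-elevated processes Windows
    resolves a CLSID from HKCU\\Software\\Classes before HKLM, so a user-scope
    InprocServer32 silently overrides the machine-wide one; combined with a DLL in a
    user-writable path, that is the COM-hijacking persistence pattern."""
    machine, user = {}, {}
    for (hive, subkey), values in keys.items():
        m = CLSID_RE.search(subkey)
        if not m:
            continue
        ident = (m.group(1).upper(), m.group(2))
        target = values.get("(Default)", "")
        if hive == "HKEY_LOCAL_MACHINE":
            machine[ident] = target
        elif hive == "HKEY_CURRENT_USER":
            user[ident] = target
    findings = []
    for (clsid, server_type), target in user.items():
        reasons = ["user-scope COM registration"]
        if (clsid, server_type) in machine:
            reasons.append(f"shadows HKLM entry {machine[(clsid, server_type)]}")
        if USER_WRITABLE.search(target):
            reasons.append("server path is user-writable")
        findings.append({"clsid": clsid, "server": server_type, "target": target,
                         "reasons": reasons, "score": len(reasons)})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in find_com_hijacks(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding["score"], finding["clsid"], finding["target"], finding["reasons"])
```

A user-scope COM registration is not malicious by itself (per-user installers create them legitimately), which is why the script ranks rather than blocks: an entry that both shadows a machine registration and loads from a profile directory is the one worth pulling the DLL for.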

Finally, the analysts stated that the WIRTE threat group has modified its toolset and operating style to remain stealthy for as long as needed. Adopting living-off-the-land (LotL) techniques is a notable move for the group, in particular the use of VBS and PowerShell scripts to make its toolset more flexible and to evade detection.
