WIRTE Hacker Group Attacks Government, Legal, and Financial Institutions in the Middle East

Stealth Malware Campaign Targets Middle Eastern Entities

A sophisticated malware campaign has been uncovered, targeting government bodies, military organizations, law firms, and financial institutions predominantly in the Middle East. Initiated as early as 2019, the campaign leverages malicious Microsoft Excel and Word documents to infiltrate victim networks.

Kaspersky, a Russian cybersecurity firm, has reliably attributed these attacks to a threat actor known as WIRTE. According to their analysis, the initial phases of the intrusions are executed through “MS Excel droppers,” which utilize hidden spreadsheets and Visual Basic for Applications (VBA) macros. This initial implant, a Visual Basic Script (VBS), is engineered to gather system information and execute arbitrary code provided by the attackers.

Through their investigation, researchers have posited, albeit with low confidence, a potential link between WIRTE and the politically motivated group known as the Gaza Cybergang. Victims have been recorded across several countries in the region, including Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey.

Kaspersky’s researcher Maher Yamout noted that WIRTE operatives employ relatively basic tactics, techniques, and procedures (TTPs) that have allowed them to operate under the radar for an extended duration. Their methods, while simplistic, exhibit a level of operational security that surpasses that of other related groups. The campaign’s infection process typically involves the delivery of decoy Microsoft Office documents through spear-phishing campaigns that capitalize on themes pertinent to Palestinian affairs and other trending topics.

The Excel droppers are specifically programmed to execute harmful macros aimed at downloading and installing a secondary implant identified as “Ferocious.” Similarly, the Word document versions employ VBA macros for the same purpose, utilizing a combination of VBS and PowerShell scripts. The Ferocious dropper exploits a living-off-the-land (LotL) technique known as COM hijacking to achieve persistence within the target systems. This method facilitates the execution of a PowerShell script referred to as LitePower.
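COM hijacking for persistence typically means registering a CLSID under the current user's hive, where it overrides the machine-wide registration for the same class and gets loaded by whatever legitimate process next instantiates that class. The article does not name the CLSID or server path WIRTE used, so the following defender-side check is an added example (not code from the article or from Kaspersky's report): it walks HKCU:\Software\Classes\CLSID and flags per-user server registrations that point at a script host or LOLBin, live in a user-writable directory, or shadow an HKLM registration. The host names and directories it treats as suspicious are assumptions chosen for illustration.

```powershell
# Added example: hunt for per-user COM server registrations of the shape used
# for COM-hijack persistence. Run as the user whose hive you want to inspect.

function Find-UserComHijack {
    param(
        # Interpreters and proxy binaries that should not normally serve a COM class (assumed list)
        [string[]]$SuspiciousHosts = @('wscript.exe','cscript.exe','powershell.exe','pwsh.exe',
                                       'mshta.exe','rundll32.exe','regsvr32.exe','cmd.exe'),
        # Directories a non-admin user can write to (assumed list; extend for your environment)
        [string[]]$UserWritableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
                                         $env:PUBLIC, "$env:USERPROFILE\Downloads")
    )

    $root = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $root)) { return @() }   # nothing registered per-user

    foreach ($clsidKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        foreach ($serverType in 'InprocServer32', 'LocalServer32') {
            $serverKey = Join-Path -Path $clsidKey.PSPath -ChildPath $serverType
            if (-not (Test-Path $serverKey)) { continue }

            # The default value of InprocServer32/LocalServer32 is the DLL or command to load
            $command = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($command)) { continue }
            $expanded = [Environment]::ExpandEnvironmentVariables($command)

            $reasons = @()
            foreach ($h in $SuspiciousHosts) {
                if ($expanded -match [regex]::Escape($h)) { $reasons += "script/LOLBin host: $h" }
            }
            foreach ($dir in ($UserWritableRoots | Where-Object { $_ })) {
                if ($expanded.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "user-writable path: $dir"
                }
            }
            # A per-user entry that duplicates a machine-wide CLSID is the classic hijack shape:
            # HKCU is consulted first, so the user-level server silently wins.
            $hklmKey = "HKLM:\Software\Classes\CLSID\$($clsidKey.PSChildName)\$serverType"
            if (Test-Path $hklmKey) { $reasons += 'shadows an HKLM registration' }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    CLSID   = $clsidKey.PSChildName
                    Server  = $serverType
                    Command = $command
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

Find-UserComHijack | Format-Table -AutoSize
```

Everything this returns needs triage, not automatic removal: legitimate per-user installers (browsers, chat clients) also register classes under HKCU, so a hit on the user-writable-path rule alone is common. A hit that combines an HKLM shadow with a script host or an unsigned DLL in %APPDATA% is the one worth pulling the file and the registering process for. To cover other users on the machine, run the same walk against each loaded hive under HKU: rather than only HKCU.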

LitePower functions as a downloader and secondary staging mechanism, establishing a connection to remote command-and-control servers situated in Ukraine and Estonia, some of which have been operational since December 2019. This enables the attackers to await and receive further commands, potentially facilitating the deployment of additional malware.

Yamout concluded that WIRTE has fine-tuned its toolset and operational methods to maintain a low profile over time. The incorporation of LotL techniques represents a significant evolution in their strategic approach. By leveraging interpreted language malware such as VBS and PowerShell scripts, WIRTE enhances its flexibility and adaptability, making it challenging for static detection systems to identify their activities.

In summary, the WIRTE malware campaign underscores the shifting landscape of cyber threats, particularly those aimed at geopolitical entities in the Middle East. As businesses and organizations grapple with these evolving risks, understanding the tactics such groups use, mapped to frameworks like the MITRE ATT&CK matrix, becomes crucial to an effective security posture and response plan.
