Government entities in the Middle East are the target of new phishing campaigns that are designed to deliver a new initial access downloader dubbed IronWind.
The activity, detected between July and October 2023, has been attributed by Proofpoint to a threat actor it tracks under the name TA402, which is also known as Molerats, Gaza Cyber Gang, and shares tactical overlaps with a pro-Hamas hacking crew known as APT-C-23 (aka Arid Viper).
“When it comes to state-aligned threat actors, North Korea, Russia, China, and Iran generally reap the lion’s share of attention,” Joshua Miller, senior threat researcher at Proofpoint, said in a statement shared with The Hacker News.
“But TA402, a Middle Eastern advanced persistent threat (APT) group that historically has operated in the interests of the Palestinian Territories, has consistently proven to be an intriguing threat actor capable of highly sophisticated cyber espionage with a focus on intelligence collection.”
Coinciding with the use of IronWind are consistent updates to its malware delivery mechanisms, using Dropbox links, XLL file attachments, and RAR archives to distribute IronWind.
The use of IronWind is a shift from prior attack chains, which were linked to the propagation of a backdoor codenamed NimbleMamba in intrusions targeting Middle Eastern governments and foreign policy think tanks.
TA402’s latest campaigns are characterized by the use of a compromised email account belonging to the Ministry of Foreign Affairs to send phishing lures pointing to Dropbox links that facilitate the deployment of IronWind.
The downloader is engineered to contact an attacker-controlled server to fetch additional payloads, including a post-exploitation toolkit called SharpSploit, following a multi-stage sequence.
Subsequent social engineering campaigns in August and October 2023 have been found to leverage XLL file and RAR archive attachments embedded in email messages to trigger the deployment of IronWind. Another notable tactic employed by the group is the reliance on geofencing techniques to complicate detection efforts.
“The ongoing conflict in the Middle East does not appear to have hindered their ongoing operations, as they continue to iterate and use new and clever delivery methods to bypass detection efforts,” Miller said.
“Using complex infection chains and drumming up new malware to attack their targets, TA402 continues to engage in extremely targeted activity with a strong focus on government entities based in the Middle East and North Africa.”
The development comes as Cisco Talos revealed that cybercriminals have been observed exploiting the “Release scores” feature of Google Forms quizzes to deliver email and orchestrate elaborate cryptocurrency scams, highlighting the creative ways threat actors resort to in order to meet their objectives.
“The emails originate from Google’s own servers and consequently may have an easier time bypassing anti-spam protections and finding the victim’s inbox,” security researcher Jaeson Schultz said last week.