Woburn, MA – October 30, 2017 – Kaspersky Lab experts are registering important changes in the operations of the infamous Gaza Team Cybergang, which is actively targeting multiple commercial and government organizations in the Middle East and Africa (MENA) region. While the group has been active in the threat landscape for several years, it has upgraded its arsenal in 2017 with new malicious tools.
The Gaza Team Cybergang has been attacking government embassies, diplomats and politicians, as well as oil and gas organizations and the media in the MENA region on a continuous basis since at least 2012, with new malware samples detected regularly. In 2015, Kaspersky Lab researchers reported on the gang’s activity after seeing a significant shift in its malicious operations. On this occasion, the attackers were spotted targeting IT and incident response personnel in an attempt to gain access to legitimate security assessment tools and significantly decrease visibility of their activity in the attacked networks. In 2017, Kaspersky Lab researchers have captured another surge of Gaza Team Cybergang activity.
The target profile and geography remain unchanged in these new attacks, but the scale of Gaza Team Cybergang’s operations has expanded. The actor has been spotted seeking out any type of intelligence across the MENA region, which was not previously the case. What is more important: the attack tools have become more sophisticated – with the group developing topical, geopolitical spearphishing documents used to deliver malware to targets, and using exploits to a relatively recent vulnerability, CVE 2017-0199 in Microsoft Access. They are also potentially using Android spyware.
The intruders perform their malicious activities by sending emails containing various RATs (Remote Access Trojans) in fake office documents, or URLs to a malicious page. When these are executed, the victim is infected with malware that subsequently enables the attackers to collect files, keystrokes and screenshots from the victim's devices. If the victim detects the initially downloaded malware, the downloader tries to install other files on the victim’s device in an attempt to bypass detection.
Further Kaspersky Lab investigation suggests the potential use of mobile malware by the hacking group: some of the file names found during the analysis of Gaza Team Cybergang activity look to be Android Trojan-related. These upgrades in attack techniques have allowed Gaza Team Cybergang to bypass security solutions and manipulate the victim’s system for prolonged periods.
“The continuing activity of Gaza Team, which we have observed for several years already, shows that the situation in the MENA region is far from safe when it comes to cyber espionage threats,” said David Emm, security expert at Kaspersky Lab. “Due to significant improvements in the group’s techniques, we expect the quantity and quality of Gaza Cybergang attacks to intensify in the near future. People and organizations that fall into their target scope should be more cautious when online.”
Kaspersky Lab products successfully detect and block attacks conducted using these techniques.
In order to prevent falling victim to such an attack, Kaspersky Lab recommends implementing the following measures:
More details of the Gaza Team Cybergang campaign can be found in the Securelist blog.
About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company celebrating its 20 year anniversary in 2017. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
For the latest in-depth information on security threat issues and trends, please visit:
Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter
Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter