Generated with sparks and insights from 10 sources

img10

img11

img12

img13

img14

img15

Introduction

  • Gaza Cybergang is a politically motivated Arabic-language cyberthreat actor, primarily targeting the Middle East North Africa (MENA) region, especially Palestinian entities.

  • The group has been active since at least 2012 and is suspected to be aligned with Hamas.

  • Gaza Cybergang is composed of several sub-groups, including Molerats (Group 1), Arid Viper (Group 2), and the group behind Operation Parliament (Group 3).

  • The group has been involved in various cyber espionage campaigns, using malware such as Micropsia and Pierogi++.

  • Recent activities from 2022 to 2023 show a sustained focus on targeting Palestinian entities, with no significant changes in dynamics since the start of the Israel-Hamas war.

  • Gaza Cybergang has upgraded its malware arsenal with a backdoor called Pierogi++, first used in 2022.

  • The group uses a variety of techniques, including phishing, social engineering, and the deployment of remote access Trojans (RATs).

  • The group's activities are likely aligned with the tensions between the Hamas and Fatah factions.

Sub-Groups [1]

  • Gaza Cybergang Group 1: Also known as Molerats, this group is considered the least sophisticated and relies heavily on paste sites for malware distribution.

  • Gaza Cybergang Group 2: Known as Arid Viper or Desert Falcons, this group has medium-level sophistication and has been involved in various targeted attacks.

  • Gaza Cybergang Group 3: The most sophisticated group, previously known for Operation Parliament, which targets high-profile entities.

  • The groups share victims, tools, and techniques, indicating a high level of coordination.

  • Group 1 often deploys scripts to infect victims with malware belonging to Group 2 or Group 3.

img10

Recent Activities [2]

  • From late 2022 to late 2023, Gaza Cybergang introduced a new backdoor called Pierogi++.

  • The group has consistently targeted Palestinian entities, using malware such as Micropsia and Pierogi++.

  • The group's activities have not significantly changed in intensity or characteristics since the onset of the Israel-Hamas war.

  • Recent campaigns have involved the use of politically-themed decoy documents to deliver malware.

  • The group continues to evolve its malware arsenal, indicating a sustained investment in cyber espionage capabilities.

img10

img11

img12

Malware Arsenal [2]

  • Pierogi++: An upgraded backdoor first used in 2022, based on the older Pierogi malware.

  • Micropsia: A family of malware used by Gaza Cybergang, with variants implemented in Delphi and Python.

  • BarbWire: A backdoor used in Operation Bearded Barbie, targeting Israeli officials.

  • SharpStage and DropBook: Malware used in conjunction with Pierogi in Arid Viper operations.

  • LastConn: An updated version of SharpStage, used in TA402 activities.

img10

img11

img12

img13

img14

img15

Techniques and Tactics [1]

  • Phishing: The group uses politically-themed phishing emails to lure victims.

  • Social Engineering: Techniques to trick victims into executing malware.

  • Remote Access Trojans (RATs): Used to gain persistent access to victim systems.

  • Chained Attack Stages: Multiple stages of infection to evade detection.

  • Use of Paste Sites: For distributing malware and maintaining command and control.

img10

img11

img12

Victimology [1]

  • Primary Targets: Palestinian entities, including government, education, media, and political personnel.

  • Geographical Spread: Victims are spread across 39 countries, with the majority in the Palestinian Territories, Jordan, Israel, and Lebanon.

  • Targeted Sectors: Embassies, government entities, education, media outlets, journalists, activists, political parties, healthcare, and banking.

  • Phishing Themes: Political themes are commonly used to lure victims.

  • Victim Data: Collected data includes sensitive documents such as PDFs, DOCs, and XLS files.

img10

img11

img12

img13

img14

Historical Campaigns [2]

  • Operation Bearded Barbie: A campaign targeting Israeli officials, attributed to Arid Viper.

  • Big Bang Campaign: An operation from 2018 targeting Palestinian entities, loosely associated with Gaza Cybergang.

  • Operation Parliament: A high-sophistication campaign targeting high-profile entities, attributed to Group 3.

  • SneakyPastes: A campaign by Group 1 using paste sites to distribute malware.

  • Desert Falcons: Targeted attacks by Group 2, focusing on Middle Eastern entities.

img10

Related Videos

<br><br>

<div class="-md-ext-youtube-widget"> { "title": "Israel-Hamas War: 'Indian Cyber Force' Claims It Hacked ...", "link": "https://www.youtube.com/watch?v=5RLS7C6vNJs", "channel": { "name": ""}, "published_date": "Oct 10, 2023", "length": "" }</div>