Hamas-Linked Hackers Add Insurance and Retail to Target List (Security News, March 2020)
MoleRATs, a politically-motivated threat actor apparently linked to the Palestinian terrorist organization Hamas, has expanded its target list to include insurance and retail industries, Palo Alto Networks' security researchers report.
Spear-phishing emails were used to deliver malicious documents - mostly Word documents, but also one PDF - which in turn attempted to trick the intended victim into enabling content so that a macro would run, or lured them into clicking a link that downloaded a malicious payload. The Spark backdoor was used in most of these attacks; it allows the attackers to open applications and run command line commands on the compromised system.
To avoid detection and impede analysis, the hackers password-protected the delivery documents, ensured that the Spark payload would only run on systems with an Arabic keyboard and locale, and also obfuscated the payloads using the commercial packer Enigma.
The PDF document observed in one of the attacks contained a message meant to coerce the recipient into clicking a link that would fetch the malicious payload. A blackmail-like approach is employed: the victim is told that the attacker has compromising pictures of them and intends to release them to the media.
The security researchers were able to identify code connections between the delivery documents, which then led them to the discovery of additional documents and of the domain infrastructure employed by the attackers.