Gaza Cyber-Attackers Single Out IT and Incident Response Teams

A politically motivated cybercrime group from the Middle East has recently begun turning its attention to IT and incident response (IR) staff in a bid to gain privileged access to target networks.

The ‘Gaza cybergang’ was first discovered back in 2012, but activity has increased in the second quarter of this year, according to Kaspersky Lab.

The group normally operates in the Middle East and North Africa (MENA) – particularly Egypt, the United Arab Emirates and Yemen.

The Russian security vendor claimed in a blog post that the group is now sending malicious files to IT and IR staff, with file names “which reflect the IT functions or IR tools used in cyber-attack investigations.”

“IT people are known for having more access and permissions inside their organizations than other employees, mainly because they need to manage and operate the infrastructure. This is why getting access to their devices could be worth a lot more than for a normal user,” the vendor revealed.

“IR people are also known for having access to sensitive data related to ongoing cyber investigations in their organizations, in addition to special access and permissions enabling them to hunt for malicious or suspicious activities on the network.”

The group favors remote access Trojans (RATs) such as XtremeRAT and PoisonIvy, and uses specially chosen file names, content and domains designed to trick users into clicking through from spear-phishing emails, which begins a covert malware download.

It’s particularly interested in targeting government bodies, especially embassies, where security is not always as tight as it should be, Kaspersky Lab claimed.

The group, also known as Molerats, was reported by FireEye to have expanded its horizons significantly last year, launching attacks on government targets in the UK and Europe and even the BBC.

In one particular campaign they tried to evade detection by signing malware with a forged Kaspersky Lab certificate.
