Pro-Palestine APT Group Uses Novel Downloader in New Campaign

A Middle Eastern advanced persistent threat (APT) group launched a new series of targeted cyber-espionage attacks from July to October 2023, using a new initial access downloader dubbed IronWind, according to Proofpoint.

The security vendor identified the actor as TA402 (aka Molerats, Gaza Cybergang, Frankenstein, WIRTE), which it said supports Palestinian intelligence gathering objectives.

Although active since 2020, the group’s latest campaign showed signs of new tactics – notably the use of IronWind as part of a “labyrinthine” infection chain.

“TA402 utilized three variations of this infection chain—Dropbox links, XLL file attachments, and RAR file attachments—with each variant consistently leading to the download of a DLL containing the multifunctional malware,” Proofpoint explained.

“In these campaigns, TA402 also pivoted away from its use of cloud services like Dropbox API, which Proofpoint researchers observed in activity from 2021 and 2022, to using actor-controlled infrastructure for C2 [command-and-control] communication.”

Read more on Middle Eastern threats: Growing Concern Over Role of Hacktivism in Israel-Hamas Conflict

The phishing emails themselves were sent from a compromised Ministry of Foreign Affairs account to target various Middle Eastern government entities using a spoofed Gulf Cooperation Council lure.

In July, the group used a Dropbox link in the phishing email to download a malicious Microsoft PowerPoint Add-in (PPAM) file. This file in turn contained a macro that dropped three files – one of which sideloaded IronWind.

In August, TA402 switched to sending an attached XLL file to load IronWind. Then, in October, it changed tack again, sending a RAR file attachment that contained a renamed version of tabcal.exe to sideload IronWind instead of using a malicious PPAM file delivered via Dropbox or an attached XLL file.

That last phishing campaign used the war in Gaza as a lure for the first time.

“Currently, TA402 only appears to be using the conflict for lure purposes,” Proofpoint said. “Additionally, TA402 continues to phish, indicating the conflict has not significantly disrupted the group’s operations.”