Hamas-affiliated WIRTE uses SameCoin Wiper to launch devastating attacks on Israel

November 13, 2024Ravi LakshmananThreat Intelligence / Cyber ​​Espionage

A threat actor linked to Hamas has expanded its malicious cyber operations beyond espionage to launch disruptive attacks exclusively targeting Israeli organizations.

The activity, attributed to a group named WIRTE, has also targeted the Palestinian Authority, Jordan, Iraq, Saudi Arabia and Egypt, according to an analysis by Check Point.

“The (Israel-Hamas) conflict has not disrupted WIRTE’s operations, and they continue to use recent developments in the region in their espionage operations,” the company said. “In addition to espionage, the threat actor has recently engaged in at least two waves of sabotage attacks against Israel.”

WIRTE is the alias assigned to a Middle Eastern advanced persistent threat (APT) that has been active since at least August 2018 and targets a wide range of entities across the region. It was first documented by the Spanish cyber security company S2 Grupo.

The hacking team is believed to be part of a politically motivated group called the Gaza Cyber Gang (aka Molerats and TA402), the latter of which is known for using tools like BarbWire, IronWind and Pierogi in its attack campaigns.

“The activity of this cluster continued throughout the war in Gaza,” the Israeli company said. “On the one hand, the group’s ongoing activities reinforce its affiliation with Hamas; on the other hand, it complicates the geographical attribution of this activity specifically to Gaza.”

WIRTE’s activity in 2024 has been found to capitalize on geopolitical tensions in the Middle East and the war to craft deceptive RAR archives that lead to the deployment of the Chaos post-exploitation framework. Alternative chains observed until September 2024 used similar RAR archives to deliver the IronWind loader.

Both of these infection sequences use a legitimate executable to sideload a malicious DLL and display a decoy PDF document to the victim.

Check Point said it also observed a phishing campaign in October 2024 against several Israeli organizations, such as hospitals and municipalities, where emails were sent from a legitimate address belonging to ESET’s cybersecurity partner in Israel.

“The email contained a newly created version of the SameCoin Wiper, which was deployed during the attacks on Israel earlier this year,” it said. “Apart from minor changes to the malware, the new version introduces a unique encryption feature that was (…) found only in the latest version of the IronWind bootloader.”

In addition to overwriting files with random bytes, the latest version of the SameCoin wiper changes the victim system’s desktop background to display an image bearing the name of the Al-Qassam Brigades, the military wing of Hamas.

SameCoin is a custom wiper that was discovered in February 2024 in use by a Hamas-linked threat actor to sabotage Windows and Android devices. The malware was distributed under the guise of a security update.

According to HarfangLab, the Windows loader samples (“INCD-SecurityUpdate-FEB24.exe”) had their timestamps altered to match October 7, 2023, the day Hamas began its surprise attack on Israel. An email purporting to be from the Israel National Cyber Directorate (INCD) is believed to be the initial access vector.

“Despite the ongoing conflict in the Middle East, the group continued to conduct multiple campaigns, demonstrating a versatile toolset that includes wipers, backdoors and phishing pages used for both espionage and sabotage,” Check Point concluded.
