Hamas-Affiliated WIRTE Employs SameCoin Wiper in Disruptive Attacks Against Israel
Summary:
The Hamas-affiliated threat group WIRTE, part of the Gaza Cyber Gang, has escalated its cyber operations, moving from espionage to destructive attacks aimed at Israeli entities. According to Check Point, this shift reflects WIRTE’s use of recent geopolitical events, specifically the Israel-Hamas conflict, to craft targeted cyber campaigns. The group has also targeted the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt, broadening its regional impact. WIRTE, which has been active since at least 2018, utilizes sophisticated techniques, such as distributing malware through RAR archives that lead to the deployment of the Havoc post-exploitation framework. The group also uses alternate infection chains, leveraging RAR archives to deliver IronWind, a downloader linked to its operations. These attacks commonly use legitimate executables to sideload malicious DLLs, ultimately displaying decoy PDF documents to victims.
In October 2024, WIRTE launched a phishing campaign targeting Israeli hospitals and municipalities by sending emails from a legitimate address associated with an ESET partner in Israel. These emails contained an updated version of the SameCoin Wiper, malware initially seen earlier in 2024. This version includes unique encryption functions found in newer IronWind loader variants and overwrites files with random bytes, while also changing victims' desktop backgrounds to display an image with the Al-Qassam Brigades insignia, signaling affiliation with Hamas’s military wing.
Security Officer Comments:
SameCoin, a custom-built wiper developed by Hamas-linked cyber actors, was first discovered in February 2024. It is distributed under the guise of security updates and can target both Windows and Android devices. For instance, a Windows loader sample was timestamped to align with October 7, 2023—the date of Hamas’s surprise attack on Israel. These attacks typically gain initial access through emails impersonating the Israeli National Cyber Directorate. Despite the ongoing conflict, WIRTE has maintained a steady cadence of attacks, deploying a versatile toolkit that includes wipers, backdoors, and phishing pages, used both for espionage and sabotage purposes.
Suggested Corrections:
IOCs:
https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/
https://thehackernews.com/2024/11/hamas-affiliated-wirte-employs-samecoin.html
https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/
The Hamas-affiliated threat group WIRTE, part of the Gaza Cyber Gang, has escalated its cyber operations, moving from espionage to destructive attacks aimed at Israeli entities. According to Check Point, this shift reflects WIRTE’s use of recent geopolitical events, specifically the Israel-Hamas conflict, to craft targeted cyber campaigns. The group has also targeted the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt, broadening its regional impact. WIRTE, which has been active since at least 2018, utilizes sophisticated techniques, such as distributing malware through RAR archives that lead to the deployment of the Havoc post-exploitation framework. The group also uses alternate infection chains, leveraging RAR archives to deliver IronWind, a downloader linked to its operations. These attacks commonly use legitimate executables to sideload malicious DLLs, ultimately displaying decoy PDF documents to victims.
In October 2024, WIRTE launched a phishing campaign targeting Israeli hospitals and municipalities by sending emails from a legitimate address associated with an ESET partner in Israel. These emails contained an updated version of the SameCoin Wiper, malware initially seen earlier in 2024. This version includes unique encryption functions found in newer IronWind loader variants and overwrites files with random bytes, while also changing victims' desktop backgrounds to display an image with the Al-Qassam Brigades insignia, signaling affiliation with Hamas’s military wing.
Security Officer Comments:
SameCoin, a custom-built wiper developed by Hamas-linked cyber actors, was first discovered in February 2024. It is distributed under the guise of security updates and can target both Windows and Android devices. For instance, a Windows loader sample was timestamped to align with October 7, 2023—the date of Hamas’s surprise attack on Israel. These attacks typically gain initial access through emails impersonating the Israeli National Cyber Directorate. Despite the ongoing conflict, WIRTE has maintained a steady cadence of attacks, deploying a versatile toolkit that includes wipers, backdoors, and phishing pages, used both for espionage and sabotage purposes.
Suggested Corrections:
IOCs:
https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
https://thehackernews.com/2024/11/hamas-affiliated-wirte-employs-samecoin.html
https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/