A group of pro-Hamas attackers known as the Gaza Cybergang is using a new variation of the Pierogi++ backdoor malware to launch attacks on Palestinian and Israeli targets.
According to research from Sentinel Labs, the backdoor is based on the C++ programming language and has been used in campaigns between 2022 and 2023.
The attackers have also been using the Micropsia malware in recent hacking campaigns across the Middle East.
Distributing the Malware

The hackers distributed the Pierogi++ malware using archive files and malicious Office documents that discussed Palestinian topics in both English and Arabic.
These contained Windows artifacts such as scheduled tasks and utility applications, which included malware-ridden macros designed to spread the Pierogi++ backdoor.
Milenkoski tells Dark Reading that the Gaza Cybergang used phishing attacks and social media-based engagements to circulate the malicious files.
The Original Pierogi

This new malware strain is an updated version of the Pierogi backdoor, which researchers at Cybereason identified nearly five years ago.
The main difference between the original Pierogi backdoor and the newer variant is that the former uses the Delphi and Pascal programming languages, while the latter uses C++. Older variations of this backdoor also used Ukrainian backdoor commands 'vydalyty', 'Zavantazhyty', and 'Ekspertyza'.
Pierogi++ uses the English strings 'download' and 'screen'.
The use of Ukrainian in the previous versions of Pierogi may have suggested external involvement in the creation and distribution of the backdoor, but Sentinel Labs doesn't believe this is the case for Pierogi++.
Sentinel Labs observed that, despite some differences, both variants share similarities in code and functionality.
The shared traits include identical spoofed documents, reconnaissance tactics, and malware strings.
Hackers can use both backdoors for screenshotting, downloading files, and executing commands.
Although Gaza Cybergang has been active in the Middle East for more than a decade, the exact physical location of its hackers is still unknown.
Based on previous intelligence, Milenkoski believes they are likely dispersed throughout the Arabic-speaking world in places like Egypt, Palestine, and Morocco.
This Cyber News was published on www.darkreading.com. Publication date: Fri, 15 Dec 2023 18:55:17 +0000