WIRTE, a stealthy hacking group, has been tied to an operation targeting governments with malicious Excel 4.0 macros since 2019. High-profile governmental and private enterprises in the Middle East are the principal targets, although researchers have also found targets in other regions.
Kaspersky examined the campaign, toolset, and methodology and concluded that WIRTE has pro-Palestinian motivations and is suspected of being part of the ‘Gaza Cybergang.’ WIRTE, however, has better OpSec and stealthier procedures than the other associated hacking groups, and it can evade detection for longer periods.
WIRTE’s phishing emails carry Excel spreadsheets that run malicious macros on recipients’ computers, downloading and installing malware payloads. While WIRTE’s primary targets are governments and diplomatic institutions, Kaspersky has also seen attacks on a range of companies across the Middle East and elsewhere.
According to Kaspersky’s report, the threat actor has targeted a wide range of verticals, including diplomatic and financial institutions, government, law firms, military organizations, and technology companies. The countries affected include Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey.
The malicious documents are designed to attract the victim’s attention: they carry logos and themes that resemble businesses, authorities, or the targeted organization itself. The Excel dropper first runs a sequence of formulas in a hidden column, which hides the “allow editing” request from the original file and reveals a secondary spreadsheet containing the decoy.
The dropper then runs the following anti-sandbox checks using formulas in a third spreadsheet with hidden columns:
- Check whether a mouse is present
- Retrieve the environment’s name
- Check whether the host computer can play sounds
If all the checks pass, the macro creates a VBS script with an embedded PowerShell snippet and adds two registry entries for persistence. The macro then writes a PowerShell script with VB code to %ProgramData%. This snippet is the ‘LitePower’ stager, which accepts commands from the C2 and downloads payloads.
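As an added illustration (not code from Kaspersky’s report or from this article), the following Python triage routine scans formulas dumped from an Excel 4.0 macro sheet for the three environment probes listed above together with the drop-and-execute stage. The GET.WORKSPACE argument numbers are taken from the public Excel 4.0 macro function reference, and the sample formulas are constructed to mirror the described flow.

```python
import re
from dataclasses import dataclass, field

# Excel 4.0 (XLM) GET.WORKSPACE argument numbers behind the three
# anti-sandbox checks the article describes. These mappings come from the
# public Excel 4.0 macro function reference, not from the article.
WORKSPACE_CHECKS = {
    1: "environment name (platform/version)",
    19: "mouse present",
    42: "can play sounds",
}

# Heuristics for the drop/exec stage (constructed, not report indicators).
STAGE_PATTERNS = {
    "writes under ProgramData": re.compile(r"ProgramData", re.I),
    "PowerShell in formula": re.compile(r"powershell", re.I),
    "VBS script dropped": re.compile(r"\.vbs\b", re.I),
    "registry persistence": re.compile(r"HKCU|HKLM|CurrentVersion\\Run", re.I),
}

GET_WS = re.compile(r"GET\.WORKSPACE\(\s*(\d+)\s*\)", re.I)


@dataclass
class Verdict:
    sandbox_checks: list = field(default_factory=list)
    stage_hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Two or more environment probes plus at least one drop/exec hint.
        return len(self.sandbox_checks) >= 2 and len(self.stage_hits) >= 1


def scan_formulas(cells):
    """cells: iterable of (sheet, cell, formula) tuples from an XLM dumper."""
    verdict = Verdict()
    for sheet, cell, formula in cells:
        for arg in GET_WS.findall(formula):
            if int(arg) in WORKSPACE_CHECKS:
                verdict.sandbox_checks.append((f"{sheet}!{cell}", WORKSPACE_CHECKS[int(arg)]))
        for label, pattern in STAGE_PATTERNS.items():
            if pattern.search(formula):
                verdict.stage_hits.append((f"{sheet}!{cell}", label))
    return verdict


# Constructed sample: checks on a hidden sheet, then a VBS drop with PowerShell.
SAMPLE = [
    ("Sheet3", "AA1", '=IF(GET.WORKSPACE(19),GOTO(AA2),CLOSE(FALSE))'),
    ("Sheet3", "AA2", '=IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),GOTO(AA3),CLOSE(FALSE))'),
    ("Sheet3", "AA3", '=IF(GET.WORKSPACE(42),GOTO(AA4),CLOSE(FALSE))'),
    ("Sheet3", "AA4", '=FOPEN("C:\\ProgramData\\update.vbs",3)'),
    ("Sheet3", "AA5", '=FWRITELN(AA4,"powershell -w hidden")'),
]
```

Feeding real dumper output to `scan_formulas` and alerting on `Verdict.suspicious` flags the probe-then-drop pattern without relying on any single string.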
The operators have hidden the real IP addresses of their C2 domains behind Cloudflare, but Kaspersky was still able to identify some of them and found that they are hosted in Ukraine and Estonia. Many of these domains date back to at least December 2019, showing WIRTE’s ability to stay undetected, unanalyzed, and unreported for long periods.
As in a Lab52 analysis from 2019, the most recent intrusions use TCP/443 over HTTPS for C2 communication, though they also use TCP ports 2096 and 2087. Another resemblance to that earlier campaign is the script’s sleep function, which waits between 60 and 100 seconds.
WIRTE has been seen tentatively expanding its target scope to include financial institutions and large private companies, which may be the result of trial and error or a gradual shift in focus. Even though the group’s TTPs are mundane and straightforward, Kaspersky warns that they remain quite effective at achieving its objectives.