A new Middle Eastern APT group has resurfaced, after a two-month period of silence, with new attacks on governments and global organizations in the region.
Security firm Proofpoint said that, based on its analysis of previous campaigns and targeting, the campaign was carried out by a politically motivated actor it tracks as TA402. Also known as Molerats and GazaHackerTeam, TA402 is accused of carrying out operations with motives that align with the military or Palestinian state goals.
Besides governments, the threat actor has a decade-long history of striking organizations in various industries, including technology, media, telecommunications, and finance.
It’s not clear why the gang stopped operating for two months, but security researchers theorized that the current military conflict in the region might have affected its decisions.
Proofpoint researchers said the latest wave of spear-phishing attacks began with emails containing Arabic text and PDF attachments that carry a malicious geo-fenced URL. The attackers selectively target individuals in Middle Eastern countries: the link leads victims to a password-protected archive only if the visitor's IP address is in the Middle East region.
Recipients from outside of the target region are redirected to a benign decoy website that is typically an Arabic language news site.
The attackers rely on two anti-detection mechanisms, password protection and geo-fenced delivery:
“The password protection of the malicious archive and the geo-fenced delivery method are two easy anti-detection mechanisms threat actors can use to bypass automatic analysis products,” the researchers said.
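The password-protection trick works because an automated pipeline that cannot open the archive has nothing to detonate. One defensive response is to detect that condition at the mail gateway and route such attachments to manual review rather than letting them pass unexamined. The following helper is an added example written for this article, not code from Proofpoint or from the reporting above; the sample archive it builds is constructed in memory, and the encryption flag is merely set on it for demonstration (nothing is actually encrypted).

```python
import io
import zipfile
from typing import List


def encrypted_entries(archive_bytes: bytes) -> List[str]:
    """Names of entries whose general-purpose flag bit 0 is set, i.e. entries
    marked as encrypted (traditional PKWARE or AES). Only the central
    directory is read, so no extraction is attempted."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [info.filename for info in zf.infolist() if info.flag_bits & 0x1]


def needs_manual_review(archive_bytes: bytes) -> bool:
    """Gateway-style triage decision: an encrypted entry means a sandbox
    without the password cannot inspect the payload, so escalate."""
    try:
        return bool(encrypted_entries(archive_bytes))
    except zipfile.BadZipFile:
        # Not a zip at all, or deliberately malformed: escalate as well.
        return True


def _constructed_sample(encrypted: bool) -> bytes:
    """Constructed demo archive. Python's zipfile cannot write encrypted
    archives, so the encryption flag bit is patched into the local file
    header (offset 6) and central directory entry (offset 8) afterwards."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("document.exe", b"constructed placeholder, not a real binary")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = data.find(sig)
            while i != -1:
                data[i + off] |= 0x1  # low byte of the little-endian flag word
                i = data.find(sig, i + 1)
    return bytes(data)


if __name__ == "__main__":
    for flag in (False, True):
        print("encrypted" if flag else "plain", "->",
              "manual review" if needs_manual_review(_constructed_sample(flag)) else "sandbox")
```

In production the same check belongs before the sandbox submission step, with the escalated sample handed to an analyst who can supply the password from the lure document.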
The infection chain ends with a custom implant called LastConn, which is dropped when the archive is extracted. LastConn displays a decoy document the first time it runs. It also uses the Dropbox API to download files hosted on the cloud service and to execute arbitrary commands.
The latest attacks from TA402 highlight the group’s continued efforts to develop and modify customized malware implants.
“TA402 is a highly effective and capable threat actor that remains a serious threat, especially to entities operating in and working with government or other geopolitical entities in the Middle East,” the researchers concluded. “It is likely TA402 continues its targeting largely focused on the Middle East region.”