A recent spate of attempted malware attacks intended to infect government entities in the Middle East with a customized version of the Quasar remote access trojan appears to be linked to the Hamas-linked Gaza Cybergang threat group, according to Palo Alto Networks.
In a Monday blog post, Palo Alto's Unit 42 threat intelligence team reported that the malware was discovered in September 2016, after attacks against two targets were thwarted by an endpoint protection solution that prevented the RAT from executing.
The trojan that Palo Alto researchers uncovered is a forked variant of Quasar, a .NET Framework-based open-source RAT that evolved from an earlier malware called xRAT. This version of Quasar can execute at least 16 actions that may be leveraged for malicious purposes. Such actions include acquiring system information; uploading, downloading and executing files; editing a machine's registry; opening a remote desktop connection; spying on the user's actions; issuing remote mouse clicks and keyboard strokes; stealing passwords; and visiting websites.
Researchers have been unable to pinpoint the attack vector, but they do know that the intended victims were initially infected with the downloader malware Downeks, which subsequently infects computers with Quasar. Downeks is known to be exclusive to the Gaza Cybergang, SC Media learned through Palo Alto Networks.
Additional research turned up dozens more Downeks and Quasar samples related to these attacks. Again, Palo Alto did not name the specific targets, but did note that the malware samples all included decoy documents containing political subject matter related to the Middle East, written in Arabic or Hebrew.
Researchers found that the recent samples shared similar coding, decoys, targets, metadata details and other identifiable features as samples of DustySky – another malware that's reportedly distributed by the Gaza Cybergang. They also spotted command-and-control infrastructure links between the two malware campaigns.
“We've seen this group use off-the-shelf tools in the past, but this was the first time we'd observed them using a highly-customized version of the commodity Quasar RAT, in combination with their own proprietary Downeks tool,” said Simon Conant, senior threat intelligence analyst at Palo Alto Networks, in an interview with SC Media.
Also known as Molerats, the Gaza Cybergang has been described by Kaspersky Lab as an “Arabic cybercriminal group operating in the MENA (Middle East North Africa) region, targeting mainly Egypt, [the] United Arab Emirates and Yemen.” They reportedly have also attacked entities in Iraq, Israel, Palestine, Saudi Arabia, and even the U.S. and parts of Europe.
Unit 42's report states that the perpetrators “invested significant effort in attempting to hide the tool by changing the source code of the RAT and the RAT server, and by using an obfuscator and packer.”
In the course of their investigation, researchers also found that the RAT command-and-control server contained vulnerabilities that left it susceptible to a remote code execution exploit. “This might allow a second attacker to install code of their choice – for example, their own Quasar RAT – on the original attacker's server,” the blog post stated.
“This shows again how vulnerabilities are an inherent problem in all software development, even malicious software development,” said Conant.