ATK66

Presumed Origin: Middle East

Alias: APT-C-23, Arid Viper, AridViper, Desert Falcon, Gaza cybergang Group2

ATK66 (aka: APT-C-23) is commonly considered an APT group linked to the Hamas organization ruling the Gaza Strip.


Reportedly, the group was established in 2011 but only became active in 2014, when its first attacks were detected in the wild. Judging from the group's victims and its TTPs, it is apparent that the group mainly targets entities related to the Palestinian Authority. APT-C-23 members are native Arabic speakers from the Middle East. According to Kaspersky, at its origins APT-C-23 consisted of 30 members working in three teams and operating mainly out of the Palestinian Territories, Egypt and Turkey.


Target sector

  • Government and administration agencies
  • Political organizations
  • Population

Target countries

  • Egypt
  • Iraq
  • Israel
  • Jordan
  • Kuwait
  • Lebanon
  • Libya
  • Palestine
  • Qatar
  • Syrian Arab Republic
  • Turkey
  • United States of America

Attack pattern

  • T1001 - Data Obfuscation
  • T1002 - Data Compressed
  • T1005 - Data from Local System
  • T1025 - Data from Removable Media
  • T1041 - Exfiltration Over Command and Control Channel
  • T1056 - Input Capture
  • T1060 - Registry Run Keys / Startup Folder
  • T1071 - Standard Application Layer Protocol
  • T1078 - Valid Accounts
  • T1105 - Remote File Copy
  • T1113 - Screen Capture
  • T1119 - Automated Collection
  • T1123 - Audio Capture
  • T1189 - Drive-by Compromise
  • T1192 - Spearphishing Link
  • T1193 - Spearphishing Attachment
  • T1194 - Spearphishing via Service
  • T1204 - User Execution

Motivation

Malwares

  • Micropsia
  • SpyC23

Vulnerabilities