ATK89

Presumed Origin: State of Palestine < Back

Alias: Extreme Jackal, Gaza Hackers Team, Gaza cybergang, Gaza cybergang Group1, Molerats, Moonlight, Operation Molerats, TA402

ATK89 (aka: Molerats, Gaza Cybergang) is an Arabic politically motivated APT group, active all over the world, including in Europe and the US, but they are mainly active in the Middle East and North Africa (MENA) and in Palestine in particular. The group is comprised of three sub-groups:

Gaza Cybergang Group 1: aka MoleRATs: The group’s aim is to the infection of the victim in a RAT and it often makes use of text-sharing platforms, such as: PasteBin, github.com, upload.cat and more.

Gaza Cybergang Group 2: aka Desert Falcons: the group makes use of homemade malware, tools and techniques. Victims are often infected by social engineering methods such as fake websites that promise political information or spear phishing emails and social messaging.

Gaza Cybergang Group 3: aka Operation Parliament: The group is focused on espionage, covering on executive and judicial bodies all over the world, and focusing on MENA, particularly Palestine. the group used malware with CMD/PowerShell commands for its attacks. Each group is different in TTPs, but they make use of the same tools after gaining the initial grip on their victims.

ATK89 is a persistent threat to organizations and governments in the Middle East, routinely updating not only their malware implants, but also their delivery methods.

REFERENCES

- 13/01/2012, Walla, ??????? ?????? ?? ??????, ????? ????? ?? ????????
- 02/07/2013, Threat Post, njRAT Espionage Malware Targets Middle Eastern Governments, Telecoms and Energy
- 23/08/2013, Fire Eye, Operation Molerats: Middle East Cyber Attacks Using Poison Ivy
- 19/02/2014, FireEye, XtremeRAT: Nuisance or Threat?
- 02/06/2014, FireEye, Molerats, Here for Spring!
- 04/06/2014, Dark Reading, Molerats Go After Governments, US Financial Institution
- 02/2015, Kaspersky, The Desert Falcons Targeted attacks
- 27/04/2015, pwc, Attacks against Israeli & Palestinian interests
- 28/09/2015, Kaspersky, Gaza cybergang, where’s your IR team?
- 01/2016, ClearSky, Operation DustySky
- 06/2016, ClearSky, Operation DustySky Part 2
- 31/01/2017, Security Week,Gaza Cybergang Uses QuasarRAT to Target Governments
- 11/04/2017, FireEye, CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler
- 30/10/2017, Security Week, Hamas-Linked ‘Gaza Cybergang’ Has New Tools, Targets
- 30/10/2017, Kaspersky, Gaza Cybergang – updated activity in 2017
- 30/01/2018, International Business TImes, TopHat campaign: Hackers target Middle East using malware-laced Arabic files about political events
- 12/04/2018, Kaspersky, Operation Parliament, who is doing what?
- 09/07/2018, Security Week, New Attacks on Palestine Linked to ‘Gaza Cybergang’
- 12/09/2018, GitHub, ThreatHunter-Playbook/playbooks/groups/Molerats.md
- 10/04/2019, Kaspersky, The Gaza cybergang and its SneakyPastes campaign
- 14/02/2019, 360 Threat Intelligence, Suspected Molerats’ New Attack in the Middle East
- 23/04/2019, ???? ?????? ??????, ????? ?????? Gaza Cybergang
- 15/01/2020, AT&T Security, Alien Labs 2019 Analysis of Threat Groups Molerats and APT-C-37, https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37

Target sector

Aerospace
Defense
Energy
Financial Services
Government and administration agencies
High-Tech
Media

Target countries

Afghanistan
Algeria
Canada
Chile
China
Denmark
Djibouti
Egypt
Germany
New Zealand
Morocco
Russian Federation
Qatar
North Macedonia
Palestine
Oman
Israel
Jordan
Korea, Republic of
Iraq
Iran, Islamic Republic Of
India
Kuwait
Libya
Lebanon
Latvia
Saudi Arabia
Serbia
Slovenia
Somalia
Syrian Arab Republic
Turkey
United Arab Emirates
United Kingdom Of Great Britain And Northern Ireland
United States Of America
Yemen

Attack pattern

T1003 - Credential Dumping
T1008 - Fallback Channels
T1047 - Windows Management Instrumentation
T1057 - Process Discovery
T1091 - Replication Through Removable Media
T1116 - Code Signing
T1491 - Defacement
T1566.001 - Spearphishing Attachment
T1566.002 - Spearphishing Link

Motivation

Ideology

Malwares

DHS2015 / iRat
DHS Spyware
DropBook
DustySky
Falcons’ Backdoor
Falcons’ Downloader
LastConn
MoleNet
Molerat Loader
Pierogi
PoisonIvy
Scote
SharpStage
Spark
TajMahal APT Framework
XtremeRAT

Vulnerabilities

CVE-2017-0199